axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "KUMAR,PANKAJ (HP-Cupertino,ex1)" <pankaj_ku...@hp.com>
Subject RE: SOAP and Security
Date Thu, 10 Apr 2003 23:44:36 GMT
Hi Raja,

You should be concerned about :
+ User Authentication -- Allow only valid users. Your options are 
  * use HTTPS with Mutual authentication (Secure but involves high
administration)
  * use username and password in SOAP header or body
     . over HTTP (not very secure)
     . over HTTPS (quite secure)
  * use XML-Signature (not very common, yet!)
+ User Authorization -- Don't know ehter you need this or not. This would be
the case if you wanted to restrict certain web services or features to
certain subscribers. You have some control through web.xml file and some by
invoking getRemoteUser() [or something equivalent].
+ Confidentiality and Integrity -- HTTPS should work for these. You could
also use XML-Encryption.
+ Parameter validation (especially if you are passing the parameters to
other programs like an RDBMS).
+ Input Size validation (especially if you take a URL as part of the request
and that URL) to avoid denial of service attacks.
+ ...

I have a presentation talking about some of these issues on my website at
http://www.pankaj-k.net/sd/west/2003/j2ee_security.pdf You may find it
helpful.

Thanks,
Pankaj Kumar.

> -----Original Message-----
> From: Bhattacharjee, Raja 
> [mailto:Raja.Bhattacharjee@GlobalCrossing.com]
> Sent: Thursday, April 10, 2003 4:09 PM
> To: 'axis-user@ws.apache.org'
> Subject: SOAP and Security
> 
> 
> I am trying to setup a SOAP service to be used over the 
> internet by another
> subscriber. What all security issues I should be concerned 
> with and what can
> I do to avoid those? Should I be publishing the service using 
> SSL and have a
> user authentication for each service embedding an ID/Password for each
> client an for each method? Any help will be appreciated.
> 
> Thanks
> 
> Raja
> 

Mime
View raw message