Securing Web Service Endpoints

Web services can be deployed as EJB endpoints or as web (servlet) endpoints. Securing web service endpoints is discussed in the following chapters:

· For information on securing web service endpoints of an enterprise bean, read Securing Enterprise Beans (page 1024).
· For information on securing web service endpoints of web components, read Chapter 9, "Securing Web Applications".

Overview of Message Security

Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, Java EE security mechanisms provide only a partial solution.

The characteristics of a web service that make its security needs different from those of other Java EE applications include the following:

· Loose coupling between the service provider and service consumer
· Standards-based (read Web Services Security Initiatives and Organizations, page 236 for a discussion of web services security initiatives and organizations)
· Uses XML-formatted messages and metadata
· Highly focused on providing interoperability
· Platform and programming language neutral
· Can use a variety of transport protocols, although HTTP is used most often
· Supports interactions with multiple hops between the service consumer and the service provider