Security Challenges and Threats

240 SECURING WEB SERVICES
The Basic Security Profile provides guidance on the use of WS-Security and the User Name and X.509 security token formats.
· REL Token Profile
The REL Token Profile is the interoperability profile for the Rights Expression Language (REL) security token that is used with WS-Security.
· SAML Token Profile
This is the interoperability profile for the Security Assertion Markup Language (SAML) security token that is used with WS-Security.
· Security Challenges, Threats, and Countermeasures
This document identifies potential security challenges and threats in a web service application, and identifies appropriate candidate technologies to address these challenges. The section Security Challenges, Threats, and Countermeasures (page 240) discusses the challenges, threats, and countermeasures in a bit more detail.
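As an added example (not code from the tutorial or the WS-I profiles), the following Python shows what a server-side check of the User Name security token named above involves: recomputing the PasswordDigest defends against forged claims, and a nonce cache with a freshness window on the Created timestamp rejects replayed message parts. The user store, password, nonce and timestamp values are constructed for the demo; the namespace URIs and digest formula are those of the OASIS UsernameToken Profile.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WSS 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(user: str, password: str, created: str, nonce: bytes) -> str:
    """Client side: emit a digest-style UsernameToken for the given (constructed) values."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

class TokenVerifier:
    """Server side: digest check against forged claims, nonce cache + freshness window against replay."""
    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5)):
        self.passwords = passwords   # username -> shared secret (hypothetical user store)
        self.max_age = max_age
        self.seen = set()            # (username, nonce) pairs already accepted

    def verify(self, xml_text: str, now: datetime) -> str:
        tok = ET.fromstring(xml_text)
        user = tok.findtext("wsse:Username", namespaces=NS)
        digest = tok.findtext("wsse:Password", namespaces=NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if None in (user, digest, nonce_b64, created) or user not in self.passwords:
            return "rejected: malformed token or unknown user"
        created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(now - created_dt) > self.max_age:
            return "rejected: Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (user, nonce) in self.seen:
            return "rejected: replayed nonce"
        expected = password_digest(nonce, created, self.passwords[user])
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "rejected: bad PasswordDigest"
        self.seen.add((user, nonce))  # remember nonces only for tokens that verified
        return "accepted"
```

In a real deployment the nonce cache must be bounded to the freshness window and shared across server instances, otherwise a replay against a different node still succeeds.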
Security Challenges, Threats, and Countermeasures
The WS-I document titled Security Challenges, Threats, and Countermeasures can be read in its entirety at http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf. Table 8-1 attempts to summarize many of the threats and countermeasures as an introduction to this document.
Table 8-1 Security Challenges, Threats, and Countermeasures

Challenge: Peer Identification and Authentication
Threats: falsified messages, man in the middle, principal spoofing, forged claims, replay of message parts
Countermeasures:
- HTTPS with X.509 server authentication
- HTTP client authentication (Basic or Digest)
- HTTPS with X.509 mutual authentication of server and user agent
- OASIS SOAP Message Security