
Using Message Security with Java EE

As you can see from the countermeasures that are recommended in the table and
in the document, the use of XML Encryption and XML Digital Signature to
secure SOAP messages and attachments is strongly recommended by this
organization. Using Message Security with Java EE (page 241) discusses some
options for securing messages with Java EE.
Using Message Security with Java EE
Because message security is not yet a part of the Java EE platform, and because
message security is a very important component of web services security, this
section presents a brief introduction to using both the Application Server's Web
Services Security (WSS) and the Java WSDP's XML and Web Services Security
(XWSS) functionality.
· Using the Application Server Message Security Implementation (page 242)
· Using the Java WSDP XWSS Security Implementation (page 247)
Table 8-1 Security Challenges, Threats, and Countermeasures (Continued)

| Challenge | Threats | Countermeasures |
|---|---|---|
| Data Origin Identification and Authentication | falsified messages, man in the middle, principal spoofing, forged claims, replay of message parts | OASIS SOAP Message Security; MIME with XML Signature/XML Encryption; XML Signature |
| Data Integrity (including Transport Data Integrity and SOAP Message Integrity) | message alteration, replay | SSL/TLS with encryption enabled; XML Signatures (as profiled in OASIS SOAP Message Security) |
| Data Confidentiality (including Transport Data Confidentiality and SOAP Message Confidentiality) | confidentiality | SSL/TLS with encryption enabled; XML Signatures (as profiled in OASIS SOAP Message Security) |
| Message Uniqueness | replay of message parts, replay, denial of service | SSL/TLS between the node that generated the request and the node that is guaranteeing; Signing of nonce, time stamp |
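
The "Signing of nonce, time stamp" countermeasure from the Message Uniqueness row, shown from the receiver's side as an added example (not code from the tutorial, the Application Server, or XWSS). HMAC-SHA256 with a shared key stands in for the XML Signature a WSS implementation would apply; the class name `ReplayGuard`, the five-minute window, and all sample values are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical receiver-side check: signed nonce + time stamp rejects replays.
public class ReplayGuard {
    private static final Duration MAX_AGE = Duration.ofMinutes(5);        // assumed freshness window
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();  // nonce -> time stamp
    private final SecretKeySpec key;

    public ReplayGuard(byte[] sharedKey) { this.key = new SecretKeySpec(sharedKey, "HmacSHA256"); }

    // The signature covers nonce, time stamp and body, so none can be swapped independently.
    public byte[] sign(String nonce, Instant created, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        for (String field : new String[] {nonce, created.toString(), body}) {
            byte[] b = field.getBytes(StandardCharsets.UTF_8);
            mac.update(ByteBuffer.allocate(4).putInt(b.length).array()); // length prefix: unambiguous fields
            mac.update(b);
        }
        return mac.doFinal();
    }

    public boolean accept(String nonce, Instant created, String body, byte[] sig, Instant now) throws Exception {
        if (!MessageDigest.isEqual(sign(nonce, created, body), sig)) return false;     // altered or forged
        if (Duration.between(created, now).abs().compareTo(MAX_AGE) > 0) return false; // stale or future-dated
        seen.values().removeIf(t -> Duration.between(t, now).compareTo(MAX_AGE) > 0);  // expire old nonces
        return seen.putIfAbsent(nonce, created) == null;                               // nonce reuse is a replay
    }

    public static void main(String[] args) throws Exception {
        ReplayGuard guard = new ReplayGuard("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Instant t0 = Instant.parse("2024-01-01T12:00:00Z");   // constructed sample values
        String body = "<order id='7'/>";
        byte[] sig = guard.sign("n-1", t0, body);
        System.out.println("first delivery: " + guard.accept("n-1", t0, body, sig, t0));
        System.out.println("replayed copy:  " + guard.accept("n-1", t0, body, sig, t0.plusSeconds(30)));
        System.out.println("altered body:   " + guard.accept("n-1", t0, "<order id='8'/>", sig, t0));
        System.out.println("stale message:  " + guard.accept("n-2", t0, body, guard.sign("n-2", t0, body), t0.plusSeconds(3600)));
    }
}
```

The time-stamp window bounds how long nonces must be remembered: once a message is older than the window it is rejected as stale, so its nonce can be dropped from the cache.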