XWSS.org
Last Updated: Mar 18, 2007

Security Model for Web Services


A key benefit of the emerging web services architecture is the ability to deliver integrated, interoperable software solutions using web-based standards. Ensuring the security of web services through a comprehensive security model is critical, both for organizations and their customers.

In today's business world, only a few web services will want to make themselves available to any client that happens to come calling. Client authentication is necessary to ensure that only legitimate clients can use the service; all other callers must be denied access.

Given this requirement, how do we carry the login credentials from the client application to the web service? We have two options here: a SOAP header or the HTTP Basic Authentication header. In either case, the web service reads the header to obtain the login information. The next issue is how to maintain a session once the client is authenticated. To solve this, we may employ a token-based security model. Upon successful authentication of the client application, a security token [specifically a GUID-like value generated upon successful validation and encrypted using a symmetric cryptographic algorithm] may be returned to the client application via the HTTP Cookie header. This guarantees that the security token will be part of all subsequent client requests. To prevent attackers from using hijacked tokens, an expiry time-stamp [typically 30 minutes] may be associated with each token.
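The flow described above (credentials in the HTTP Basic Authentication header, a token issued on success, the token carried back in a cookie, and a 30-minute lifetime), as an added example that is not part of the original article. The service name, client name and password, the `TOKEN_KEY` value, and the header-dictionary interface are all constructed for the demo. One substitution is made deliberately: the article encrypts the token with a symmetric algorithm, whereas this stdlib-only version makes the token tamper-evident with an HMAC-SHA256 over its contents. The token is still unforgeable without the server-side key, but its contents (GUID, issue time, user) are readable by the client.

```python
import base64
import hashlib
import hmac
import time
import uuid

# Constructed demo values. A real service would load the key from protected
# configuration and verify passwords against a proper credential store.
TOKEN_KEY = b"demo-symmetric-key-change-me"
TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute lifetime mentioned in the article
_CLIENT_PASSWORD_HASHES = {
    "acme-client": hashlib.sha256(b"s3cret").hexdigest(),
}


def basic_auth_header(user, password):
    """Client side: build the 'Authorization: Basic ...' header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Server side: return (user, password) from a Basic header, or None if malformed."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def _check_password(user, password):
    expected = _CLIENT_PASSWORD_HASHES.get(user)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)  # constant-time comparison


def issue_token(user, now=None):
    """Token = '<guid>.<issued_at>.<user>.<mac>'; the MAC binds all three fields."""
    issued = int(now if now is not None else time.time())
    payload = f"{uuid.uuid4().hex}.{issued}.{user}"
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_token(token, now=None):
    """Return the user if the token is authentic and unexpired, else None."""
    payload, _, mac = token.rpartition(".")
    fields = payload.split(".", 2)  # user may itself contain dots
    if not payload or len(fields) != 3:
        return None
    _guid, issued, user = fields
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged or tampered token
    try:
        issued_at = int(issued)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if current - issued_at > TOKEN_TTL_SECONDS or issued_at > current + 60:
        return None  # expired (or issued implausibly far in the future)
    return user


def login(headers, now=None):
    """Login request: verify the Basic header, hand back a token cookie on success."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None or not _check_password(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="webservice"'}
    token = issue_token(creds[0], now)
    return 200, {"Set-Cookie": f"token={token}; HttpOnly; Secure"}


def authenticate_request(headers, now=None):
    """Subsequent request: find the token cookie and return the user, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "token":
            return validate_token(value, now)
    return None


if __name__ == "__main__":
    status, hdrs = login({"Authorization": basic_auth_header("acme-client", "s3cret")})
    cookie = hdrs["Set-Cookie"].split(";")[0]
    print(status, authenticate_request({"Cookie": cookie}))
```

The `now` parameter exists only so that expiry can be exercised deterministically; in production the wall clock is used. Because the expiry is inside the MAC-protected payload, a client cannot extend its own session by editing the timestamp.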

Authentication by itself does not guarantee a complete security model. Authorization [the process of determining the entitlements of the requestor] is a key security element that, together with Authentication, provides a comprehensive solution. Once a principal's identity is authenticated, authorization decisions can be made. It is common for clients to have different degrees of access. For example, some clients may be allowed full access while others may be restricted to read-only access. This policy extends to method invocations on web services. Access is typically determined by checking information about the principal against some access control information, such as an Access Control List [ACL]. The request is either granted or denied. A granted request proceeds along the nominal execution path, while a denial message is returned for denied requests.
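An ACL check applied to web service method invocations, as an added example that is not part of the original article. The principal names, the permission names `read` and `write`, and the method names (`getOrder`, `placeOrder`, and so on) are assumed for the demo. It goes slightly beyond the text in one respect: unknown principals and unknown methods are both denied (fail closed), since a lookup miss in the ACL should never be treated as a grant.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed ACL: each principal maps to the set of permissions it holds.
# "read" covers query-style operations, "write" covers operations that change data.
ACL: Dict[str, FrozenSet[str]] = {
    "acme-client": frozenset({"read", "write"}),  # full access
    "report-viewer": frozenset({"read"}),         # read-only client
}

# Permission required by each exposed web service method (assumed method names).
METHOD_PERMISSIONS: Dict[str, str] = {
    "getOrder": "read",
    "listOrders": "read",
    "placeOrder": "write",
    "cancelOrder": "write",
}


@dataclass(frozen=True)
class Decision:
    granted: bool
    message: str


def authorize(principal, method):
    """Decide whether an authenticated principal may invoke the given method."""
    required = METHOD_PERMISSIONS.get(method)
    if required is None:
        # A method with no policy entry is denied rather than silently allowed.
        return Decision(False, f"Access denied: no policy for method '{method}'")
    held = ACL.get(principal, frozenset())  # unknown principal holds nothing
    if required in held:
        return Decision(True, "Access granted")
    return Decision(False, f"Access denied: '{principal}' lacks '{required}' for '{method}'")


def invoke(principal, method, handlers):
    """Dispatch: run the handler on grant, return the denial message otherwise."""
    decision = authorize(principal, method)
    if not decision.granted:
        return {"status": "denied", "message": decision.message}
    return {"status": "ok", "result": handlers[method]()}


# Constructed stand-ins for the real service methods.
SAMPLE_HANDLERS = {
    "getOrder": lambda: {"id": 42, "state": "shipped"},
    "listOrders": lambda: [42, 43],
    "placeOrder": lambda: {"id": 44, "state": "new"},
    "cancelOrder": lambda: {"id": 42, "state": "cancelled"},
}


if __name__ == "__main__":
    for who, what in [("acme-client", "placeOrder"), ("report-viewer", "placeOrder"),
                      ("report-viewer", "getOrder"), ("stranger", "getOrder")]:
        print(who, what, invoke(who, what, SAMPLE_HANDLERS))
```

Keeping the permission table keyed by method name means a newly added method is denied to everyone until an explicit policy entry is written for it, which is the safe default for a service exposed to outside clients.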

In summary, this article has discussed the motivation behind developing a security model for Web Services, together with the details of implementing a token-based security model that addresses the two major security components, namely Authentication and Authorization.



Copyright 2002-2007 XWSS.org All Rights Reserved