Forum Systems Releases Java Web Services Security

Haven't had a chance to actually check out the SDK but there's definitely a need for those types of tools. Sun has their own set with the XWS Security that's part of the Java Web Services Developer Pack.
— Forum released the Forum Java Web Services Security (JWSS) Software Development Kit (SDK) version 1.0 offering developers a comprehensive library of application programming interfaces (APIs) to leverage in coding Web Services applications. The JWSS SDK v1.0 addresses the need for security to be enforced within the application itself in order to ensure privacy and integrity of Web Services and SOA applications.
While I'm all for separation of concerns and not mixing security code in with the business logic code, there are definitely certain scenarios where you can't avoid it, although I think they could have come up with a better example to justify when you may need to mix security logic in with your business logic. The example they used is to verify the origin of messages at the point of consumption to ensure that they were not physically intercepted. If that's what I needed to do, I would do that in a request interceptor that is deployed within the endpoint. Most web services toolkits allow you to set up request and response interceptors to do pre- and post-processing such as this. No need to mix this type of security code in with your business logic.
One scenario I have come across is when you have to make an authorization decision based on certain characteristics of the data that is being processed. In such cases, only the business logic understands the semantics of the data enough to make such a decision. So to do this you either have to put the security code into the business logic or you have to add business logic into your security code so that it understands the data semantics.
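The two placements discussed above, side by side, as an added example that is not code from the post or from the Forum SDK: an origin check that can live in a request interceptor because it never looks at what the message means, and an authorization decision that has to sit in the business logic because it depends on the data. Assumptions: the class, method and role names and the threshold are hypothetical, an HMAC over the body stands in for a WS-Security signature check, and Java 16+ is used for `record`.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;

public class SecurityPlacementDemo {
    // Constructed request shape: caller and roles are set by the security layer.
    record Request(String caller, Set<String> roles, String body, String macB64) {}

    static byte[] hmac(byte[] key, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Interceptor-side check: needs the bytes and a key, not the data semantics.
    static void verifyOrigin(Request r, byte[] key) throws Exception {
        byte[] claimed = Base64.getDecoder().decode(r.macB64());
        // Constant-time comparison avoids leaking how many bytes matched.
        if (!MessageDigest.isEqual(hmac(key, r.body()), claimed))
            throw new SecurityException("message origin could not be verified");
    }

    // Business-logic check: the decision depends on who owns the account and
    // how large the amount is, which only this layer understands.
    static String transfer(Request r, String accountOwner, long amountCents) {
        boolean ownsAccount = r.caller().equals(accountOwner);
        boolean large = amountCents > 1_000_000; // hypothetical policy threshold
        if (!ownsAccount || (large && !r.roles().contains("approver")))
            throw new SecurityException("caller not authorized for this transfer");
        return "transferred " + amountCents + " cents";
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String body = "<transfer owner='alice' amountCents='2500000'/>"; // constructed
        String tag = Base64.getEncoder().encodeToString(hmac(key, body));
        Request req = new Request("alice", Set.of("user"), body, tag);

        verifyOrigin(req, key); // would run in the request interceptor
        try {
            // Values parsed from the body are passed inline to keep the demo short.
            System.out.println(transfer(req, "alice", 2_500_000));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```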
So the important questions for the guys at Forum Systems about this SDK are:
- What standards/specifications is this SDK built on top of/compliant with?
- What kind of interoperability tests have been conducted for Web Services that are secured using this SDK?