Why are separate standards needed for Web Service security?
Why WS security is needed to provide tokens开发者_开发问答,signatures etc if there are ssl communication to achieve this purpose? How can WS security used to provide integrity,confidentiality and authenticity that ssl can't provide?simply why ws secuirty(If possible can you provide any example)
If business partner of paypal using paypal's web service in its website.If that web service is asking for username and password of its customer,how paypal can protect customers data from there Business partners?How soap transaction can take place between customers,paypal and its business patners?plz can you explain how WS security concepts ( provide integrity, confidentiality,authenticity) in this case?
The main difference is that HTTP related security mechanisms secure the transport layer of the web service, and WS security addresses a higher level of abstraction.
similarly, you may have also security solutions in higher (for example: encrypt just a specific password field in a web service) or lower levels (like VPN)
Different scenarios will require different security measures in different layers
Some examples: Web Services are not limited to HTTP transport - your environment may include other transports (like messaging using JMS, MSMQ, etc). setting up security at the Web Services layer (rather then the transport layer) will allow you to use a common mechanism for the whole environment.
Another issue is that http level security information is "pealed" as you go higher in the Web Services Stack - for example, in many places you wont be accessing the service provider directly, but through a central ESB (Enterprise Service Bus). the ESB acts as a central hub for services, and may also perform tasks such as logging, routing, publishing to multiple service endpoints, etc. When using an ESB the http connection is broken at the ESB, and the service gets a new http connection originating from the ESB - thus http security mechanisms cannot offer end-to-end security. WS Security information however can be preserved even if the messages are routed through an ESB
What you describe in you last comment appears to be not related to the previous answer
Do you mean they have a mechanism like OpenID or kerberos, where you can use your credentials from one site to access a different site? This isn't specific to web services, and there are various existing protocols to do it (my guess is that they use an existing protocol). Of course a similar mechanism can be developed using WS Security standards. The kerberos protocol for example works like this: 1. The user authenticates to the security server 2. the security server replies with a signed message (called ticket) saying "the user 123 has been authenticated" 3. The user uses this message to prove that he is indeed user 123 to the 2nd site, without the need for the 2nd site to actually get his username password. This protocol is based on encryption and cryptographic signatures - both are available using WS security.
SSL (TLS) security will protect the user from eavesdropping. But it won't protect you (your site) from malicious users. You're still vulnerable to buffer overflows, SQL injection and so on.
For a great example watch the "How I met your girlfriend" talks by Samy Kamkar at Defcon (shorter) and at Blackhat (longer). Samy explains using web application vulnerabilities to breaking into an account (in this case it's Facebook) of someone who uses SSL.
The main difference between SSL and WS-Security is, SSL is transport level but WS-Security is message level... In other words when you use SSL - as soon as the message left the transport channel - its not secured. But with WS-Security message will be still secured and message security is independent from the transport channel.
With WS-Security,
- Authentication --> UsernameToken
- Non-repudiation --> Signature [XML
- Signature/WS-Security] Confidentiality --> Encryption [XML Encryption/WS-Security]
- Integrity --> Signature [XML Signature/WS-Security]
Pure SSL provides Authentication/Confidentiality and Integrity - but not Non-repudiation.
2-legged OAuth is a standard to support Non-repudiation over SSL.
Thanks...
WS or Web Service Security is an extension of SOAP which applies security to different web services. Ws-Security uses XML signatures and encryption to provide end to end security. Main focus of this protocol is to specify how integrity and confidentiality can be enforced in messages exchanges between user and service provider on web such as Paypal. This service also allows communication of different security token formats like SAML, X.509, Kerberos etc. Unlike HTTP protocol which mainly focuses on providing security at transport level, WS security mechanism implements higher level of abstraction in application layer and provide encrypted security solution.
Since need of security is different on every platforms, these two standards focuses to meet distinguish need of such security platforms. With the help of this security, end to end security, non- repudiation, reverse proxy, transport bindings etc are improved.
In general terms you can say that this service is another method to provide better security to data exchange platforms and user’s privacy. There are many other services/software which does same task like TOR (provides integrity to user privacy), ScrapeSentry (a service which provide security from bad bot traffic and spam), Distil Network (another service to block spam on web spam) etc. However concept of every security mechanism is different but their main motive is to provide constant and reliable security to user as well as businesses.
Good day people,
the SSL/TLS technology is a security technology. Its goal is to protect the user from having his/her information (credit card, address, tel number...) being stolen by a hacker. The SSL certificate will protect the website and each person who connects on the website will be sure to have a secured environment.
The quality of the security depends on the type of certificate installed on the website in question, whether it is DV (Domain Validation), OV (Organization Validation), EV (Extended Validation), if the SGC technology is present or not.
If you have any other questions, you can have more details here.
精彩评论