Chapter 7 Security
7.3.1.1 Securing the Transport Layer
SSL and Transport Layer Security (TLS) are key technologies in Web service
interactions, and it is important to understand how to establish an
SSL/TLS-protected interaction and authenticate clients. Note that TLS is an
enhanced specification based on SSL. References to SSL refer to both SSL and TLS.

SSL is a standard mechanism for Web services that is available on virtually all
application servers. This widely used, mature technology, which secures the
communication channel between client and server, can satisfy many use cases for
secure Web service communications. Since it works at the transport layer, SSL
covers all information passed in the channel as part of a message exchange
between a client and a service, including attachments.

Authentication is an important aspect of establishing an HTTPS connection.
The J2EE platform supports the following authentication mechanisms for Web
services using HTTPS:
  • The server authenticates itself to clients with SSL and makes its
    certificate available.
  • The client uses basic authentication over an SSL channel.
  • Mutual authentication with SSL, using the server certificate as well as the
    client certificate, so that both parties can authenticate to each other.

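The second and third mechanisms in the list above, written as a deployment descriptor fragment for a servlet-based Web service endpoint. This is an added example, not taken from the original text; the names OrderService, /orders/*, partner and PartnerRealm are assumptions chosen for illustration.

```xml
<!-- Added example: web.xml fragment for a servlet-based Web service endpoint.
     OrderService, /orders/*, partner and PartnerRealm are assumed names. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OrderService</web-resource-name>
    <!-- No http-method element: the constraint then covers every HTTP method. -->
    <url-pattern>/orders/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers mapped to this role may invoke the endpoint. -->
    <role-name>partner</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- In practice containers satisfy CONFIDENTIAL by requiring SSL. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Mechanism 2: basic authentication, carried inside the SSL channel. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>PartnerRealm</realm-name>
</login-config>

<!-- Mechanism 3 (replaces the BASIC block; one login-config per web.xml):
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
-->

<security-role>
  <role-name>partner</role-name>
</security-role>
```

Removing the auth-constraint and login-config elements while keeping the CONFIDENTIAL transport guarantee leaves the first mechanism, in which only the server authenticates itself.
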
While browser-based Web applications rely on these same authentication
mechanisms when accessing a Web site, Web services scenarios have some
additional considerations. With Web services, the interaction use case is usually
machine-to-machine; that is, it is an interaction between two application
components with no human involvement. Machine-to-machine interactions have a
different trust model from typical Web site interactions. In a machine-to-machine
interaction, trust must be established proactively, since there can be no
real-time interaction with a user about whether to trust a certificate.
Ordinarily, when a user interacts with a Web site via a browser and the browser
does not have the certificate for the site, the user is prompted about whether to
trust the certificate. The user can accept or reject the certificate at that
moment. With Web services, the individuals involved in the deployment of the Web
service interaction must distribute and exchange the server certificate, and
possibly the client certificate if mutual authentication is required, prior to
the interaction occurrence. Since an
interoperable standard for Web service certificate distribution and exchange does





