Discussions

XML & Web services: Security questions from a newbie!!

  1. Security questions from a newbie!! (2 messages)

      Hi to all of you! I am new to XML WEB services techs and doing a project for my University.
      My main problem/consideration is how can I avoid using SSL Certificates and manage to do the secure transactions required by somehow securing the SOAP transfer to / from the client web browser - probably by using an appropriate Java library, if there is one out there!
      Let me also try to explain to you what I am thinking of doing; maybe you'll find something wrong in the whole thing too!!!
      My main idea is to have a set of JSP classes acting as the dynamic front-end of the system. Those JSPs, together with a set of classes that do the business logic and JDBC connections, will form the web-service. What I don't understand yet is how I can make the client's web browser talk with my web-service by passing XML docs using SOAP, and that also preferably securely!

    Please help as I feel well lost!!
    Thank you for your advice and help in advance!
    Kostas

    PS. Any thoughts are welcomed!
  2. If I understand you correctly, you seem to be a bit confused over the purpose of SOAP.

    SOAP is an XML encoding protocol which is well suited to RPC or message passing between peer computers. SOAP -- or rather XML generally -- is applicable when you have two systems which need to talk to each other, but they don't have an obvious common language (or you want to use XML for future ease-of-integration).

    It is particularly suited for peer-to-peer communication because you need an agent on both ends intelligent enough to encrypt messages as SOAP messages, and interpret the received replies. Web browsers are not well suited for this; if your clients are always web browsers then you might as well stick to HTML. If your client is an application of some kind, then SOAP is a good way to go.

    If you want to "secure the SOAP connection" without using SSL, then you will need to use a protocol which manually encrypts the contents of your HTTP posts (containing the SOAP message) in some custom format. Unfortunately, I don't know of any libraries which do this, but it will require some customization of the client (some private key negotiation will need to be done somehow), limiting access to your web services to clients that have been configured for it.

    Hope this helps.
    Kenneth
  3. Security questions from a newbie!!

    You can secure your messages using encrypted payloads through S/MIMEv2 (or S/MIMEv3). A number of transports such as RosettaNet's RNIF and OASIS' ebXML already have specified standards for doing so.

    hope this helps you,

    francis!
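
The approach described in Kenneth's reply (encrypting the SOAP message carried in the HTTP POST instead of relying on SSL), as an added example that is not part of the original thread. It assumes a 256-bit AES key already provisioned to each client out of band; the class name, the `Base64(IV || ciphertext || tag)` wire format, and the sample envelope and SOAPAction values are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SoapPayloadCrypto {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Returns Base64(IV || ciphertext || tag); this wire format is an assumption of the example.
    static String seal(SecretKey key, String soapXml, String soapAction) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh IV per message; reusing one under the same key breaks GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(soapAction.getBytes(StandardCharsets.UTF_8)); // bind body to the SOAPAction header
        byte[] ct = c.doFinal(soapXml.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the body or the SOAPAction value was altered in transit.
    static String open(SecretKey key, String body, String soapAction) throws Exception {
        byte[] in = Base64.getDecoder().decode(body);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("truncated message");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        c.updateAAD(soapAction.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = new byte[32]; // constructed demo key; real keys are provisioned per client
        RNG.nextBytes(raw);
        SecretKey key = new SecretKeySpec(raw, "AES");
        String soap = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                    + "<soap:Body><getBalance><account>12345</account></getBalance></soap:Body></soap:Envelope>";
        String post = seal(key, soap, "urn:getBalance");
        System.out.println("POST body: " + post);
        System.out.println("Decrypted: " + open(key, post, "urn:getBalance"));
        try { open(key, post, "urn:transfer"); } // same body replayed under a different action
        catch (javax.crypto.AEADBadTagException e) { System.out.println("Rejected: header/body mismatch"); }
    }
}
```

This protects the confidentiality and integrity of each message only: it does not authenticate the server to the client or reject a replayed copy of a captured request, both of which SSL would otherwise provide.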