WS-Security: is it really that simple?

The specifications for Web Services Security (WS-Security) has been around for years, but until recently it isn’t widely used. Web Services are still often secured at the transport level, i.e. securing the communication channel between the web service and it’s client. While this can provide confidentiality, integrity and authentication at some level, it does have some serious shortcomings. Especially when a message travels through intermediate nodes before reaching it’s intended receiver. Authenticating the initial sender of the message instead of the server that hosts the final web service client, can’t be done easily. Although recently WS-Security is used more and more, projects still often prefer the “simpler” solution, because WS-Security message-level security is “too complicated”.

This session will show that the complexity of WS-Security is more in the theory and the specification than in the practical application of this standard. After quickly explaining the theory, it will provide an overview of the available frameworks that make WS-Security life easier. This is demonstrated by a real life example, which will also dive into the code level. Finally the maturity of the frameworks and some best-practices and lessons learned will be discussed to get you right up to speed.

Eelco Klaver  E.Consulting Eelco Klaver is sinds 2006 werkzaam als senior consultant bij E.Consulting, wat zich specialiseert in Enterprise Java consultancy en training. Hij houdt zich hier bezig met Enterprise Java architectuur, security workshops, software reviews en security audits. Eelco heeft ruim 11 jaar hands-on ervaring met het ontwikkelen van enterprise applicaties in Java en J2EE bij verschillende werkgevers en voor diverse grote opdrachtgevers. De laatste jaren heeft hij zich gespecialiseerd in de beveiligingsaspecten van op J2EE gebaseerde enterprise applicaties.