
List:       webappsec
Subject:    Re: need help with Web Services security
From:       Steve Shah <sshah () planetoid ! org>
Date:       2004-04-06 3:27:54
Message-ID: 20040406032754.GC51402 () marvin ! planetoid ! org

Hi Tal,

> I'm trying to find the best way to secure Web Services which will run on
> .NET and Websphere 5.
> 
> I need a secure authentication between the applications, integrity and
> confidentiality of the messages.
> 
> I know the WS-Security recommendations, but I need something more accurate
> that is supported by the two platforms above.
> 
> I'm currently thinking about using a Kerberos server (as for Kerberos
> tickets) and SSL-2. 

Keep it simple. If it is a B2B application, consider SSL with client
side certificates and authenticated access. Authentication should be
standards based on HTTP (e.g. Digest Auth). This will give you the 
maximum flexibility in terms of available tools and interoperability
in the future. 

HTTP and SSL also give you the benefit of a lot of acceleration 
options in the future. (e.g. SSL acceleration, TCP offload, etc.)

Cheers,
-Steve

-- 
Steve Shah
sshah@planetoid.org - http://www.planetoid.org/
Beating code into submission, one OS at a time...
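
The combination recommended in the reply above (SSL with mandatory client certificates, plus HTTP Digest authentication), shown server-side in Python as an added example; it is not part of the original message and is not code from its author. The function names and the nonce bookkeeping are assumptions, and the sample header is built from the worked values in RFC 2617, section 3.5.

```python
import hashlib
import hmac
import ssl


def mtls_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS server context that refuses clients without a trusted certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issues partner certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the server's own identity
    return ctx


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(auth, method, password, issued_nonces, seen_counts):
    """Check a parsed Authorization header (a dict) against the stored password."""
    nonce = auth["nonce"]
    if nonce not in issued_nonces:        # nonce this server never handed out
        return False
    nc = int(auth["nc"], 16)
    if nc <= seen_counts.get(nonce, 0):   # replayed or reordered request
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], nonce, auth["nc"], auth["cnonce"])
    if not hmac.compare_digest(expected, auth["response"]):
        return False
    seen_counts[nonce] = nc               # only advance the counter on success
    return True


# Constructed sample header, using the RFC 2617 section 3.5 values.
SAMPLE = {"username": "Mufasa", "realm": "testrealm@host.com",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
          "nc": "00000001", "cnonce": "0a4f113b",
          "response": "6629fae49393a05397450978507c4ef1"}
```

The nonce-count check is what rejects a captured header sent a second time; the TLS layer supplies confidentiality and integrity for the message body, which Digest with qop=auth does not cover.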