In the context of web application security, there are predominantly three layers:
1. Message Layer Security
2. Transport Layer Security
3. Application Layer Security
Message Layer Security: encrypting (and signing) the XML message itself inside the SOAP request. For SOAP this is standardised by WS-Security; REST has no equivalent standard, although the same idea can be applied to JSON payloads with JOSE (JWS for signing, JWE for encryption).
Consider a message/request travelling from a client to a server. Note that there may be intermediate nodes in between (proxies, gateways, an ESB) which intercept, process and forward the message. TLS only protects each hop, so every such node sees the plaintext.
With message layer security the SOAP request contains encrypted portions that only the intended server can decrypt and read. Intermediate nodes can route the message using the headers left in the clear, but cannot process the protected content. This is achieved with the WS-Security specification (an OASIS standard, not part of J2EE itself), which Java web service stacks such as Apache WSS4J/CXF and Metro implement.
The major advantage is that even if TLS is broken, or terminated at an intermediary, the protected parts of the SOAP message cannot be decoded by the attacker, which is an additional layer of security. Hence message security is independent of transport security. Two caveats: only the parts that are actually encrypted are protected, so routing headers and anything left in the clear are still exposed; and encryption alone does not prevent tampering, so the body should also be signed and the server must reject messages that lack the expected signature.
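As an added illustration (this envelope is not from the original post), here is what such a request looks like on the wire. The body content is encrypted with a random AES-256-GCM key; that key is wrapped with the server's RSA public key (RSA-OAEP) and carried in the wsse:Security header, so only the server can unwrap it. The CipherValue contents, the certificate thumbprint and the Id values are constructed placeholders, not real ciphertext.

```xml
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <!-- Addressing/routing headers stay in the clear: intermediaries need them. -->
    <wsse:Security soap:mustUnderstand="1">
      <!-- Session key, wrapped with the SERVER's RSA public key. Only the holder of
           the matching private key can unwrap it; intermediate nodes cannot. -->
      <xenc:EncryptedKey Id="EK-1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo>
          <!-- Tells the server which of its certificates was used (constructed thumbprint). -->
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
              c2VydmVyLWNlcnQtdGh1bWJwcmludA==
            </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <!-- Constructed placeholder for the RSA-OAEP wrapped AES key -->
          <xenc:CipherValue>UlNBLU9BRVAtd3JhcHBlZC1BRVMta2V5Li4u</xenc:CipherValue>
        </xenc:CipherData>
        <!-- Lists every EncryptedData element this key decrypts. -->
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-1"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body">
    <!-- Type=...#Content: the Body element itself survives so SOAP processors can
         dispatch, but its children (operation name and parameters) are ciphertext. -->
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <xenc:CipherData>
        <!-- Constructed placeholder for the AES-GCM ciphertext of the body content -->
        <xenc:CipherValue>QUVTLUdDTS1jaXBoZXJ0ZXh0LW9mLXRoZS1ib2R5Li4u</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
```

Anything outside the EncryptedData element (the envelope, addressing headers, message size and timing) remains visible to every node on the path. In practice WS-Security also places a ds:Signature over the Body (referenced through its wsu:Id) in the same header so that a tampered ciphertext is rejected, and the key transport algorithm should be RSA-OAEP as above rather than the legacy rsa-1_5, which is exposed to padding-oracle attacks.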
Transport Layer Security:
TLS is the successor of SSL. It sits above TCP and below the application protocol (HTTP over TLS is HTTPS); in OSI terms it is usually placed at the session/presentation layer.
The channel the message travels over is encrypted and authenticated, hop by hop. But if an attacker compromises the TLS layer, or TLS is terminated at a proxy or load balancer before the application, the complete plaintext message is exposed, whereas the encrypted parts of a WS-Security protected SOAP message stay protected.
*How to configure TLS:
At the server end (Apache Tomcat), the server.xml configuration file needs to be modified: an HTTPS connector is added with SSLEnabled="true", the keystore holding the server certificate and private key, and the permitted protocol versions and cipher suites.
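As an added example (not configuration from the original post), here is a Tomcat 8.5+/9 server.xml fragment with the weak legacy form beside a hardened connector. The keystore path, alias, the `keystore.password` property and the port numbers are assumptions for this example; the property must be defined in catalina.properties or passed with -D so the password stays out of server.xml.

```xml
<!-- Plain HTTP stays for redirects only; CONFIDENTIAL constraints in web.xml send
     clients to redirectPort. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

<!-- WEAK (old attribute style): sslProtocol="TLS" leaves protocol and cipher choice
     to the JDK defaults, which on older JDKs still include TLS 1.0/1.1 and CBC
     suites, and the keystore password is the well-known default "changeit". -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
-->

<!-- HARDENED: explicit protocol versions, server-chosen AEAD suites only, and the
     keystore password supplied through a system property (assumed name). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true"
                 ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    <!-- PKCS12 keystore containing the server private key and certificate chain -->
    <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.p12"
                 certificateKeystorePassword="${keystore.password}"
                 certificateKeystoreType="PKCS12"
                 certificateKeyAlias="tomcat"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

After restarting Tomcat, check the result from outside rather than trusting the file: `openssl s_client -connect host:8443 -tls1_1` should fail the handshake, while `-tls1_2` and `-tls1_3` should succeed and show one of the listed suites.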
Application Layer Security:
The security constraints that apply to the identity of the user/client: who they are and what they are allowed to do. This is composed of
1. Authentication: for example HTTP Basic authentication (login ID and password) or form-based login. Basic sends the credentials, merely base64-encoded, on every request, so it must only be used over TLS.
2. Authorization: mapping of roles and privileges to the resources (URLs, operations) each role may access.
3. Federated identity: SAML for single sign-on, and OAuth 2.0 for delegated authorization (OAuth on its own is not an authentication protocol).
These are implemented within the web application itself, either declaratively (security constraints in web.xml) or in code in servlets, filters and other security components, and the container enforces them on every request.
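As an added example (not from the original post), here is the declarative form of points 1 and 2 in a servlet web.xml: Basic authentication against the container realm, role-based authorization on URL patterns, and a transport guarantee that ties this layer back to TLS. The URL patterns, role names and realm name are assumptions; the realm that maps users to these roles (tomcat-users.xml, a JDBC or LDAP realm) is configured in the container and not shown.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Authorization: only the admin role may reach /admin/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Deliberately no <http-method>: the constraint then covers ALL methods.
           Listing only GET and POST would leave HEAD, PUT, DELETE, OPTIONS etc.
           unprotected (HTTP verb tampering). -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Requires HTTPS; plain HTTP requests are redirected to the TLS connector. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Any authenticated user (either role) may reach /account/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: HTTP Basic; the browser/client sends Authorization: Basic
       base64(user:password) on each request, which is why CONFIDENTIAL is set above. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

Two things to verify after deploying: a URL not matched by any security-constraint is open to everyone, and an empty `<auth-constraint/>` denies everyone, so unguarded paths and typos in url-pattern are the usual mistakes. For finer-grained checks inside a servlet, the container exposes the same identity through `request.getRemoteUser()` and `request.isUserInRole("admin")`.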
