Understanding Security Management in Web Services

With the growing volume of business transacted over the web, web applications must be both efficient and secure. Security has to be managed so that clients' sensitive data is protected from malicious attacks and other threats, which makes it a crucial part of web application development. In a J2EE application we can use the security features that run in the JVM itself: a SecurityManager can be installed in the application, and it enforces the JVM's access-control checks. For an application to be secure, every program within it must obey a set of rules.
These rules are called permissions. In addition to the JVM's built-in security features, two Java packages provide security services to an application: java.security and javax.crypto. The java.security package defines the Java Cryptography Architecture (JCA), and javax.crypto is the Java Cryptography Extension (JCE). Both give the application access to cryptographic algorithms (message digests, digital signatures, ciphers, key generation) through a provider-based framework in which the algorithm is requested by name and a provider supplies the implementation. Digital signatures and certificates are further means of implementing security.

Security in web applications can be compared with the security provided by operating systems. An operating system has users, roles and groups of users; likewise a web application assigns each user a login id and password for authentication. Form-based authentication alone, however, does not provide a high degree of security, because the id and password travel over the internet in cleartext unless the connection itself is encrypted. SSL (Secure Sockets Layer, today superseded by TLS) is used to secure the transmission: it encrypts the session and uses the server's public and private key pair to authenticate the server and establish the session key, so an attacker on the network cannot read or tamper with the credentials. In a J2EE deployment descriptor this is enforced declaratively with a security-constraint whose transport-guarantee is CONFIDENTIAL, which makes the container require SSL for the protected URLs.

Now we discuss the cryptographic techniques from the programming point of view. The Java Security API provides classes and interfaces that implement a secure framework for the application. The AccessController class makes the decisions about access permissions, checking that every frame on the current call stack has been granted the permission being requested. Permission and Policy are abstract classes: a Permission represents access to a system resource (for example FilePermission or SocketPermission), and a Policy represents the system security policy that grants permissions to code. The Provider class represents a cryptographic service provider, that is, a package that supplies the actual implementations of the algorithms an application asks for. The Signature class implements digital signature algorithms such as SHA256withRSA. Note that the SecurityManager and AccessController mechanism has been deprecated for removal since Java 17 (JEP 411); the JCA and JCE classes are unaffected by that deprecation.
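The following example, added here and not part of the original article, shows the classes just described in working code: it asks the JCA which Provider backs SHA256withRSA, signs and verifies a message with Signature, encrypts and decrypts with the JCE Cipher class using AES-GCM (an authenticated mode, so a tampered ciphertext is rejected rather than silently decrypted to garbage), and finally shows how a Permission object decides whether a granted permission covers a requested one. The class name, the sample message and the /var/app path in the FilePermission are constructed for illustration and assume Unix-style paths.

```java
import java.io.FilePermission;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Permission;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class JcaJceDemo {

    // JCA (java.security.Signature): sign a message with the private key.
    static byte[] sign(PrivateKey priv, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(msg);
        return s.sign();
    }

    // JCA: verify the signature with the matching public key.
    static boolean verify(PublicKey pub, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(msg);
        return s.verify(sig);
    }

    // JCE (javax.crypto.Cipher): authenticated encryption with AES-GCM.
    // The 96-bit IV must never be reused with the same key.
    static byte[] aesGcm(int mode, SecretKey key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv)); // 128-bit authentication tag
        return c.doFinal(data);
    }

    // java.security.Permission: does a granted permission cover a requested one?
    static boolean covers(Permission granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) throws Exception {
        // Provider: the framework resolves the algorithm name to a provider at run time.
        System.out.println("SHA256withRSA from provider: "
                + Signature.getInstance("SHA256withRSA").getProvider().getName());

        // --- Digital signature ---
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] order = "order=42;amount=100.00".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] sig = sign(kp.getPrivate(), order);
        System.out.println("signature valid:        " + verify(kp.getPublic(), order, sig));
        byte[] forged = "order=42;amount=999.00".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature over forgery: " + verify(kp.getPublic(), forged, sig));

        // --- Authenticated encryption ---
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // needs the unlimited crypto policy on JDKs older than 8u161
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, key, iv, order);
        byte[] pt = aesGcm(Cipher.DECRYPT_MODE, key, iv, ct);
        System.out.println("decrypted: " + new String(pt, StandardCharsets.UTF_8));
        ct[0] ^= 0x01; // tamper with one ciphertext byte
        try {
            aesGcm(Cipher.DECRYPT_MODE, key, iv, ct);
            System.out.println("tampered ciphertext accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }

        // --- Permissions ---
        Permission granted = new FilePermission("/var/app/-", "read"); // hypothetical policy grant
        System.out.println("read  /var/app/conf/db.properties: "
                + covers(granted, new FilePermission("/var/app/conf/db.properties", "read")));
        System.out.println("write /var/app/conf/db.properties: "
                + covers(granted, new FilePermission("/var/app/conf/db.properties", "write")));
        System.out.println("read  /etc/passwd: "
                + covers(granted, new FilePermission("/etc/passwd", "read")));
    }
}
```

Compile and run with javac JcaJceDemo.java && java JcaJceDemo. The forged message fails verification, the flipped ciphertext byte raises AEADBadTagException, and only the first of the three permission checks returns true, because "/var/app/-" grants recursive read access under /var/app and nothing else.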
There are also interfaces such as Key, which is the common interface for all cryptographic keys, and Principal, which represents an entity such as a user id. To achieve a high degree of security, an application therefore uses programmatic security techniques in addition to the security features of the JVM and the declarative security of the container. In the Servlet API these are methods of HttpServletRequest: getRemoteUser() returns the login name of the authenticated user, or null if the request is not authenticated; getUserPrincipal() returns the java.security.Principal object for that user, again null when nobody is logged in; and isUserInRole(String) tests whether the authenticated user holds a given role.
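The following servlet is an added example, not code from the original article. It assumes the container has already authenticated the request through the login-config in web.xml (FORM or BASIC) and that the deployment descriptor maps some users to a hypothetical "admin" role; the class name, role name and the account parameter are assumptions. It shows the three programmatic checks a practitioner actually needs: refusing to serve over plain HTTP, treating a null getRemoteUser()/getUserPrincipal() as unauthenticated, and making an object-level authorisation decision with isUserInRole() so that a logged-in user can only view their own account.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet protecting an account page. Authentication itself is
 * done by the container (login-config in web.xml); this class only consumes
 * the result through the programmatic security methods.
 */
public class AccountServlet extends HttpServlet {

    static final String ROLE_ADMIN = "admin"; // hypothetical role name from web.xml

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Never serve an account page over plain HTTP, even if a misconfigured
        // security-constraint (transport-guarantee not CONFIDENTIAL) let it through.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Both methods return null when no user has been authenticated.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (user == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String account = req.getParameter("account");
        if (!canView(user, req.isUserInRole(ROLE_ADMIN), account)) {
            // Authenticated but not authorised for this particular account.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("principal: " + principal.getName());
        out.println("account:   " + account);
    }

    /**
     * Object-level authorisation: a user may view only their own account unless
     * they hold the admin role. Kept free of servlet types so it can be unit-tested.
     */
    static boolean canView(String user, boolean isAdmin, String account) {
        if (account == null) {
            return false;
        }
        return isAdmin || account.equals(user);
    }
}
```

Keeping the decision in canView() separates the servlet plumbing from the authorisation rule; the rule can then be tested without a container, for example canView("alice", false, "alice") is true while canView("alice", false, "bob") is false and canView("root", true, "bob") is true.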