[Webappsec] Java Frameworks for Secured Web Services
Stephen de Vries
stephen at twisteddelight.org
Thu Dec 20 05:47:16 EST 2007
Hi,
> On 12/20/07, marcandre.laverdiere at tcs.com <marcandre.laverdiere at tcs.com
> > wrote:
>>
>> Hello,
>>
>> I'm a 'traditional' security guy, and I'm having the chance of being
>> involved in a project that uses a lot of Web technologies, all
>> coded in
>> Java. So, I'm out of my comfort zone in my own domain of expertise.
>> Yay.
>>
>>
>> This project has already a pretty big codebase, developed without
>> security in mind, and I need to make proposals to change that.
>>
>> We have a web application that communicates to a server via web
>> services. I
>> have a good idea on how to make the application safer, and putting
>> authentication/authorization there seems doable. There are nice
>> libraries I
>> can use (such as HDIV) that will make it easy to deal with a lot of
>> problems.
The application architects have already chosen to work with a certain
set of frameworks, so I'd recommend finding out what those frameworks
are, and then researching the security features offered by them. If
they don't offer the services you require, then you could consider
using a security specific framework. The important thing IMO is to
work closely with the architects and developers, as they'll be the
ones implementing the security functionality.
>>
>> For the web service side of things, I feel like my brain wants to
>> melt. The
>> OWASP document talks about those standards that leave me
>> breathless. Are
>> there any platforms/middleware/libraries that I can use to secure
>> this
>> thing? Can I implement some wrapper around the existing WS calls
>> that would
>> have all the security (including access control) done, keeping the
>> existing
>> code mostly untouched?
As above, first find out which frameworks were used to implement the
web services layer. The framework itself almost certainly has its
own access control facilities built in.
regards,
Stephen
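As an added illustration of the "wrapper around the existing WS calls" idea raised in the question (this is example code, not from the thread or from any framework the thread names): a servlet Filter can sit in front of the existing web service endpoints and enforce authentication and role-based access control without touching the service code. It assumes the services are mapped under /services/* and that the container has already authenticated the caller (a login-config in web.xml), so getUserPrincipal() and isUserInRole() are populated; the path prefixes and role names are constructed for the example.

```java
// Added example: a servlet Filter that wraps existing web service endpoints
// with an authentication check and a default-deny role check. Assumes
// container-managed authentication and a filter-mapping on /services/*.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WebServiceAccessControlFilter implements Filter {

    // Constructed policy: path prefix -> role required to call it.
    // Any path under /services/ with no matching rule is denied.
    private final Map<String, String> requiredRoleByPrefix = new HashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        requiredRoleByPrefix.put("/services/orders", "order-user");   // assumed role name
        requiredRoleByPrefix.put("/services/admin", "service-admin"); // assumed role name
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: authentication. The container sets the Principal when a
        // login-config (BASIC, FORM, CLIENT-CERT, ...) is declared in web.xml.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 2: authorization. Match the request path (context path already
        // stripped by the container) against the policy and require that role.
        String path = request.getServletPath() + nullToEmpty(request.getPathInfo());
        String role = requiredRole(path);
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Both checks passed: hand off to the unchanged web service endpoint.
        chain.doFilter(req, res);
    }

    // Returns the role required for a path (first matching prefix rule),
    // or null when no rule matches; null is treated as deny by the caller.
    String requiredRole(String path) {
        for (Map.Entry<String, String> rule : requiredRoleByPrefix.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    private static String nullToEmpty(String s) {
        return s == null ? "" : s;
    }

    public void destroy() {
    }
}
```

To activate it, declare the filter in web.xml with a filter-mapping whose url-pattern is /services/* so it runs before every service endpoint; the existing endpoints need no changes. The policy is deliberately default-deny: an endpoint that nobody remembered to add a rule for returns 403 rather than being silently open, which is the failure mode to watch for when retrofitting access control onto a large existing codebase.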
>> _______________________________________________
>> Webappsec mailing list
>> Webappsec at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/webappsec
>>