WSS - Over views.

Overview of web Service Security

 

1. Wire-level Security

1) The client and Service need insurance for client and service sides

2) the sent data need be encrypted

3) the data should be integrity. The send data should be the same as the received data.

 

2. Authentication and Authorization

For Authentication, we need some credential information, like username and pin

 

For Authorization, if the user has passed authentication, you could get access the resource based on his role

 

HTTPs(Hyper text transport protocol over Secure Socket Layer), for now SSL has been renamed to TLS(Transport layer Security). But they differ in version number and 一些技术细节。

 

 

Https provider three critical security service over the transport services that HTTP proivdes

a. Peer Authentication -- mutual authentication or mutual challenge.

b. Confidentiality - make the  sent messages secrit by encrypting technology

c. Integrity - the sent and received message should be same, if not, the difference should be detected

 

 Peer Authentication ---it is finished by exchanging the certificates, But in many cases, it is only the client that challenge the server.

eg> 1>The customer's browser chanllenge the vendor's web server to authenticate itself and the 

the server response by sending one or more digital certificates to the browser.

2>The browser check the web server's digital sertificates against the brower's trust-store which is a database of digital certificates that the browser trusts.

3> the server typically does not chanlllenges the browser.

 

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443" 

SSLEnabled="true"
   maxThreads="150"
   scheme="https"
   secure="true"
   clientAuth="false"
   sslProtocol="TLS" 
   keystoreFile="/conf/server.keystore"
   keystorePass="123456" />

  "clientAuth" is set to false, which tell tomcat does not chanllenge the client.