Hello guys!
My first post here! I wanted to get some community help on security of web services.
I’m doing a state of the art on web services security. I need every bit of a solution out there that solves concerns about identification, access control, transmission related ones like data integrity, protection, non repudiation…
So I fetched some real world solution to fill those needs, I found those for SOAP based web services:
- Identification: WS-Security Framework
- Authentication: Extensible Access Control Markup Language (XACML)
- Authorization
[LIST] - Extensible Rights Markup Language (XrML)
- XML Key Management (XKMS)
- Security Assertion Markup Language (SAML)
- .NET Passport
[/LIST]
- Confidentialité
[LIST] - WS-Security Framework
- XML-Encryption
- Secure Sockets Layer (SSL)
- WSS
[/LIST]
And almost all of them are implementable using spring-security
On the other hand RESTful web services having the reputation to be less secure. Being based on the web SSL/TLS is a great solution for encryption, but other security protocols do exist like:
- OAuth: used by facebook, twitter, without tokens exchange
- OpenID: used by google
- CAS
- LDAP, Kerberos
- Persona, BrowerID
Another solution may be to integrate the security in the enterprise bus as a service (Security as a Service)…
So my question is : Are there any other solutions i should know about? is there any other frameworks?
Thanks a lot