
Understanding Security Management in Web Services

With the increasing popularity of performing business transactions over the web, it has become a necessity to create web applications that are both efficient and secure. Security must be managed well so that clients' sensitive data is protected from malicious attacks and other threats, which makes security management a crucial aspect of developing a web application. In a J2EE application we use security features that run in the JVM itself: a security manager object can be implemented in the application to make use of the JVM's security features. For an application to be secure, all programs within it must obey certain rules, which are also called permissions.

In addition to the default JVM security features, there are Java packages that provide security features within an application: the java.security package and the javax.crypto package. The security API includes the Java Cryptography Architecture (JCA) and the crypto API includes the Java Cryptography Extension (JCE). Both implement various cryptographic algorithms for enforcing security in the application. Digital signatures and certificates are further means of implementing security features.

We can compare security in web services with the security provided by operating systems. In operating systems we have users, roles and groups of users. In web applications, likewise, a user is assigned a login id and password for authentication. But this form-based authentication alone cannot provide a high degree of security, because the id and password are transmitted over the internet in an unencrypted format. To ensure secure transmission, SSL is used. SSL stands for Secure Sockets Layer; it uses data encryption techniques, together with private and public keys, to avoid the risk of the data being decoded by hackers.

Now we will discuss the cryptographic techniques for providing security from the programming point of view. The Java security API contains various classes and interfaces that together implement a secure framework for the application. Let us look at some of them to understand the actual security implementation within a program. The class AccessController controls decisions about access permissions. Other classes are Permission, Policy and Provider. Permission and Policy are abstract classes which represent access to system resources and the system security policy respectively. The Provider class represents a provider, which actually implements the security services used by an application. Another class, Signature, implements digital signature algorithms. There are also interfaces such as Key and Principal, which provide the common interface to all keys and to entities (such as a user id) respectively.

So to achieve a high degree of security in an application, we have to use programmatic security techniques in addition to the security features of the JVM. It is worth mentioning some methods that implement programmatic security as well. The method getRemoteUser() returns the name of the remote user, and getUserPrincipal() returns the Principal object for the current user.
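As an added example (not code from the original article), the following program shows the Signature class described above in use: it signs a constructed transaction payload with a freshly generated RSA key pair, verifies the signature, and then shows that a tampered payload fails verification. The algorithm name SHA256withRSA, the key size and the sample payload are assumptions chosen for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example: digital signatures with the JCA Signature class.
public class SignatureDemo {

    // Sign the message bytes with the private key using SHA256withRSA
    // from the default installed Provider (assumed algorithm choice).
    static byte[] sign(PrivateKey priv, byte[] message) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(message);
        return signer.sign();
    }

    // Verify the signature over the message bytes with the matching public key.
    // Returns false if either the message or the signature has been altered.
    static boolean verify(PublicKey pub, byte[] message, byte[] sig) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Generate a fresh RSA key pair for the demo. In a deployed application
        // the keys would be loaded from a keystore rather than created per run.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample payload representing a business transaction.
        byte[] original = "transfer:100:account-42".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(pair.getPrivate(), original);
        System.out.println("original verifies: " + verify(pair.getPublic(), original, sig));

        // The same signature over a modified amount must be rejected.
        byte[] tampered = "transfer:900:account-42".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered verifies: " + verify(pair.getPublic(), tampered, sig));
    }
}
```

Running the program prints true for the original payload and false for the tampered one, which is the integrity guarantee a digital signature provides on top of transport-level encryption such as SSL.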