Can anyone please briefly explain the concepts involved in WS-Security to protect SOAP from intermediate web services?
WS-Security does not implement anything new. It says how to use XML Encryption and XML Signature specifications in the SOAP world.
WS-Security is transport independent and provides message level security.
Since it's message-level security, when we use encryption the message will be encrypted with a key known to the ultimate receiver, so intermediaries cannot view the message.
Thanks...
It is difficult to provide a simplistic answer unless we know what you are interested in (as Tim mentioned in his comment).
Have a quick read at this to get an idea.
http://www.ibm.com/developerworks/webservices/tutorials/ws-understand-web-services4/
This is not the only reference but think of it as a place to start.
Once you have an idea you will be able to ask specific questions, and the folks here will be able to help you out with their answers.
HTH
Manglu
JSR 109: Implementing Enterprise Web Services
... is also an interesting read. The doc has some further references on the topic.
Related
My client suggests that implementing a web service using WS-Policy entries inside the WSDL (using WS-SecurityPolicy standard, which seems to be the recommended way) might cause incompatibility issues with clients that call the web service. My first question is, are his concerns correct? If not, how can I prove to my client that it is safe to use WS? I could not find anything on the subject.
If compatibility issues can indeed occur, I need to find a different way to implement WS-Security requirements (like signing parts etc.) without Spring, using JavaEE APIs. I could not find anything on that subject either. The only thing I could find is about standalone web services but I do not want that, I want a web application and I need to use JavaEE APIs (so no Spring).
Any help will be appreciated.
If you have pre-existing clients already using this webservice, then yes it will break compatibility if you add WS-Security.
But if no one is using it, or it hasn't been developed yet, how will this cause compatibility issues?
Personally I see WS-Security as rather complex, particularly in the area of signing and encryption, so if your client had said that some clients might not have the skills to implement the web service I would have been inclined to agree with him.
I have a question regarding authorization for SOAP services. Please note I am asking for authorization, not authentication which I know how to do using WS-Policy specification.
What I would like to do is to define access rights for different SOAP operations. For example: getMeSomeData operation is accessible to simpleUser but getMeSomeSecretData operation is not, but it is accessible to adminUser.
I was assuming this is possible since SOAP standard is quite complex. Is there anyone well oriented in SOAP who knows if it is? And if it is possible, could you give me any guidance or article I could read about how to do it?
Based on my extensive googling, this is not possible.
About the only way to do this would be with some kind of server integration with whatever the back-end of the SOAP service may be. But this wouldn't be a SOAP functionality as much as a 'hack' sitting behind it using whatever your authentication layer may happen to be.
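A sketch of the server-side check this answer describes, as an added example that is not part of the original post: the operation is read from the first child of `soap:Body` and matched against a deny-by-default role map. The service namespace `urn:example:data`, the `ACL` mapping and the helper names are assumptions; the caller's roles are assumed to come from an authentication step that has already run.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:data"  # hypothetical service namespace (assumption)

# Operation -> roles allowed to call it. Names follow the question; the
# mapping itself is an assumption. Operations not listed are denied.
ACL = {
    (SVC_NS, "getMeSomeData"): {"simpleUser", "adminUser"},
    (SVC_NS, "getMeSomeSecretData"): {"adminUser"},
}


def requested_operation(envelope: bytes):
    """Return (namespace, local name) of the first child of soap:Body."""
    # SOAP 1.1 forbids a DTD; byte-level check assumes UTF-8 input.
    if b"<!DOCTYPE" in envelope:
        raise ValueError("DTD not allowed in SOAP messages")
    root = ET.fromstring(envelope)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("empty or missing soap:Body")
    tag = body[0].tag
    if not tag.startswith("{"):
        raise ValueError("operation element has no namespace")
    ns, local = tag[1:].split("}", 1)
    return ns, local


def is_authorized(envelope: bytes, roles: set) -> bool:
    """Deny by default: malformed input, unknown operation or missing role."""
    try:
        op = requested_operation(envelope)
    except (ValueError, ET.ParseError):
        return False
    return bool(ACL.get(op, set()) & roles)


def make_request(operation: str, ns: str = SVC_NS) -> bytes:
    """Constructed sample request in RPC or document/literal wrapped style."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<d:{operation} xmlns:d="{ns}"/></s:Body></s:Envelope>').encode()
```

The check keys on the namespace-qualified element name, so an element with the right local name in a different namespace is denied along with any operation missing from the map.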
Which approach (Contract-First/Code-First) should be used when creating Web services with Apache Axis2? If I choose the contract-first approach, which tool should I use to create wsdl? I am using the WSO2 platform.
Contract-first is the best approach IMHO. The reason is quite simple. When you code first and generate a WSDL, it might change. This may cause problems for other teams working on client code based on that WSDL.
In case of contract first, the WSDL will always be the subject of discussion between teams, and it will not just change because of code changes, but only when all parties agree.
It is best to use versioning in it as well.
You can create a WSDL in Eclipse, which also has excellent checks (requires internet access).
Definitely contract first.
Interfaces are the way to go for strongly typed web services.
I thought to practice the SOAP API. I know it is a time for REST but I thought to give SOAP a try. I somehow found that the Flickr.com API supports SOAP, but it has very difficult documentation. No working examples are available.
Q1. So, does anyone know where I can learn SOAP? Does anyone have a working SOAP example for the Flickr API?
Q2. Is there any service other than Flickr providing a SOAP interface? I saw that the Google search API has closed new requests for SOAP.
regards
SOAP has been largely superseded by REST on the public Internet - as you have noted in your question and has been alluded to in comments.
There are still large users in the Intranet context, companies with an installed base of SOAP, Service Bus, and other concepts that you may well come across if you end up working at one of them. (There are still CORBA users out there also!) When you control both ends of the application, you may have less reason to be flexible using REST.
So if you are looking for useful public implementations you are mostly out of luck.
That said: do create your own services and try them out on your own. Define a service and implement it. Create a client in a different language. Create another client in a third language.
If you are looking for an educational experience, this will lead you down some of the same paths that have led to REST use in wide-scale disparate systems (and may also shed light on why the public/private has split the way it has).
Good Luck
I know what SOAP, WSDL and UDDI are.
But what is the relation between them, and how do I establish the relationship in code?
It would be good if someone could post sample code which has all of these.
Thanks in advance.
SOAP is the XML-based protocol used to send and receive web service messages. WSDL is the XML-based language used to describe the format of the messages, and the details of the interaction with the service.
UDDI is not used very much. It sounded like a good idea at the time it was invented, but turned out not to be useful.