Writing Secure Web Services (with Java and Axis)
Web Services are message-oriented. This means that any application intention (the need for security, for transactionality, for reliability, etc.) must be included in the message and not just assumed as external context. The WS-Security specifications are very advanced and are currently being used in the wild to create robust, secure web services.
This session will examine these specifications, including:
• WS-Security
• WS-Policy - for sharing enforcement and encryption strategies
• WS-Privacy - for agreeing on privacy policy for service usage
• WS-Encryption - for encrypting or signing all or part of a message
• WS-Trust - for creating a single-sign-on solution
• WS-Federation - works with WS-Trust
These specifications, plus others like WS-Addressing and WS-Notification, provide a platform for communicating security intent across multiple network
layers and many platforms. Of course, these specifications only define modifications to the messagapplication author. We will demonstrate these capabilities using the Axis toolkit and the J2SDK.
About Justin Gehtland
Justin is the co-founder of Relevance, a consulting/training/research organization located in the Research Triangle of North Carolina. Justin has been developing applications with static and dynamic languages since 1992. He has written code with Java, .NET, C#, Visual Basic, Perl, Python and Ruby. He loves to talk, especially in front of people, but all by himself in the corner if he must. Justin is currently focused on: Rails (because it's the law), Spring (because Java isn't going anywhere) and security (because paranoia is your friend).