Overview of Message Security

Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent in security applied at the application layer, its security properties are not transferable to applications running in other environments, and they protect data only while it resides in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, Java EE security mechanisms provide only a partial solution.

The characteristics of a web service that make its security needs different from those of other Java EE applications include the following:

Some of the characteristics of a web service that make it especially vulnerable to security attacks include the following:

Additionally, the distributed nature of web service interactions and dependencies might require a standard way to propagate identity and trust between application domains.

There are several well-defined aspects of application security that, when properly addressed, help to minimize the security threat faced by an enterprise. These include authentication, authorization, integrity, confidentiality, and non-repudiation, among others. These requirements are discussed in more detail in Characteristics of Application Security (page 861).
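The following example is added here to illustrate the point made above; it is not code from the Java EE tutorial. It shows why protection attached to the message itself, rather than to the application environment or the transport session, can carry integrity and origin authentication across hops: a sender signs the payload with its private key and attaches the signature to the message, and any receiver that holds the sender's public key can verify it, even after the message has been queued, stored, or forwarded through an intermediary. The `sign` and `verify` helpers, the `--signature--` separator, and the order payload are constructed for this demonstration; a real deployment would use the container's message security mechanisms rather than this hand-rolled envelope format.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

// Added example (not part of the tutorial): a signature that travels with the
// message lets a receiver in a different environment check integrity and origin
// without any session or trust relationship with the sender's container.
public class SignedMessageDemo {

    // Hypothetical envelope format: payload, then a separator, then the signature.
    private static final String SEPARATOR = "\n--signature--\n";

    // Sender side: sign the payload and attach the Base64 signature to the message.
    static String sign(String payload, PrivateKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(payload.getBytes(StandardCharsets.UTF_8));
        String encoded = Base64.getEncoder().encodeToString(sig.sign());
        return payload + SEPARATOR + encoded;
    }

    // Receiver side: split the envelope and verify the signature with the
    // sender's public key. Unsigned or malformed messages are rejected.
    static boolean verify(String message, PublicKey key) throws GeneralSecurityException {
        int idx = message.lastIndexOf(SEPARATOR);
        if (idx < 0) {
            return false; // no signature attached: treat as untrusted
        }
        String payload = message.substring(0, idx);
        byte[] signature;
        try {
            signature = Base64.getDecoder().decode(message.substring(idx + SEPARATOR.length()));
        } catch (IllegalArgumentException malformed) {
            return false; // signature bytes are not valid Base64
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(payload.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample payload (hypothetical order document).
        String payload = "<order><id>1001</id><amount>250.00</amount></order>";
        String message = sign(payload, pair.getPrivate());

        // The message may pass through queues or intermediaries; the receiver
        // verifies it with nothing more than the sender's public key.
        System.out.println("valid:    " + verify(message, pair.getPublic()));

        // Any change to the payload in transit invalidates the signature.
        String tampered = message.replace("250.00", "2500.00");
        System.out.println("tampered: " + verify(tampered, pair.getPublic()));
    }
}
```

Running the class prints `valid: true` followed by `tampered: false`. The contrast with transport-layer protection is the point: a TLS session protects the bytes only between two endpoints and leaves no evidence behind, whereas the signature above stays attached to the message and can be checked later, by a different party, in a different application environment.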

One of the methods that can be used to address the unique challenges of web services security is message security. Message security is discussed in this chapter, which includes the following topics: