You just asked yourself several million dollar questions. First, Web Services are ever evolving, and it seems to me that there are way too many standards and standards bodies out there. So you're not alone. Second, Apache Axis implements SOAP 1.1, and security is beyond the scope of the SOAP specification. There are several groups right now addressing Web Service Security - my advice is to check out the Microsoft/IBM/VeriSign camp's WS-Security Specification. http://www.oasis-open.org/committees/wss/
VeriSign has their "Trust Services Integration Kit" v1.7 out at http://www.xmltrustcenter.org/index.htm which includes a Java implementation of WS-Security, but it won't play nice with Axis because VeriSign implemented their own SOAP messaging API in it. I'm currently implementing WS-Security via Axis myself, using .Net clients to consume the services (Microsoft has their own WS-Security implementation in their WSE 1.0 add-on pack to the .Net Framework). If anybody knows of a better way, please drop me a line.

-Jon

-----Original Message-----
From: Nicolas Dinh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 1:45 PM
To: [EMAIL PROTECTED]
Subject: Web Service Model - Security Issues

Hi,

I'm still quite new to all of this. But from what I understand, one of the main goals of using a Web Service Model is to essentially make its interface universal and accessible to anyone. How does one protect one's Web Service from malicious attacks? One that comes to mind and can be done quite easily is flooding a Web Service with SOAP calls. If the scope of the AXIS Web Service is per request, then the Web Service object is instantiated every time a SOAP call is made and can put quite a load or even crash the server that is hosting the Web Service?

Regards,
Nicolas Dinh