Agreed. I was not thinking in terms of DoS attacks when I replied, more in terms of authentication and authorization. All three (DoS, authentication, authorization) are very distinct problems.
My apologies Nicolas if I caused any confusion.

-----Original Message-----
From: Ricky Ho [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 2:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Web Service Model - Security Issues

I think we should separate "security" from "DOS" attacks. The current web services standards have sufficient "technical" coverage in security, it is a matter of rate of adoption.

DOS attack is different. In fact, by looking at the complexity in security processing, the hacker doesn't need to simulate many clients to bring down a web services site.

Rgds, Ricky

At 02:02 PM 1/28/2003 -0500, Anderson Jonathan wrote:
>You just asked yourself several million dollar questions.
>
>First, Web Services are ever evolving, and it seems to me that there are way
>too many standards and standards bodies out there. So you're not alone.
>Second, Apache Axis implements SOAP 1.1, and security is beyond the scope of
>the SOAP specification. There are several groups right now addressing Web
>Service Security - my advice is to check out the Microsoft/IBM/VeriSign
>camp's WS-Security Specification. http://www.oasis-open.org/committees/wss/
>
>VeriSign has their "Trust Services Integration Kit" v1.7 out at
>http://www.xmltrustcenter.org/index.htm which includes a Java implementation
>of WS-Security, but it won't play nice with Axis because VeriSign
>implemented their own SOAP messaging API in it.
>
>I'm currently implementing WS-Security via Axis myself, using .Net clients
>to consume the services (Microsoft has their own WS-Security implementation
>in their WSE 1.0 add-on pack to the .Net Framework).
>
>If anybody knows of a better way, please drop me a line.
>
> -Jon
>
>
>-----Original Message-----
>From: Nicolas Dinh [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, January 28, 2003 1:45 PM
>To: [EMAIL PROTECTED]
>Subject: Web Service Model - Security Issues
>
>
>Hi,
>I'm still quite new to all of this. But from what I understand, one of the
>main goals of using a Web Service Model is to essentially make its interface
>universal and accessible to anyone.
>How does one protect one's Web Service from malicious attacks? One that
>comes to mind and can be done quite easily is flooding a Web Service with
>SOAP calls. If the scope of the AXIS Web Service is per request, then the
>Web Service object is instantiated every time a SOAP call is made and can
>put quite a load or even crash the server that is hosting the Web Service?
>Regards,
>Nicolas Dinh