There are many, many choices for securing web services -- though many of them don't really work well unless you're rolling your own WS from scratch.
The big set of standards proposed by MS, BEA, IBM, RSA, SAP, and Verisign are discussed here:
http://www.webservices.org/index.php/article/articleview/823/1/65/
But there are several other proposed standards and mechanisms for securing web servers
http://www.webservices.org/index.php/article/archive/65
I'm not a security guru, but considering the SOAP messages we send are wrapped with headers secured by a digital certificate issued by the receiver, I'm not too concerned right now about authentication :)
The WSSE (web service-security) extensions were pretty straightforward to implement in Java. I just wrote a few Java classes that are invoked from ColdFusion that handle creating and sending the messages securely. Would have liked to simply use CFINVOKE, but the security wrapper was more important (and required).
Regards,
John Paul Ashenfelter
CTO/Transitionpoint
[EMAIL PROTECTED]
----- Original Message -----
From: Michael Dinowitz
To: CF-Talk
Sent: Thursday, October 02, 2003 5:51 PM
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the ones
that allow logins. Basically, a username/password is sent to the service and it
responds with data if the person is a valid user. What stops someone from using
the web service again and again to test a un/pw until they get the right one?
Maybe the answer is obvious and I don't see it.
checking amount of attempts per IP - ip can be forged
checking amount of attempts per UN - scheduled attempt or multiple UN tries
hidden communications key in stream - can be 'seen' (combined with SSL might work)
--
Michael Dinowitz
Finding technical solutions to the problems you didn't know you had yet
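One defensive answer to the brute-force concern raised in the message above, as an added example that is not part of this thread: throttle failed login attempts per username and per source address at the same time, so that rotating or forged IPs do not defeat the per-IP count and a single username cannot be hammered from many sources. The window sizes and limits are assumed policy values, and check_credentials stands in for whatever the service uses to validate a password.

```python
# Added example (not from the thread): a login throttle for a web-service
# endpoint that counts failed attempts per username AND per source IP over a
# sliding window. Per-IP counting alone is weak (addresses can be rotated or
# forged); per-username counting alone lets an attacker try many usernames.
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # sliding window length (assumed policy value)
MAX_PER_USER = 5          # failed attempts allowed per username per window
MAX_PER_IP = 20           # failed attempts allowed per source IP per window


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for testing
        self.by_user = defaultdict(deque)  # username -> failure timestamps
        self.by_ip = defaultdict(deque)    # source ip -> failure timestamps

    def _prune(self, q, now):
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, username, ip):
        now = self.clock()
        u, i = self.by_user[username], self.by_ip[ip]
        self._prune(u, now)
        self._prune(i, now)
        return len(u) >= MAX_PER_USER or len(i) >= MAX_PER_IP

    def record_failure(self, username, ip):
        now = self.clock()
        self.by_user[username].append(now)
        self.by_ip[ip].append(now)

    def record_success(self, username):
        self.by_user[username].clear()


def attempt_login(throttle, check_credentials, username, password, ip):
    """Return 'blocked', 'ok' or 'denied'. The throttle is consulted before
    the credential check, so a throttled request reveals nothing about
    whether the supplied password was correct."""
    if throttle.is_blocked(username, ip):
        return "blocked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"
```

Slow, scheduled attempts spread across windows still get through; that is the limitation the message notes, and it is why the failed-attempt log should also be fed to alerting rather than used only for in-line blocking.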