It seems some people are taking Web services security so serious. No you it is not a must to use WS-Security to secure your Web service communications. Most of the time the plain old SSL is enough.
If
- you are using http for communications
- message exchanges are always between two nodes and doesn't use multiple hops to go from source to destination
- not worried to encrypt only parts of the message. i.e. you want to encrypt the whole message
There are few advantages in using SSL over WS-Security. First its much simpler and easier. Most of the web container, like Tomcat or http implementations like httpclient supports https by default. You will have to do minimal changes to enable https.
And WS-Security might be complex and hard to get working.
So whenever your answer is "Yes" to all the three questions above, you are fine with SSL.
1 comments:
To your second question:
"message exchanges are always between two nodes and doesn't use multiple hops to go from source to destination"
I'm trying to imagine the requirement for a web-service which is consumed without going over multiple hops. Isn't there multiple hops going through the gateway/router/dmz/etc..?
Post a Comment