There's More to Using SOAP Than You Think
SOAP-DSIG provides sender authentication and non-repudiation services
JAVA IN THE ENTERPRISE --- 08/20/2002

David Wall

We've talked frequently about Simple Object Access Protocol (SOAP) in this column. After all, it's central to communication among the objects that make up distributed applications, particularly in a Web Services environment. We've not, however, given much coverage to SOAP Security Extensions: Digital Signature (SOAP-DSIG), published as a W3C Note in 2001.


As you might conclude from the name of the technology, SOAP-DSIG defines a SOAP message with a digital signature attached to it. As with other things that can be digitally signed (electronic mail messages, for instance), a SOAP-DSIG message is protected against tampering (altering the contents of a message en route to its recipient, which invalidates the signature) and spoofing (sending a message that appears to be from some source when it's in fact from another, which fails because the impostor lacks the sender's private key). Replay attacks (re-sending copies of an originally legitimate message) are a different matter: a copied message still carries a valid signature, so a signature by itself does nothing to stop them. Replay is defeated only if the signed content includes something unique, such as a timestamp or a message identifier, and the receiver rejects any value it has already accepted.

Those capabilities go beyond what's possible under Hypertext Transport Protocol (HTTP) with Secure Sockets Layer (SSL) encryption. SSL does prevent en route tampering and eavesdropping, and it does authenticate the server (and optionally the client) at the start of a connection, but that is where its guarantees stop: SSL protects a dialog between a Web client and a Web server while the connection lasts. Its integrity protection is a per-connection keyed checksum that either end could have computed, so nothing survives the connection that proves who authored a particular message. It therefore gives you no durable proof of authorship and no non-repudiation, that is, no way to hold a sender to a message when he later claims, truthfully or not, never to have sent it.

Key to the enhanced authentication and non-repudiation capabilities of SOAP-DSIG is its use of public key signatures over the message itself. SSL also uses public key cryptography, but only during its handshake; the data that follows is protected with a secret session key shared by the two communicating parties, so a received message can prove nothing to a third party, since the receiver holds the same key the sender used. A SOAP-DSIG signature is produced with a private key that only the sender holds and can be checked by anyone who has the corresponding public key, which is what makes the proof of origin persistent and transferable. Public key operations cost more work per message, but they provide a greater set of features.

SOAP-DSIG is implemented by adding a <SOAP-SEC:Signature> header entry to the SOAP envelope's <SOAP-ENV:Header>; the entry carries a standard XML-Signature <ds:Signature> element whose reference points at the element being signed, typically the <SOAP-ENV:Body>. Because the signature travels inside the message, it remains verifiable by the final recipient even when the message passes through intermediaries that terminate the transport connection. SOAP-DSIG itself provides no confidentiality, so after encapsulating the SOAP message in an HTTP request you should still SSL-encrypt the lot for protection against unwanted observation.
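The following is an added example, not code from the column or from the W3C Note, showing the sign-and-verify exchange the preceding paragraphs describe: the sender signs the SOAP Body with an RSA private key and places the result in a SOAP-SEC:Signature header entry, and the receiver verifies it with the public key, then applies the replay check that the signature alone cannot provide. The Body carries a MessageID element, a name chosen here for illustration, that is covered by the signature. As a simplification, the signed unit is the exact bytes of the Body element rather than an XML-Signature canonical form with ds:Reference digests; real implementations must canonicalise, and SignPKCS1v15 with SHA-256 is a modern choice rather than anything the 2001 Note prescribes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Namespace URIs: SOAP 1.1 envelope, the SOAP-DSIG W3C Note, XML-Signature.
const (
	nsEnv  = "http://schemas.xmlsoap.org/soap/envelope/"
	nsSec  = "http://schemas.xmlsoap.org/soap/security/2000-12"
	nsDsig = "http://www.w3.org/2000/09/xmldsig#"
)

var (
	// Simplification: the signed unit is the literal Body element carrying
	// SOAP-SEC:id="Body"; real XML-Signature canonicalises and digests it first.
	bodyRe  = regexp.MustCompile(`(?s)<SOAP-ENV:Body SOAP-SEC:id="Body">.*?</SOAP-ENV:Body>`)
	sigRe   = regexp.MustCompile(`<ds:SignatureValue>([^<]*)</ds:SignatureValue>`)
	msgIDRe = regexp.MustCompile(`<MessageID>([^<]*)</MessageID>`) // illustrative element name
)

// SignEnvelope wraps payload in a Body that also carries a unique MessageID
// (the replay defence), signs the Body with the sender's private key and puts
// the signature in a SOAP-SEC:Signature header entry.
func SignEnvelope(priv *rsa.PrivateKey, msgID, payload string) string {
	body := fmt.Sprintf(`<SOAP-ENV:Body SOAP-SEC:id="Body"><MessageID>%s</MessageID>%s</SOAP-ENV:Body>`,
		msgID, payload)
	digest := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only fails on a broken RNG or key
	}
	return fmt.Sprintf(`<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:SOAP-SEC="%s">
<SOAP-ENV:Header>
<SOAP-SEC:Signature SOAP-ENV:mustUnderstand="1">
<ds:Signature xmlns:ds="%s">
<ds:SignedInfo><ds:Reference URI="#Body"/></ds:SignedInfo>
<ds:SignatureValue>%s</ds:SignatureValue>
</ds:Signature>
</SOAP-SEC:Signature>
</SOAP-ENV:Header>
%s
</SOAP-ENV:Envelope>`, nsEnv, nsSec, nsDsig, base64.StdEncoding.EncodeToString(sig), body)
}

// VerifyEnvelope checks the signature with the sender's public key and only
// then rejects any MessageID already present in seen. It returns the verified
// Body: the receiver must act on those bytes and nothing else in the envelope.
func VerifyEnvelope(pub *rsa.PublicKey, env string, seen map[string]bool) (string, error) {
	body := bodyRe.FindString(env)
	if body == "" {
		return "", errors.New("no signed Body element")
	}
	m := sigRe.FindStringSubmatch(env)
	if m == nil {
		return "", errors.New("no SOAP-SEC:Signature header")
	}
	sig, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		// Covers both tampering (Body changed) and spoofing (signed with another key).
		return "", errors.New("signature does not verify: tampered or not from this sender")
	}
	// Replay check after the signature holds, so unauthenticated traffic
	// cannot fill the seen-set with identifiers of messages never really sent.
	id := msgIDRe.FindStringSubmatch(body)
	if id == nil {
		return "", errors.New("signed Body carries no MessageID")
	}
	if seen[id[1]] {
		return "", errors.New("replay: MessageID " + id[1] + " already accepted")
	}
	seen[id[1]] = true
	return body, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	seen := map[string]bool{}
	env := SignEnvelope(priv, "msg-0001", "<Transfer><Amount>100</Amount></Transfer>") // constructed sample
	_, err := VerifyEnvelope(&priv.PublicKey, env, seen)
	fmt.Println("original:", err)
	_, err = VerifyEnvelope(&priv.PublicKey, env, seen)
	fmt.Println("replayed:", err)
	_, err = VerifyEnvelope(&priv.PublicKey, strings.Replace(env, "<Amount>100<", "<Amount>900<", 1), map[string]bool{})
	fmt.Println("tampered:", err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = VerifyEnvelope(&priv.PublicKey, SignEnvelope(other, "msg-0002", "<x/>"), map[string]bool{})
	fmt.Println("spoofed: ", err)
}
```

Two design points matter in practice. The replay cache is updated only after the signature verifies, so an attacker cannot flood the receiver with forged identifiers and block legitimate messages; in a real deployment the cache is bounded by also signing a timestamp and discarding messages older than a window. And the verifier returns the exact bytes it checked: processing a different part of the envelope than the part the signature covers is the gap that XML signature wrapping attacks exploit, so the application must consume only the verified element.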

 

David Wall works as a freelance writer, programmer, lecturer, and consultant. Based near Washington, D.C., David has written and co-written several books, including Graphics Programming with JFC. David can be reached at David.Wall@itworld.com.


