在内部专用网络上保护SOAP Web服务的最佳方法是什么? [英] What is the best way to secure SOAP web service on an internal private network
问题描述
如今,有越来越多的Web服务供内部使用,以将应用程序连接在一起.我们没有ESB来控制和保护此Web服务,因此我想有一种保护它们的好方法.
Today's there is more and more web services developed for internal use to connect applications together. We do not have an ESB to control and secure this web services so I guess on what is a good way to secure them.
我们尝试设置双向SSL,但是我们无法控制特定Web服务上的授权.
We have try to setup Two-Way SSL but we are not able to control the authorization on a particular web service.
我的需求是能够控制哪个应用程序正在调用我的Web服务,并且该应用程序有权调用它.
My need is to be able to control which application is calling my web service and is this application authorized to call it.
我不喜欢WS-Trust和Ws-Security,因为这会改变原始的SOAP消息,但似乎它们不是其他解决方案.
I don't like WS-Trust and Ws-Security because this alter the original SOAP message but it seems that they are no other solution.
有什么主意吗?
谢谢
推荐答案
在您的问题中,您提到您不想修改当前的SOAP消息-这意味着消息级别的安全性已消失.
In your question you mention that you do not want to modify the current SOAP message - that means message level security is out.
因此,您需要继续进行传输级安全性.
So you need to go ahead with transport level security.
即使使用两种方式的SSL,您也可以根据用户证书的指纹来授权用户-具体如何执行取决于您使用的堆栈.
Even with two way SSL you wil be able to authorize users based on the thumbprint of the user certificate - how to do that depends on the stack you use.
其他选项是..
- 基于HTTPS的基本身份验证
- 两足式OAuth
区别在于,两足式oauth支持不可否认性,而基本auth不支持.
The difference is, 2-legged oauth supports non-repudiation while basic auth does not.
无论您使用哪种身份验证机制,都可以使用XACML进行细粒度的授权...
Irrespective of the mechanism you use to authenticate, you can use XACML for fine grained authorization...
这篇关于在内部专用网络上保护SOAP Web服务的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!