358 Patterns: Implementing Self-Service in an SOA Environment
Figure 10-42 Point-to-point security with HTTPS
Here are a few simple guidelines to help decide when transport-level security
should be used:
• No intermediaries are used in the Web service environment.
  With intermediaries, the entire message has to be decrypted to access the
  routing information. This would break the overall security context.
• The transport is only based on HTTP.
  No other transport protocol can be used with HTTPS.
• The Web services client is a stand-alone Java program.
  WS-Security can only be applied to clients that run in a J2EE container (EJB
  container, Web container, application client container). HTTPS is the only
  option available for stand-alone clients.
Bus security
The service integration bus provides facilities for secure communication between
service requestors and the bus (inbound to the bus), and between the bus and
any target Web services (outbound from the bus). Security in the bus can be
applied at a number of different levels.
• Web services security (WS-Security) in the bus
• HTTP endpoint listener authentication
• Operation-level authorization
• Using HTTPS with the bus
• Proxy server authentication
For more details on how to implement the above security levels in the bus, see
Chapter 22 of WebSphere Version 6 Web Services Handbook Development and
Deployment, SG24-6461.
10.8.2 Web Services Gateway
If you are deploying the application using Network Deployment, you have the
option to deploy your Web services through IBM’s Web Services Gateway. This
option is not available for standalone server environments.
[Figure 10-42 labels: Web service client, Intermediary, Web service server; a Security Context and an HTTPS link shown twice]
