Overview of Web Service Security
1. Wire-level Security
1) The client and the service each need assurance about the other side (protection for both the client side and the service side).
2) The data that is sent needs to be encrypted.
3) The data must keep its integrity: the data received should be the same as the data sent.
2. Authentication and Authorization
For authentication, we need some credential information, like a username and a PIN.
For authorization, once the user has passed authentication, he can access a resource based on his role.
HTTPS (HyperText Transfer Protocol over Secure Sockets Layer). SSL has since been renamed TLS (Transport Layer Security); the two differ in version number and in some technical details.
HTTPS provides three critical security services on top of the transport service that HTTP provides:
a. Peer authentication -- mutual authentication or mutual challenge.
b. Confidentiality -- the sent messages are kept secret by encryption.
c. Integrity -- the sent and received messages should be the same; if they are not, the difference must be detected.
Peer authentication is done by exchanging certificates, but in many cases it is only the client that challenges the server.
e.g. 1> The customer's browser challenges the vendor's web server to authenticate itself, and the server responds by sending one or more digital certificates to the browser.
2> The browser checks the web server's digital certificates against the browser's trust store, which is a database of the digital certificates that the browser trusts.
3> The server typically does not challenge the browser.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" redirectPort="8443"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/conf/server.keystore" keystorePass="123456" />
"clientAuth" is set to false, which tells Tomcat not to challenge the client: only the server presents a certificate (one-way TLS), so peer authentication is not mutual here.
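As an added example (not part of these notes or of Tomcat itself), the following Python script reads a server.xml fragment and reports, per Connector, which of the three HTTPS services is missing: it flags a plaintext port, one-way TLS (clientAuth not "true"), and a keystore password kept in clear text. The sample fragment is constructed from the Connector above, wrapped in a Service element so it parses; the finding strings are this example's own wording.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the notes, plus a plain HTTP connector,
# wrapped in the <Service> element that surrounds Connectors in server.xml.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             connectionTimeout="20000" redirectPort="8443" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="/conf/server.keystore"
             keystorePass="123456"/>
</Service>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for every Connector in the fragment."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        findings = []
        if conn.get("SSLEnabled", "false").lower() != "true":
            # No TLS at all: neither confidentiality nor integrity on the wire.
            findings.append("plaintext: no confidentiality or integrity on this port")
            if conn.get("redirectPort") is None:
                findings.append("no redirectPort to an HTTPS connector")
        else:
            # scheme/secure tell the servlet API the request arrived over TLS.
            if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
                findings.append("scheme/secure not set; request.isSecure() will be wrong")
            client_auth = conn.get("clientAuth", "false").lower()
            if client_auth == "want":
                findings.append("client certificate requested but not required")
            elif client_auth != "true":
                # Only the server is challenged: peer authentication is one-way.
                findings.append("one-way TLS: server is authenticated, client is not")
            if conn.get("keystorePass"):
                findings.append("keystore password stored in clear text in server.xml")
            if conn.get("sslProtocol", "").upper().startswith("SSL"):
                findings.append("sslProtocol selects SSL rather than TLS")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SERVER_XML).items():
        print(port, findings)
```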