
I've done some searching and found lots of answers that don't quite give me what I'm looking for, so here goes.

Firstly I'm looking into an area I'm not really familiar with, so go easy on me if the answer is obvious.

I'm looking for a framework (ideally Java-based) that I can use to wrap the business logic of my current web application to accept secure communications from external applications over the web (authentication of the source of the request, and secure passing of credentials), and serve up content.

Some way back, about 4 or 5 years ago, I was looking at Axis 2 for some internal intranet-based communications, and looking at it again it seems there are security modules you can use to extend it to give the security I want, but I'm wondering if there is an alternative to also consider.

Speed is a potential requirement; the content is text and metadata in XML format and could potentially be up to 10 or 20Mb in size, but more often less than that.

Thanks in advance

Scribe74

2 Answers


IMHO your question is too vague.
Concerning security, and since you mention Axis2, you could use web service calls over HTTPS.
I assume that, concerning the security modules, you are referring to the WS-Security specs.
You can look into these.
For authentication purposes, if you go for web services, you could see the answer here: secure web services on glassfish
The answers also mention some security notations, but I am not familiar with these.
Hope this helps.

Cratylus

Using a web service framework and web service security would be a natural choice. The web service standard is supported by a wide range of platforms, which may be important if you are going to support different types of clients. The web service security model is also widespread. You may use Axis, but today I would prefer Apache CXF: http://cxf.apache.org/docs/ws-security.html

You may also use web services over two-way SSL. This would require you to issue SSL client certificates. It is a more "basic" approach and you would probably have to define access rules in both your web server/application server and authorization code in Java, but SSL is even more mature than web service security.

A third way is to simply use web services over one-way SSL and secure each web service call with a username and password or another proprietary scheme.

Which strategy to choose depends heavily on the capabilities of your clients in my opinion.

sstendal
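The two-way SSL option from the answer above, sketched with the JDK's built-in HTTPS server as an added example (not code from the original answers): the TLS layer rejects clients without a certificate from your CA, and Java code then authorizes the caller by certificate CN. The keystore file names, the `STORE_PASSWORD` variable, the port, the `/content` path and the client names are all assumptions.

```java
import com.sun.net.httpserver.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import javax.net.ssl.*;
import java.io.*;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Set;

public class MutualTlsServer {
    // Assumption: CNs of the client certificates issued to external applications.
    static final Set<String> ALLOWED_CLIENTS = Set.of("partner-app-1", "partner-app-2");

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Authorization in Java: parse the verified subject DN instead of substring matching.
    static boolean isAllowed(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN"))
                    return ALLOWED_CLIENTS.contains(String.valueOf(rdn.getValue()));
        } catch (InvalidNameException e) { /* malformed DN: deny */ }
        return false;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.getenv("STORE_PASSWORD").toCharArray();  // assumed env variable
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server.p12", pw), pw);        // server key and certificate (assumed file)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("client-ca.p12", pw));         // CA that signs client certificates (assumed file)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsServer server = HttpsServer.create(new InetSocketAddress(8443), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx) {
            @Override public void configure(HttpsParameters p) {
                SSLParameters sp = getSSLContext().getDefaultSSLParameters();
                sp.setNeedClientAuth(true);          // handshake fails without a client certificate
                p.setSSLParameters(sp);
            }
        });
        server.createContext("/content", ex -> {
            String dn = ((HttpsExchange) ex).getSSLSession().getPeerPrincipal().getName();
            boolean ok = isAllowed(dn);
            byte[] body = (ok ? "<content/>" : "forbidden").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 403, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
    }
}
```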