Security for Spring Restful Web Services

Question

I am writing a Spring Restful Web Services Project. I need to write secure Web Services. For Security I am already using Spring Security+SSL, however now i need some securit

Answer 1

You basically have two patterns for REST security:

1. Encrypt and sign requests/responses at the application level and run over HTTP. This involves a significant amount of work as you need to canonicalize all data before signing and ensure the client/server follows exactly the same process. This approach was adopted in early versions of the amazon web service protocols.

2. Use SSL (possibly with client certificates). This is the preferred approach as there is no need to reinvent the wheel. SSL accelerators are available and performance will be significantly better than handling encryption and signing in your code.

Amazon have now moved to using SSL and you should do the same. This article gives a good comparison of the two approaches.

REST vs SOAP

You referred to SOAP and WS-Security which defines a protocol for encryption and signing at message (rather than transport) level. The reason WS-Security defines such a protocol is to provide end-to-end confidentiality, integrity and authenticity over a brokered SOA architecture. For example you may send a SOAP message from Service A to Service B which goes via C D and E. SSL/TLS works at a transport level and would therefore only protect the message between A and B. However REST is not intended for a brokered architecture so this approach is not applicable in your case.