Comments on Tarlog on Java: How to use SAML with REST Web Services (12 comments)

Unknown (2009-11-18 23:07):
Why not put the SAML response in the HTTP header? Most people developing REST clients are already familiar with headers. We would have to agree on a key, but that has to be done anyways with URLs.

Tarlog (2009-11-19 21:43):
Hi Matt,

Thanks for your comment.

Of course it's possible to put SAML in a custom header. The only problem you mentioned yourself: there is a need to agree on a header name. While if you use URL binding, all parameter names are already defined for you. So it's "almost standard".

I think that in cases where the URL cannot become too long, it's better to use URL binding. In other cases there is a need to use a custom header.

kanchanna (2011-02-18 17:33):
Why not put the SAML response in the Authorization parameter of the HTTP header?

Tarlog (2011-02-18 20:38):
@karla
Actually it's the same as putting it in a custom header, since it's not a standard.

grzesiek (2012-11-23 14:57):
So I can use SAML with REST Web Services to authenticate myself in a REST WS, but how can I achieve confidentiality for the communication between the user (client) and the REST WS? With SOAP I could use WS-Security (XML Encryption and XML Signature) and WS-SecureConversation (to bind the session key from SAML with a SecurityContext) and later encrypt the communication between user and WS according to this context. Is there a way to do the same (or a similar) thing with a REST WS, or am I forced to do it "lower" and use SSL (HTTPS)? Basically, is there a different way to encrypt communication between the user and a REST WS than SSL?

Tarlog (2012-11-23 16:03):
@grzesiek
Except for using TLS (SSL), there is nothing standard I know about.
Of course you can encrypt the data yourself.
But I guess it makes sense only if you encrypt only small parts of the data; otherwise SSL should be a better choice.

grzesiek (2012-11-24 15:06):
Thanks for your answer. Could you explain why encryption on my own makes sense only for small parts of the data?
In my case the user client is HTTP+JS+jQuery and the REST WS is in C#. Any idea how I could organize encryption on my own? I know that if both sides of the communication were in Java (or C#) I could use handlers (or the C# handler equivalent) to encrypt the whole traffic from the client to the WS and to decrypt this traffic on the WS side, and analogously in the opposite direction. But how can I do it in JS?

Tarlog (2012-11-24 15:28):
Using a proprietary encryption mechanism can be effective only if you pass large chunks of data while only parts of them are encrypted (for example, think about an order that contains a lot of items, but only the credit card needs to be encrypted).
I can hardly believe that a proprietary encryption will be as effective as SSL if you encrypt the whole data.

Also, encryption from the JS won't be a very good idea. There are some libraries [1] that implement encryption in JS, but they are quite slow. Also, I'm not quite sure how you are going to keep the keys secured unless you use SSL. And, well, we are back to the SSL solution, so you don't need a proprietary solution.

[1] http://code.google.com/p/crypto-js/

Tarlog (2012-11-24 15:33):
Btw, did you ever think about why SOAP needs WS-Encryption, while REST usually relies on SSL?

The reason is that SOAP is transport independent. It isn't used only with HTTP, but also with JMS or even mail protocols (e.g. SMTP). So when using SOAP, you cannot rely on the transport for security.

But when using REST with HTTP, you can fully rely on HTTPS.

grzesiek (2012-11-26 10:18):
Thx a lot!!

Stefan Rasmusson (2014-12-23 01:38):
Why would you want to send the response in the WS call and not just the SAML Assertion, as in the case with SOAP WS-Security?