I am writing a Spring RESTful Web Services project. I need to write secure web services. For security I am already using Spring Security + SSL; however, now I need some security for encryption and message signing. I know how to encrypt the message from code, but I am looking for a mechanism to enable automatic encryption/decryption and message signing.
I have been searching for different alternatives for security, including Spring WSS and others, but most of them are for SOAP. Could someone suggest a better security mechanism and a link for the same?
There are multiple ways to secure your RESTful web services. Unfortunately, there are many links which provide information on securing SOAP web services, but as REST is gaining popularity, it is of utmost necessity to find a way to secure, and to manage sessions of, your RESTful web service.
So to secure my Spring MVC with RESTful support, you need to at least consider three aspects:
1) Authentication -- For authentication, Spring Security can be used.
2) Authorization -- For authorizing a request, OAuth can be used.
3) Securing the communication -- SSL can be used to secure the communication channel.
4) Encryption -- Again, OAuth can serve the purpose.
5) Message signing -- Again, OAuth can serve the purpose.
So, to secure a RESTful web service, Spring Security + OAuth can be used. The other security mechanisms which can be used are HTTP Basic security and Digest security.
Here is a very good example of securing a Spring RESTful web service with Spring Security:
http://java.dzone.com/articles/securing-restful-web-service
Also, to use Spring Security in conjunction with OAuth you can follow this tutorial:
Spring security with OAuth
You basically have two patterns for REST security:
1) Encrypt and sign requests/responses at the application level and run over HTTP. This involves a significant amount of work as you need to canonicalize all data before signing and ensure the client/server follows exactly the same process. This approach was adopted in early versions of the Amazon web service protocols.
2) Use SSL (possibly with client certificates). This is the preferred approach as there is no need to reinvent the wheel. SSL accelerators are available and performance will be significantly better than handling encryption and signing in your code.
Amazon have now moved to using SSL and you should do the same. This article gives a good comparison of the two approaches.
REST vs SOAP
You referred to SOAP and WS-Security, which defines a protocol for encryption and signing at the message (rather than transport) level. The reason WS-Security defines such a protocol is to provide end-to-end confidentiality, integrity and authenticity over a brokered SOA architecture. For example, you may send a SOAP message from Service A to Service B which goes via C, D and E. SSL/TLS works at the transport level and would therefore only protect the message between A and B. However, REST is not intended for a brokered architecture, so this approach is not applicable in your case.
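As an added illustration of the application-level pattern (option 1 above) and the canonicalization discipline it demands, here is a hypothetical `RequestSigner` in plain Java that is not from the question, the answers or Spring: it builds a canonical string for a request, signs it with HMAC-SHA256, and verifies it server-side with a timestamp window and a constant-time comparison. The class name, the canonical format and the shared secret are all constructed assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (Java 17+): client and server must build the identical canonical string or
// signatures never match. Keys/values are used raw here; a real scheme percent-encodes them first.
public final class RequestSigner {
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L; // replay window for the timestamp

    /** Canonical form: METHOD \n path \n sorted query \n timestamp \n hex(SHA-256(body)). */
    static String canonicalize(String method, String path, Map<String, String> query,
                               long timestampMs, byte[] body) throws Exception {
        StringBuilder q = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(query).entrySet()) { // sorted by key
            if (q.length() > 0) q.append('&');
            q.append(e.getKey()).append('=').append(e.getValue());
        }
        String bodyHash = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(body));
        return method.toUpperCase() + "\n" + path + "\n" + q + "\n" + timestampMs + "\n" + bodyHash;
    }

    /** Client side: HMAC-SHA256 over the canonical string with the shared secret. */
    static String sign(byte[] secret, String canonical) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return HexFormat.of().formatHex(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    /** Server side: reject stale timestamps, recompute the MAC, and compare in constant time. */
    static boolean verify(byte[] secret, String canonical, long timestampMs, long nowMs,
                          String presentedSig) throws Exception {
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) return false;
        return MessageDigest.isEqual(sign(secret, canonical).getBytes(StandardCharsets.UTF_8),
                                     presentedSig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-shared-secret".getBytes(StandardCharsets.UTF_8); // constructed
        long ts = System.currentTimeMillis();
        String canonical = canonicalize("get", "/api/orders", Map.of("limit", "10", "account", "42"), ts, new byte[0]);
        String sig = sign(secret, canonical);
        System.out.println("valid:    " + verify(secret, canonical, ts, ts + 1000, sig));
        // Same signature presented against a request whose query was altered in transit
        String tampered = canonicalize("GET", "/api/orders", Map.of("limit", "99", "account", "42"), ts, new byte[0]);
        System.out.println("tampered: " + verify(secret, tampered, ts, ts + 1000, sig));
    }
}
```

In a Spring application the `verify` step would sit in a servlet filter that reads the timestamp and signature from request headers and rebuilds the canonical string from the incoming request before the controller runs.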