D**T
Java-based Web Services Security
I read the entire book except for one appendix and I thought it did a good job of covering the theory of Web Services security and the details of Java-based implementations. I expect to reference this book in the future when I need to refresh my understanding of particular security standards. Here are the chapter and appendix titles:
1. SOA requires new approaches to security
2. Getting started with web services
3. Extending SOAP for security
4. Claiming and verifying identity with passwords
5. Secure authentication with Kerberos
6. Protecting confidentiality of messages using encryption
7. Using digital signatures
8. Implementing security as a service
9. Codifying security policies
10. Designing SOA security for a real-world enterprise
A. Limitations of Apache Axis
B. WS-SecureConversation
C. Attaching and securing binary data in SOAP
D. Securing SAML assertions
E. Application-Oriented Networking (AON)
I hope to see an updated second edition in the future that covers the following topics: JAX-WS / Metro code examples, SAML 2, JSR-196, and OpenSSO.
7**4
Well worn, dog eared, go to SOA Security Bible
This is by far the best SOA/SCA Security reference I have come across. It is both a treatise on Architecture and Solutions Architecture. It takes the reader, novice or experienced, on a structured journey thru the current and proposed standards landscape, outlines the intent of the standards, strengths and weaknesses, then proposes theoretical models that apply each with outlines and examples. If the book moves too slow for you, you can skip ahead to Part #3 and the Appendices, extracting what you need. The appendices and Part #3 also refer back to prior examples of implementation and code to assist the reader to better understand the topics, concepts and applications. In our matrix'd teams, this is the absolute GO TO document to "...call the ball..." on the how. It is also relevant when working thru vendor sales presentations to separate the wheat from the chaff. It is by far the best Technical Book Dollar I have spent this year.
J**R
Mostly Axis examples
This book is great for beginners to SOA security. The examples are mostly in Axis from Apache. My background is with a commercial middleware and it took some imagination to translate the examples. Also, commercial security appliances like the Alcatel-Lucent web services gateway were left out completely. After reading this book, I might think that calling a service for security would suffice. The common thinking today is to abstract the security into a central location run by security experts. Most SOA developers don't have the time or the depth of knowledge about certificates, user-centric policies, or even XML threat management to re-invent common security patterns. Still the examples are solid and the concepts are important to know.
M**S
Great read!
This is an extremely well written book. The topic is very technical but the book is easy to read and follow and does a great job of explaining the nuts and bolts of SOA Security. I also think the author did a great job of using relevant examples.
D**S
Review by Gildas Cuisinier
SOA and security, two terms very present and important in the enterprise development. Due to this and its title, this book sounds very promising. However, the authors reduce immediately the scope of the book in the introduction. Indeed, the book is not to explain the SOA architecture and concepts, neither all the security notions. The book is about the intersection of the two subjects and so a minimal knowledge of these is necessary. The book is aimed at an initiated public, but not an expert one. However, the book is well put together and interesting. It is composed of three parts. The first is a reminder of the basics of SOA and WebService security: SOAP Header SOAP, WS-Security. The second part presents the concepts of security: authentication, authorization, encryption, ... This section is particularly interesting. It introduces various practices (user / password, Kerberos, PKI), while describing their advantages and disadvantages. The last part is a little more complex and deals with real security-oriented service. Again, the different implementations of a security service are shown together with the technologies used for this purpose (SAML, WS-Trust, ...). At the end of the reading, we have learnt lots of information, however there is still a feeling of weakness on the subject. But once again, it's voluntary. Given the complexity of the issues, only the fundamentals are presented, but many links are provided for those who wish to deepen a specific topic. In terms of examples, an implementation based on Axis is provided at the end of the chapter. This is probably the only regret I have: Axis is a little old. However, the examples are explicit enough to be easily adapted with any other framework. This book is more than interesting, even if the title "Introduction to SOA Security" would have been more representative.
P**Y
Good introduction - Lacks details and practical guidance
I bought this book with a lot of expectations but this book FALLS SHORT on providing design and implementation guidance. I liked the introductory coverages and to me it is more like reading Web services security around SOAP and WSDL standards. All I found is about using few Apache Axis samples. It is disappointing to note that this book fully ignored to use standards and technologies such as PKI, SAML and XACML (and its interoperability Profiles), WS-Federation, WS-Trust and related WS-* standards and its role in SOA based solution architecture. The authors completely forgot to discuss the core SOA security complexities involved with composing Secure SOA services, securing BPM Workflows, Web services based collaborations, single sign-on and entitlement issues with BPM portals and federated services. I do agree the introductory part of the book (Chapter 1-2) is a good read; beyond that I noticed the book suffers with poorly edited content and it contains highly repetitive content.
F**L
Excellent book on security
Excellent book, even if it is a bit dated as regards the open-source tools illustrating the examples; very pedagogical. Security principles and WS Security standards explained in detail.