Updates
Latest Tweet
What's New?
Check out for latest innovation, a computer based training video collection
Like this Page
Mastering Web Services Security Review by anonymous
An EASI read, with some gaps
This was the first Web services security book which I've read. Overall my impression on this book is pretty positive. Here are my thoughts on this book:
- The writing and examples are clear. The glossary is a nice touch. The book avoids spending much time on a "101 of Web services" section, and that's probably a good thing, since plenty of books cover that already. Plus, anyone who buys this book will know the basics of Web services already.
- Much of the book focuses on applying the Quadrasis "EASI" security framework to Web services, unsurprisingly I guess since the four authors all work for Quadrasis. Some of the code examples require an instance of the EASI framework to work, which is limiting to people who are not using Quadrasis software (I don't think there is anyone else with product which implements the EASI framework). For examples of authentication and authorization in Java, i'd prefer to have seen JAAS used. I think the book would have been more accurately named "Mastering Web Services Security using the EASI Framework".
- Any book on Web services security right now is going to be a picture of a moment in time, because of the evolving standards in this area, e.g. information about timestamps and nonces in WS-Security isn't included, so probably the book was written before the WS-Security Addendum was released. Ditto WS-SecureConversation, WS-Policy, and WS-Trust - most likely published after this book was written. I'd like to have seen this information, plus concrete information about SAML assertions in SOAP messages, in the book.
- XKMS is missing from the book. This was a big surprise, since like most people, I'd see XKMS as a fundamental Web services security technology. Also, XACML only gets a half a page.
- The sections on the IIS web server are very strong.
- Netegrity SiteMinder is covered, but Netegrity TransactionMinder is not. This was a surprise.
So overall, this book is strong on the EASI framework, and is well written. If you think you're likely to use EASI for your Web services security, I'd definitely recommend it.