Subject: MUWS: Capabilities Security advice, Respond if you object.
The exposure of this information allows clients to understand the information used to uniquely identify the resource. This may allow a nefarious client to spoof the presence of the resource. This is particularly true if it is obvious how to generate or construct the resource ID from these properties. These properties should be used and exposed with this risk in mind. Protect correlatable properties as much as resourceID.
2. Relationships
There is an assumption that the resources are well behaved and creating relationships in good faith. Relationships may also be out of date. Before relationships are relied upon, they should be validated either manually or automatically. It should also be considered if the resource being related should be visible for security reasons.
We should also add this to the assumptions section:
· The reader is familiar with WS-Security, WS-SecurityRoadmap
Heather Kreger
STSM, Web Services Lead Architect for SWG Emerging Technologies
Author of "Java and JMX: Building Manageable Systems"
kreger@us.ibm.com
919-543-3211 (t/l 441) cell:919-496-9572