Brian,
If manager #1 has given you some examples to back his "insecurity" claim up, please share them with the group. You'll probably get better advice if there are some specific issues to discuss. What is the concern here - is it the transport over the network, marshaling/unmarshaling, persistence or something else?
If there is nothing to justify his paranoia of insecurity, no pearl of wisdom can help him.

Regards,
Abhijit

On Mon, Jul 25, 2011 at 3:53 PM, Bill Burke <bburke@redhat.com> wrote:
The majority of web services are interactions from 1 client and server.
 In this scenario a RESTful service using HTTPS is just fine.  Many
SOAP based apps leverage HTTPS as well to encrypt traffic and even for
authentication if they are using SSL Client Certificate authentication.

Really, if your apps are interactions between 1 client and 1 server
(most apps), you can pretty much leverage any servlet-based security
mechanisms.  Complex authentication mechanisms like SAML have HTTP
bindings that are being used with RESTful apps.

Where you might run into issues is if you have a complex distributed
application where you are trying to coordinate multiple services.  IMO,
this is more of a management and deployment issue than a protocol
problem.  I don't think they're optimal protocols, but OAuth and OpenID
work too..  Formats like S/MIME can be used to sign/encrypt message
bodies.  XML signature/encryption can still be used as well.

IMO, it's pretty easy to fight against your manager:  Tell him it will
cost $X dollars and extend your deadline by Y time.  Show him that your
RESTful services will be using the same exact technologies to secure
themselves as your SOAP-based ones (I'm assuming he wants you to move to
SOAP).

And, let us know how it goes.

On 7/25/11 3:26 PM, Brian Mauter wrote:
> Hi.  I apologize in advance for this question, but I'm hoping you all can give me some insight.
>
> I believe I've got an upper level manager who is spreading FUD, which most likely originated from some salesman from a contracting firm.  The statement is simply that "REST is insecure".  This is hard for me to comprehend since it doesn't seem that REST is any more secure or insecure than any other web technology.  After all, isn't REST really just a set of ideas and guidelines?  Isn't the daily use of the Internet very similar to the principles of REST?  If there really are security concerns, wouldn't they be with a particular implementation?  What part is insecure--the data traveling over the wire or the marshaling of data from XML/JSON to Java types?  If REST is insecure why are there very large companies embracing it like JBoss, RedHat, Microsoft, IBM, Yahoo, Google, Oracle, et al?
>
> At work, we have already built a very snazzy REST-based web service using RESTEasy.  We have also built iOS and Android apps that talk to it.  It works great.  The performance is very reasonable and I feel confident in HTTPS that my service is secure.  All of the JDBC calls on the backside use prepared statements so I feel like we're reasonably secure from an application standpoint as well.  I have a servlet Filter in front of RESTEasy that handles authentication.  We add the mobile's unique device IDs as an HTTP header to every single request and my Filter checks that that device ID is found in our table.
>
> I have been tasked (by another manager) to do some homework and find out what manager #1 could possibly be talking about.  I've tried Googling for answers, but I'm not seeing anything.
>
> I really want to continue programming our REST service and the mobile apps.  I'm afraid that no matter what I find though, since this wasn't manager #1's idea, its days are numbered.
>
> Thanks in advance,
> -Brian
> ------------------------------------------------------------------------------
> Storage Efficiency Calculator
> This modeling tool is based on patent-pending intellectual property that
> has been used successfully in hundreds of IBM storage optimization engage-
> ments, worldwide.  Store less, Store more with what you own, Move data to
> the right place. Try It Now! http://www.accelacomm.com/jaw/sfnl/114/51427378/
> _______________________________________________
> Resteasy-developers mailing list
> Resteasy-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/resteasy-developers

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

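Editor's added example (not code from the thread, from RESTEasy, or from Brian's service): a servlet Filter of the kind Bill refers to as a "servlet-based security mechanism", placed in front of the RESTEasy dispatcher. It refuses to authenticate anything that did not arrive over HTTPS (the device header is a bearer credential, so it must never cross the wire in the clear), accepts a container-verified SSL client certificate when one is present (the `javax.servlet.request.X509Certificate` request attribute is standard servlet API), and otherwise checks a device ID header against a device table. Everything else is an assumption made for the example: the header names `X-Device-Id` and `X-Device-Secret`, the in-memory map standing in for the JDBC device table, the sample device entry, and the per-device secret itself. That secret is a check not described in Brian's setup; it is included because a device identifier alone is something any app or proxy on the path can read and replay, whereas a per-device secret compared in constant time is a credential.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Authenticates REST calls before they reach RESTEasy. Header names are assumptions. */
public class DeviceAuthFilter implements Filter {

    static final String DEVICE_ID_HEADER = "X-Device-Id";
    static final String DEVICE_SECRET_HEADER = "X-Device-Secret";
    // Standard servlet attribute the container sets after verifying a client certificate.
    static final String CLIENT_CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Reject malformed IDs before they ever reach a lookup.
    private static final Pattern DEVICE_ID_FORMAT = Pattern.compile("[A-Za-z0-9-]{8,64}");

    // Stand-in for the device table: device ID -> SHA-256 of its secret (constructed sample data).
    private final Map<String, byte[]> devices = new ConcurrentHashMap<String, byte[]>();

    public void init(FilterConfig config) throws ServletException {
        devices.put("ios-0001-demo", sha256("constructed-secret-for-demo-only"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Credentials only travel over TLS; anything else is refused outright.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // 2. Mutual TLS: if the container already verified a client certificate, use it.
        X509Certificate[] chainCerts = (X509Certificate[]) request.getAttribute(CLIENT_CERT_ATTR);
        if (chainCerts != null && chainCerts.length > 0) {
            request.setAttribute("authenticatedDevice",
                    chainCerts[0].getSubjectX500Principal().getName());
            chain.doFilter(req, res);
            return;
        }

        // 3. Device ID plus per-device secret, both required and well-formed.
        String deviceId = request.getHeader(DEVICE_ID_HEADER);
        String secret = request.getHeader(DEVICE_SECRET_HEADER);
        if (deviceId == null || secret == null || !DEVICE_ID_FORMAT.matcher(deviceId).matches()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 4. Look the device up (a prepared statement against the device table in real code)
        //    and compare the secret in constant time so timing does not leak which IDs exist.
        byte[] expected = devices.get(deviceId);
        byte[] presented = sha256(secret);
        if (expected == null || !MessageDigest.isEqual(expected, presented)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        request.setAttribute("authenticatedDevice", deviceId);
        chain.doFilter(req, res);
    }

    public void destroy() {
        devices.clear();
    }

    static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e); // mandatory in every JRE
        }
    }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` matches the RESTEasy servlet's path, so it runs before every resource method. Nothing in it is specific to REST: the same filter would sit in front of a SOAP servlet unchanged, which is the point Bill is making about the two styles sharing their security machinery.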