Friday, March 31, 2006

Introduction to Web Services Security

Although the basic web services standards (SOAP, WSDL) are useful in a lot of different scenarios, they lack some features that most real-world applications require, e.g. standard ways of handling security and authentication. These features are being developed in various standardization initiatives, and some have only recently become standards. One of them is WS-Security, which is an OASIS standard.

Previously, authenticating the callers of a web service was something you had to implement yourself in your application.

Furthermore, if your web service exchanged confidential data over the wire, you had to apply transport-based security to guarantee the confidentiality of the communication.

Earlier SOAP implementations mainly used HTTP as the transport protocol, so the assumption was that security could also be based on HTTP, and that web services could thus be secured with SSL/TLS and HTTP Basic Authentication.

Consequently SOAP itself does not contain any security elements, but leaves this to a combination of transport security and custom authentication implementations.

Nowadays SOAP implementations increasingly use transports other than HTTP (for example JMS or SMTP), so applying security to the exchanged messages themselves, independent of the transport, has become very important.

Also, SOAs are designed as a number of interconnected nodes / applications that sometimes communicate through other systems (intermediaries). A point-to-point mechanism such as SSL/TLS terminates at each hop, so every intermediary sees the plaintext message and could alter it undetected. This makes transport security alone inadequate, and it is why WS-Security protects the message itself rather than the connection.
