Many firewall configurations have filtered IP ports that block client applications from invoking applications and EJBs using RMI and RPC. Web Services applications, on one hand, address firewall filtering features by utilizing the default IP port 80 or port 8080 and decoupling the data transport from the physical transport layer. On the other hand, they also open up new areas of security integration requirements, including key management, digital signature generation, authentication between trading partners , and application host (Solaris or Windows) security hardening. Architects and developers may overlook some of these security areas because they usually focus on the SOAP message security alone.
WS-Security is a new security specification proposed to W3C from IBM, Microsoft, and VeriSign. The design objective is to provide a consolidated security framework to accommodate different security tokens (such as X.509v3 and Kerberos ticket), trust domains, multiple digital signature formats, and encryption technologies. It is intended to supersede the previous SOAP-SEC, WS-Security, WS-license, and various security token and encryption mechanisms.
Network identity management with Single Sign-on is the key attraction for B2B integration and cross-enterprise integration. Project Liberty is collaborating different XML security initiatives such as SAML to provide industry-wide specifications for Single Sign-on, federated data exchange, B2B transaction support, and a reliable Web Services security framework.
Today's Web Services security is primarily dealing with SOAP security and digital signature for XML messages. There are also work-in-progress Web Services security initiatives that cover key management (XKMS), security tokens and encryption (WS-Security), Single Sign-on (SAML), and network identity (Project Liberty). However, they are designed to address a specific problem space, not the entire end-to-end security framework for implementing Web Services technology.
