7.3 Some Myths and Common Beliefs

Developers and architects who have been tracking Web Services security may have encountered, in various magazines and news reports, the myth that its security capability is weak. There is a common belief that SOAP calls pass information in XML clear text across firewalls and servers, exposing it to hacker attacks and exploits, and that the protection currently afforded by HTTPS is insufficient. If we consider SOAP to be the only Web Services technology, the myth becomes a self-fulfilling prophecy. Nevertheless, there is more to Web Services security than SOAP alone.

The following are examples of myths about Web Services security that are not true.

SOAP Security Is the Web Services Security. Early Web Services books and articles discussed Web Services security largely in terms of SOAP security, which may have given rise to this myth. Newer specifications such as SOAP-SEC (SOAP security), XML-ENC (XML Encryption), and XML-DSIG (XML Signature) each address one piece of the problem, but none of them is designed to cover all aspects of Web Services security. It is therefore unfair to assume that SOAP security alone covers the whole realm of Web Services security.

Demythicization: Web Services security does not rely on SOAP messaging security alone. It should cover applications and services end to end, from the network layer to the application layer; SOAP message security is only one part of that end-to-end picture.

HTTPS Is the Secure Network Transport for Web Services. The usual transports for SOAP messages are HTTP and HTTPS. Because HTTP/S is stateless, synchronous SOAP messages over it do not get guaranteed delivery. Asynchronous SOAP messages, however, can use SMTP or the Java Message Service (JMS), where delivery and acknowledgement can be assured. Each underlying transport has different security implications. HTTPS assures that the connection between the client and the server is reasonably secure with 128-bit SSL; JMS typically relies on data encryption and digital signatures for its protection; SMTP without a digital signature is generally weaker than either HTTPS or JMS.

Demythicization: HTTPS secures data in transit between one client and one server, that is, over a single hop. A SOAP message that is decrypted at a proxy, gateway, or other intermediary sits there in clear text, and HTTPS says nothing about who created the message or whether it was altered before the final hop. To ensure end-to-end security, the other components of Web Services security, message-level signing and encryption among them, must be used in addition to the transport.

Passing XML Data in Clear Text Is Insecure. It is insecure to transmit financial transactions or private customer data as XML clear text without encryption, even within the intranet and behind the demilitarized zone (DMZ): it is easy to sniff a LAN segment for clear-text SOAP messages. As good practice, however, the sensitive data in SOAP messages is encrypted and signed with a digital signature, which also supports non-repudiation. SOAP messages can therefore be secure when signed and encrypted, provided the key management is not compromised and neither the client nor the host has been exploited.

Demythicization: Passing XML data in clear text is insecure only when it is done without encryption. The remedy is to encrypt, and sign, the sensitive parts of the message, not to avoid XML or SOAP.

Dependency on PKI Implementation. SOAP messages do not necessarily depend on a PKI implementation. Information that is already public, or that is not sensitive, can be sent as clear XML text if there is no requirement to encrypt or otherwise protect the data contents.

Demythicization: The XML Key Management Specification (XKMS) is an initiative to provide public/private key management services for secure business transactions without having to invest in an expensive Public Key Infrastructure implementation (such as deploying a Certificate Management Server and setting up the processes to act as an internal Certificate Authority). Refer to the section on XKMS later in this chapter for details.

Using Digital Signatures Alone for Web Services Applications Is Secure. SOAP messages can be signed using security tokens such as X.509v3 digital certificates or Kerberos tickets. However, Web Services security requires end-to-end protection covering the client, the host, the network transport, the messages, and the applications. Key management and network identity management are two further areas that a signature by itself does not address.

Demythicization: Web Services security is end to end. A digital signature addresses message integrity, origin authentication, and non-repudiation; the other security requirements (confidentiality, key management, identity management, and protection of the endpoints themselves) have to be considered separately.
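The two points made above, that HTTPS protects only the hop it terminates and that a signature over the SOAP Body protects the message end to end through intermediaries, can be shown concretely with the JDK's built-in XML-DSIG API (javax.xml.crypto.dsig, JDK 8 or later). The program below is an added example and is not code from the book or from any product it describes. It assumes a constructed SOAP 1.1 bank-transfer message (the urn:example:bank payload and class name are invented for illustration), an RSA key pair generated in-process, the wsse and wsu namespaces of WS-Security 1.0 for the header, and that the receiver already holds the sender's public key out of band, so no KeyInfo is embedded (in a deployment the key would arrive as an X.509v3 certificate carried in a security token). The sender signs the Body; a simulated TLS-terminating intermediary then edits the amount in the clear-text message it can see, and the receiver's validation detects the change.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SoapBodySignatureDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample message (not from the book): a payment order carried in a SOAP 1.1 Body.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\" xmlns:wsu=\"" + WSU_NS + "\">"
      + "<soap:Header/>"
      + "<soap:Body wsu:Id=\"Body\">"
      + "<Transfer xmlns=\"urn:example:bank\"><To>ACCT-42</To><Amount>100.00</Amount></Transfer>"
      + "</soap:Body></soap:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // XML-DSIG requires a namespace-aware DOM
        // Refuse DOCTYPE declarations so a malicious message cannot use entity expansion (XXE, billion laughs)
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element findBody(Document doc) {
        Element body = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
        body.setIdAttributeNS(WSU_NS, "Id", true);   // make wsu:Id resolvable as an ID so URI="#Body" dereferences
        return body;
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Sender: sign the Body and place the ds:Signature inside a wsse:Security header. */
    static String sign(String xml, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        Element body = findBody(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Reference the Body by ID. Exclusive C14N keeps the digest stable when an intermediary
        // adds namespace declarations or headers to the envelope without touching the Body.
        Reference ref = fac.newReference("#Body",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        Element security = doc.createElementNS(WSSE_NS, "wsse:Security");
        header.appendChild(security);
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), security);
        dsc.setDefaultNamespacePrefix("ds");
        dsc.setIdAttributeNS(body, WSU_NS, "Id");
        // KeyInfo is omitted (assumption): the receiver obtains the public key out of band,
        // in practice as an X.509v3 certificate carried in a security token.
        fac.newXMLSignature(si, null).sign(dsc);
        return serialize(doc);
    }

    /** Receiver: validate the signature over the Body with the sender's public key. */
    static boolean verify(String xml, Key senderPublicKey) throws Exception {
        Document doc = parse(xml);
        Element body = findBody(doc);
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sigEl == null) return false;             // unsigned message: reject rather than fall through
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext vc = new DOMValidateContext(senderPublicKey, sigEl);
        vc.setIdAttributeNS(body, WSU_NS, "Id");
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        return sig.validate(vc);                     // false when the Body digest or the signature value no longer match
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String signed = sign(ENVELOPE, kp);
        System.out.println("untouched message verifies: " + verify(signed, kp.getPublic()));
        // A TLS-terminating intermediary (proxy, gateway, ESB) sees the clear text and can edit it;
        // HTTPS on each hop does not notice, the message-level signature does.
        String tampered = signed.replace("<Amount>100.00</Amount>", "<Amount>100000.00</Amount>");
        System.out.println("tampered message verifies:  " + verify(tampered, kp.getPublic()));
    }
}
```

Compile and run with javac SoapBodySignatureDemo.java followed by java SoapBodySignatureDemo. Two caveats a practitioner should keep in mind: only the element referenced by the signature (here the Body) is protected, so headers that an intermediary adds or strips are not covered unless they are referenced too; and a signature gives integrity and origin, not confidentiality, so the amount and account number are still readable at every hop until XML-ENC is applied to them as well.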



J2EE Platform Web Services
ISBN: 0131014021
Year: 2002
Authors: Ray Lai