Chapter Ten. Web Services Security


Currently, Web services are a buzzword, and they are in the process of revolutionizing the software world. But security issues prevent the widespread adoption of Web services. According to a Forrester Research study, security concerns are the main barrier in the enterprise Web services world. Certainly, Web services face critical security challenges, since they expose sensitive, vital information to the outside world through the Internet. In real-time applications, success depends on secure, reliable communication with business partners. Hence, Microsoft and other software giants give top priority to the security and reliability of Web services. In the heterogeneous environment of Web services that provide security across multitier/multidomain applications, the security issues to be considered are secure communication, authentication, authorization, data protection, privacy (integrity and confidentiality), and nonrepudiation.

In real-time business applications, Web services can establish complex levels of access, and access has to be restricted to authorized clients. For authentication purposes (verification of identity), the user or client has to submit some form of credentials, such as a username and password. Another area you have to pay attention to is secure communication between the client and the service. To implement secure communication, you can make use of either transport-level security, such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec), or message-level security, such as the WS-Security specification, depending on the requirements. Transport-level (point-to-point) security is best suited to a tightly coupled Microsoft Windows operating system environment such as a corporate intranet, whereas message-level (end-to-end) security is best suited to a heterogeneous Web services environment. You can also employ custom security mechanisms such as SOAP headers. Web services security can be applied at three levels, according to the requirements:

  • Transport-level (point-to-point) security, such as SSL/IPSec, ASP.NET authentication and authorization, and IIS authentication.

  • Application-level (custom) security, such as SSL/custom SOAP headers.

  • Message-level (end-to-end) security, such as the Global XML Architecture (GXA) initiative (WS-Security specification).

In this chapter we first look into basic security techniques such as firewalls, SSL, virtual private networks (VPNs), and IIS authentication. Then, we learn how to authenticate Web services using SOAP headers and the XML security technologies, such as XML Signature, XML Encryption, XKMS (XML Key Management Specification), and Security Assertion Markup Language (SAML). Finally, we talk about the GXA specifications and WS-Security and how to implement them by employing Web Services Enhancements (WSE).

.NET Security and Cryptography
ISBN: 013100851X
Year: 2003
Pages: 126