Web services are currently a buzzword, and they are in the process of revolutionizing the software world. Security concerns, however, are holding back widespread adoption: according to a Forrester Research study, security is the main barrier to enterprise use of Web services. The concern is well founded, because a Web service exposes sensitive, business-critical data to the outside world over the Internet, and in real-world applications success depends on secure, reliable communication with business partners. Microsoft and other software vendors therefore give top priority to the security and reliability of Web services.

In the heterogeneous environment of Web services, where security must span multitier and multidomain applications, the issues to consider are secure communication, authentication, authorization, data protection (integrity and confidentiality), privacy, and nonrepudiation. Business applications can establish complex levels of access, and each level has to be restricted to authorized clients. For authentication (verification of identity), the user or client has to present some form of credentials, such as a username and password; for authorization, the service then decides what that authenticated identity may do.

Another area that needs attention is secure communication between the client and the service. Depending on the requirements, you can use transport-level security, such as Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec), or message-level security, such as the WS-Security specification. Transport-level (point-to-point) security protects only the connection between two hops, so it is best suited to a tightly coupled environment such as a corporate intranet running Microsoft Windows; message-level (end-to-end) security protects the message itself, survives intermediaries, and is best suited to a heterogeneous Web services environment. You can also employ custom security mechanisms such as SOAP headers that carry credentials with each message.
Web services security can be applied in three levels, according to the requirements:
In this chapter we first look into the basic security techniques such as firewalls, SSL, virtual private networks (VPNs), and IIS authentication. Then we learn how to authenticate Web services using SOAP headers, and we cover the XML security technologies: XML Signature, XML Encryption, XKMS (XML Key Management Specification), and Security Assertion Markup Language (SAML). Finally, we discuss the GXA specifications and WS-Security and how to implement them with Web Services Enhancements (WSE).
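The custom SOAP-header authentication mentioned above, as an added example that is not code from the book or from WSE. Both sides are shown: the client puts a username, a random nonce, a timestamp and a password digest into a header element, and the service recomputes the digest from its own copy of the password, compares it in constant time, rejects stale timestamps and refuses a nonce it has already accepted. The digest construction follows the shape of the WS-Security UsernameToken PasswordDigest, but the `urn:example:auth` namespace, the `AuthHeader` element, the credential store and the sample request body are all made up for the example.

```python
"""Custom SOAP-header authentication (illustrative example, not the book's code)."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"   # assumed namespace for the custom header, not a real spec
SVC_NS = "urn:example:svc"     # assumed namespace of the sample service
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _digest(nonce: bytes, created: str, password: str) -> str:
    # Base64(SHA-256(nonce + created + password)): the password never travels in clear.
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def build_request(user, password, body_xml, now=None):
    """Client side: wrap body_xml in a SOAP 1.1 Envelope carrying an AuthHeader."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    auth = ET.SubElement(ET.SubElement(env, _q(SOAP_NS, "Header")), _q(AUTH_NS, "AuthHeader"))
    ET.SubElement(auth, _q(AUTH_NS, "Username")).text = user
    ET.SubElement(auth, _q(AUTH_NS, "Nonce")).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(auth, _q(AUTH_NS, "Created")).text = created
    ET.SubElement(auth, _q(AUTH_NS, "PasswordDigest")).text = _digest(nonce, created, password)
    ET.SubElement(env, _q(SOAP_NS, "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class HeaderAuthenticator:
    """Service side: validates the AuthHeader of an incoming envelope."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self._users = dict(users)          # constructed credential store: user -> password
        self._max_skew = max_skew
        self._seen = set()                 # accepted (user, nonce) pairs; bound this in real use

    def authenticate(self, envelope_xml, now=None):
        """Return (True, username) on success or (False, reason) on failure."""
        now = now or datetime.now(timezone.utc)
        try:
            env = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return False, "malformed envelope"
        auth = env.find("%s/%s" % (_q(SOAP_NS, "Header"), _q(AUTH_NS, "AuthHeader")))
        if auth is None:
            return False, "missing AuthHeader"
        f = {t: auth.findtext(_q(AUTH_NS, t)) for t in ("Username", "Nonce", "Created", "PasswordDigest")}
        if any(v is None for v in f.values()):
            return False, "incomplete AuthHeader"
        try:
            nonce = base64.b64decode(f["Nonce"], validate=True)
            created = datetime.strptime(f["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed AuthHeader"
        if abs(now - created) > self._max_skew:
            return False, "stale Created timestamp"
        # Unknown users are checked against a dummy password so timing does not reveal valid names.
        password = self._users.get(f["Username"], "\x00no-such-user")
        expected = _digest(nonce, f["Created"], password)
        if not hmac.compare_digest(expected.encode(), f["PasswordDigest"].encode()):
            return False, "bad digest"
        if (f["Username"], nonce) in self._seen:
            return False, "replayed nonce"
        self._seen.add((f["Username"], nonce))
        return True, f["Username"]


def tamper_body(envelope_xml, new_operation):
    """Rename the Body's operation element; the header digest does not cover the Body."""
    env = ET.fromstring(envelope_xml)
    env.find(_q(SOAP_NS, "Body"))[0].tag = _q(SVC_NS, new_operation)
    return ET.tostring(env, encoding="unicode")


def demo():
    """Exercise the success path and the failure modes; returns {label: result}."""
    users = {"alice": "correct horse battery staple"}      # constructed sample store
    body = "<Ping xmlns='%s'/>" % SVC_NS                     # constructed sample request
    svc = HeaderAuthenticator(users)
    good = build_request("alice", users["alice"], body)
    old = build_request("alice", users["alice"], body, now=datetime.now(timezone.utc) - timedelta(hours=1))
    return {
        "fresh": svc.authenticate(good),
        "replay": svc.authenticate(good),
        "wrong password": svc.authenticate(build_request("alice", "guess", body)),
        "unknown user": svc.authenticate(build_request("mallory", "guess", body)),
        "stale": svc.authenticate(old),
        "no header": svc.authenticate("<e xmlns='%s'><Body/></e>" % SOAP_NS),
        "tampered body": svc.authenticate(tamper_body(build_request("alice", users["alice"], body), "Withdraw")),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-14s %s" % (label, result))
```

Note the last case: the tampered request is still accepted, because a credential header only proves who sent the message, not that the Body is the one they sent. That is the gap XML Signature closes, and it is also why such a header should travel over SSL unless the digest scheme is replaced by proper message-level security.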