Section 12.2. Roles of Security in Web Services

Security is a complex issue. Many aspects of security pertain to enterprise information systems and their interactions with public and private networks. Although this section and the next will show how to use the WS-Security family of specifications to secure some aspects of a Web services interaction, many other security concerns will not be covered. For the most part, the WS-Security family of specifications addresses these additional concerns. In either case, it is important to understand the role WS-Security plays in the overall Web services context.

Several things can play a role in the security of a Web service. One must define security policy, security architecture, and standards. WS-Policy provides a framework to define policies that set the constraints and capabilities of a Web service. Many of the policies are beyond the scope of this book, however. Enterprises have operational and compliance policies about the following:

  • Securing notebook computers that might contain passwords or confidential information.

  • What can and cannot be disclosed to phone callers.

  • In many cases, application business logic needs to be secure. This might necessitate code reviews and extensive testing.

  • The network infrastructure must be configured properly, including routers, DNS servers, firewalls, and network monitoring and management systems.

  • The hardware, operating system, and middleware used for running this Web service must have the latest security patches and must be free of viruses.

  • Operators of the system must have adequate training in security.

  • The systems and the procedures to operate them must be audited periodically.

  • Trust relationships must be established with business partners, which might necessitate the definition of legal contracts and responsibilities.

  • Requests to a Web service must be authenticated and authorized properly.

  • Messages to and from a Web service must be protected from unauthorized access and modification.

All these policies are required to properly secure Web service interactions. The WS-Security specifications described in this chapter cover only the last three items in the list; they are not a complete security solution, and security is never absolute. One must employ other appropriate means to cover the remaining aspects of security.



    Web Services Platform Architecture(c) SOAP, WSDL, WS-Policy, WS-Addressing, WS-BP[.  .. ] More
    Year: 2005
    Pages: 176