Summary


This chapter established a base of knowledge we call the gestalt of Web services: an understanding of how the Web services standards and technologies form a configuration or pattern of elements that is so unified as a whole that it cannot be described merely as a sum of its parts. Those "parts" are the standards normally used to "define" Web services. Importantly, this chapter also sought to motivate and explain the need for security and how we will approach solving that need.

This chapter began with a discussion of the genesis of Web services. That genesis sprang from business problems such as a need for application integration because business processes cross application and organization boundaries. The desire for portals has been driven by the business problem of presenting a wide variety of to-be-integrated information sources to the widest possible audience. The genesis for Web services also has come from the natural evolution of distributed computing over several decades of work. That work showed the need for cross-platform neutral standards, and the dramatic explosion of the Web put a fine point on how critical broadly accepted standards are for new computing paradigms to really take hold. Learning from those previous evolutionary steps led to establishing simple but strong Web services standards that, for the first time ever, were not only supported by competing vendors, but also were actually driven by them working in collaboration.

Next, we delved into the security challenges inherent in any middleware but exacerbated by both the linkage to Web technologies and by the goal of cross-organizational use of Web services. One big area of security concern revolves around portable identities that attach to and ride along with messages and requests for service. Another is the fundamental nature of message-based systems that require security be applied at the message level and not at the network perimeter level. If we are closer to the longstanding but elusive goal of SOA, it will mean new and even more demanding security challenges such as ways to deal with shared services accessed by different organizations with different trust models and access rights.

The next few sections were dedicated to brief descriptions of the basic standards that are used by Web services, with a particular emphasis on the ways in which each of these standards affects or is affected by security issues. First up was XML and its origins. How does XML interact with Web services? XML topics particularly relevant to XML security were addressed: for example, XML namespaces that keep simple names used in one conceptual area from interacting with those from another; XML Schemas that define how to understand an XML document; and XML Transformations that change an XML document, sometimes a required step before security can be applied to it.

Second, we covered SOAP and its origins. The structure of SOAP is important especially when you are thinking about ways to secure SOAP messages, so we described in detail what goes into the SOAP envelope, header, and body. How SOAP is processed is important because this is where security information resident in the header affects the message and application it is destined for. Attachments, while not part of the current SOAP standard, are used extensively, especially where confidentiality of that data is important.

Third, we covered WSDL and its origins. We described all the elements of a WSDL description. WSDL and SOAP are tightly intertwined. WSDL is not secure and does not have a lot to do directly with Web services security, but some of the WS-Security standards augment WSDL with security, reliability, control, and policy extensions.

We covered a few of the other Web services technologies at the end of this chapter. UDDI is one that has enormous security implications. ebXML and RosettaNet are initiatives that pre-date Web services and effectively are competing alternatives. They are not the focus of this book, so this discussion is short.

We closed this chapter with definitions of the Web services security-related specifications that we will be covering in detail later in the book.

Resources

Web Services: A Manager's Guide by Anne Thomas Manes (Addison-Wesley, 2003).

Web Services: A Technical Introduction by H. M. Deitel, P. J. Deitel, B. DuWaldt, and L. K. Trees (Prentice-Hall, 2003).




Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
ISBN: 0672326515
EAN: 2147483647
Year: 2004
Pages: 119
