Download CD Content
Web Services are easy to implement and use cross platform, but perhaps their biggest weakness is the lack of security built into the SOAP and other Web Services standard. The fact that Web Services utilize port 80 and HTTP means that they use a port probably configured on your firewall policy that isn’t protected from the outside world. Additionally, the very nature of the Internet—with proxy servers and the overall openness of information makes your Web Services vulnerable. Remember that anyone with a proxy server or a node can view your request or response with relative ease. Consider the SOAP for one of the SimpleStockQuote examples shown earlier in this book.
Content-Type: text/xml; charset=utf-8 Content-Length: 461 SOAPAction: "" <?xml version='1.0' encoding='UTF-8'?> <SOAP-ENV:Envelope xmlns:SOAP- ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body> <ns1:getTestQuote xmlns:ns1="urn:simple-stock-quote"SOAENV: encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <symbol xsi:type="xsd:string">C</symbol> </ns1:getTestQuote> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
Not only is the information in text format rather than a binary format but also the content of the document is surrounded by self-describing XML. Thus, the information is easy to view; you took the time to make it easier for the eavesdropper to understand the type and the content of the information you are transmitting. With a comma-delimited string of information, at least, the eavesdropper has to determine what the data actually represents.
The value of a stock, however, is not the most secretive piece of information. Thus you probably would not need a great deal of security to protect that information. On the other hand, if you handled a consumer’s credit card information, you would definitely need to encrypt that information as the request and response made their way across the Web.
Beyond encryption, there are also security concerns you need to consider with Web Services. Such security concerns mainly involve deals the identity of the individual or application accessing your service. Is it whom you expect? Is someone impersonating your regular consumer? Identity isn’t something you consider when deploying a HTML form on your Web site, but with Web Services, you’re providing functionality that possibly interacts with your backend systems such as your Customer Relations Management (CRM) or accounting database at an application level. You need to protect this information.
As with any with any Web project, you need to sit down and consider the amount of security you really need because of the impact on hardware. Once you know your security needs, you can better answer questions related to needed systems.