The author worked on a team that created a Web Service software package that interacted with databases. The group believed that it was a great product, and it contained some extra features like the ability to transform the SOAP response with XSL. The first question out of every potential customer’s mouth was about security, and the team hadn’t provided any code or interface for securing these transactions. How did a group of very smart developers overlook this? When the team went back and examined the SOAP and WSDL standards closely, it realized that the standards groups had overlooked security as well. Several development teams probably had the same experience.
The security methods described in this chapter show how much of an afterthought security was with Web Services. “Authorization,” “Authentication,” and SSL all work, but the implementations seem haphazard and confusing. As the standards groups move forward, XML signature and encryption are steps in the right direction. The developer still must wonder whether there is technology to truly secure a Web Services implementation.