The lack of a coherent security model and policy is the most often cited reason for the slow deployment of externally facing Web services by enterprises. Addressing security issues with vigor will not only make Web services (as well as the applications that consume Web services) more secure, but will also increase the community's confidence in Web service technologies. This improved confidence will likely result in increased numbers and types of available Web services.
In this chapter we took a broad look at security, and then focused on the security issues specific to Web services environments. We described how security is really an end-to-end process, and a secure system cannot be implemented by simply using a few technologies within a service or application.
We went on to discuss some of the XML security technologies that are finding their way into Web service environments. Two of these technologies are XML Encryption and XML Digital Signatures. XML Encryption builds on SSL to provide end-to-end data protection between multiple parties, and it supports selectively encrypting segments of a message. Different segments may be encrypted using different keys so that only particular parties along a multi-party chain can access certain information. Certain segments may not be encrypted at all, which reduces encryption/decryption processing time and energy consumption.
XML Digital Signatures complements XML Encryption and provides a means for verifying the authenticity (who sent it?) and integrity (was it received as it was sent by the sender or was it modified in transit?) of a message. XML Signature also provides a means for non-repudiation so that the sender of a message cannot disavow having sent the message.
WS-Security is emerging as the de facto standard for Web services security. In essence, WS-Security integrates and unifies multiple security models and technologies under a single umbrella, supporting interoperability across various systems. In particular, WS-Security positions existing XML technologies, including XML Encryption and XML Digital Signatures, within the context of SOAP messages.
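The selective, per-party encryption summarized above, placed in a SOAP message the way WS-Security positions it, can be audited mechanically. The following Python code is an added example, not code from the chapter: it reads a constructed message and reports which party's wrapped key references each encrypted segment and which elements travel in the clear. The party names (`bank`, `shipper`), the element names and the `Id` values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENC = "{%s}EncryptedData" % NS["xenc"]
CV = "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>"

# Constructed sample message: party names, element names and Ids are made up,
# and the cipher values are placeholders rather than real ciphertext.
MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
 <soap:Header><wsse:Security>
  <xenc:EncryptedKey><ds:KeyInfo><ds:KeyName>bank</ds:KeyName></ds:KeyInfo>{CV}
   <xenc:ReferenceList><xenc:DataReference URI="#card"/></xenc:ReferenceList></xenc:EncryptedKey>
  <xenc:EncryptedKey><ds:KeyInfo><ds:KeyName>shipper</ds:KeyName></ds:KeyInfo>{CV}
   <xenc:ReferenceList><xenc:DataReference URI="#addr"/></xenc:ReferenceList></xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body><Order>
  <Item>book</Item>
  <Payment><xenc:EncryptedData Id="card">{CV}</xenc:EncryptedData></Payment>
  <Delivery><xenc:EncryptedData Id="addr">{CV}</xenc:EncryptedData></Delivery>
 </Order></soap:Body></soap:Envelope>"""

def _walk(elem, readers, segments, cleartext):
    for child in elem:
        if child.tag == ENC:  # encrypted segment: look up who is named as key holder
            segments[elem.tag] = readers.get(child.get("Id"), [])
        elif len(child) == 0 and (child.text or "").strip():
            cleartext.append(child.tag)  # leaf element whose text is readable by anyone
        else:
            _walk(child, readers, segments, cleartext)

def audit(xml_text):
    """Return ({segment: [parties named as key holders]}, [cleartext leaf elements])."""
    root = ET.fromstring(xml_text)  # constructed input; untrusted XML needs a hardened parser
    readers = {}
    for key in root.iterfind("soap:Header/wsse:Security/xenc:EncryptedKey", NS):
        party = key.findtext("ds:KeyInfo/ds:KeyName", default="?", namespaces=NS)
        for ref in key.iterfind("xenc:ReferenceList/xenc:DataReference", NS):
            readers.setdefault(ref.get("URI", "").lstrip("#"), []).append(party)
    segments, cleartext = {}, []
    _walk(root.find("soap:Body", NS), readers, segments, cleartext)
    return segments, cleartext

if __name__ == "__main__":
    print(audit(MESSAGE))
```

An empty list for a segment means no wrapped key in the header references it, so no party listed in the message can be shown to decrypt it.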