Chapter 14. Enterprise Security for Web Services


The eXtensible Markup Language (XML), because of its simplicity and flexibility, is expected to facilitate Internet business-to-business (B2B) messaging. One big concern that enterprises have in doing Internet B2B messaging is security. The Internet is a public network, without protection against such attacks as eavesdropping and forgery. If messages are stolen, replayed, or modified during transmission, B2B messaging becomes useless. Fortunately, the recent advancement of Web Services security has remedied most of the security problems in communication.

Various XML security technologies are enhancing security by introducing new features, such as digital signatures, elementwise encryption, and access control, that are beyond the capability of a transport-level security protocol such as SSL.

In this chapter, we delve into the dynamics of e-business and how companies will have to make their products and services available over the Internet to remain competitive. In particular, we focus on Web Services technology. A Web service [1] is an interface that describes a collection of network-accessible operations based on open Internet standards. Web Services technology has the potential to enable application integration at a higher level in the protocol stack. The key to reaching this level is the definition of a de facto program-to-program communication model, built on Web Services standards, such as XML, Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and the Universal Description, Discovery and Integration (UDDI) [2] standard, a cross-industry initiative designed to accelerate and broaden B2B integration and commerce on the Internet. The UDDI model uses standard protocols, such as HTTP and Java RMI-IIOP. To fully support e-business, extensions are needed for security, reliable messaging, quality of service (QoS), and management for each layer of the Web Services stack.

[1] A note on terminology: We capitalize the word Services when we refer to the Web Services technology. We do not capitalize the word service when we refer to a specific Web service.

[2] The UDDI standard is an industry initiative that is working to enable businesses to quickly, easily, and dynamically find and transact with one another. UDDI enables a business to describe its business and its services, discover other businesses that offer desired services, and integrate with these other businesses. For more details, see http://www.uddi.org/.



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
