Summary

This chapter asked the question "What are Web services, and why do they need security?" The answer is that Web services are the latest evolution of middleware that creates a loosely coupled RPC mechanism for application and information integration.

This chapter provided a brief introduction to XML, SOAP, and WSDL. The XML language is not only the way Web services messages are formatted, but it is also the language in which all other Web services standards are defined. XML is not new, and there are mature standards for securing XML messages. SOAP is the packaging mechanism for transporting XML messages over networking protocols and for treating XML as an RPC mechanism. WSDL separates the interface for a Web service from its implementation.

There are many types of application integration, and this chapter briefly covered the most common types and described why they need security. Internal application integration is most commonly used to integrate information from different sources within an organization to create more useful and more powerful composite applications. These types of integration need security from prying internal eyes and to comply with internal as well as external business practice policy regulations. B2B business process integration allows organizations to integrate with their supply chain or demand chain. Knowing for sure who is using what information is critical because these types of integration involve business-critical information exchange. Portals are used internally and externally as a way to aggregate information and applications into a single browser-accessible Web site. Users of portals must be authenticated to prove they are part of the group allowed access to the information. Service-oriented architecture is an approach more and more in favor as organizations try to leverage their information-processing assets maximally. SOA allows reuse of useful components and rapid construction of new applications. In SOA, messages move from point to point to point and need to maintain integrity and confidentiality all throughout their journey.

To fulfill all the security requirements Web services will place on you, this chapter asked the question "What are the core concepts of security that you need to know?" The answer starts with cryptography, a branch of mathematics focused on keeping secrets. The crypto-algorithms used to make messages secret are called encryption. The key to keeping secrets is in the keys to these algorithms. In shared key encryption, both sender and receiver share the same key for encryption and decryption of the message. In public key encryption, a matched pair of keys is used, one for encryption and its mate, and only its mate, for decryption. When you know what basic encryption is, the other critical concepts to understand and embrace are authentication (who is it?), authorization (what are they allowed to do?), integrity (is their message unaltered since they sent it?), confidentiality (was the message indecipherable by anyone intercepting it?), and non- repudiation (can you prove the message was indeed sent?).

Finally, this chapter introduced the Web services security basics that build on the security concepts just described. XML Signature provides integrity and non-repudiation for XML messages. XML Encryption provides confidentiality for XML messages. SAML assures the identity of a subject is made trustable and portable so that it can be attached to XML messages. WS-Security makes the entire SOAP system secure. And associated with WS-Security are also a host of other standards that help address a variety of trust issues brought on by Web services.