Securing Web Services with WS-Security




Almost by definition, security is a hard-to-use feature—in contrast to Web services, which are fairly easy to implement and understand. In the first version of most SOAP toolkits, security was an afterthought that was handled almost entirely by the transport of the SOAP message. For example, encryption was covered by SSL (Secure Sockets Layer) over HTTP.

We need to be able to encrypt, sign, and authenticate messages. This means that the security information of the SOAP message must be baked into the SOAP message itself. This chapter covers cryptography and a specific security technology available for use with Web services: WS-Security. It also examines how the Web Services Enhancements for Microsoft .NET (WSE) implement message-level security based on this standard. We'll skip any discussion of HTTP-based security schemes, such as SSL, because those are more than adequately covered in many other texts, particularly product documentation.