Adding Security to your Web Service
As you learned from the previous article in this series, there are levels at which security can be applied to a Web service. For this example, there are two basic requirements: validation of the entity making the request and hiding the data from non-partner companies. To achieve these objectives, the best choice is message-level encryption. XML digital signatures will be used for data integrity, authentication, and non-repudiation. I want to validate that all SOAP messages for purchase orders come from well-known entities and that they have not been modified.
XML Encryption will be used to add the confidentiality aspect, so that the data can be viewed only by the receiver. In Listing 3, the payment information is encrypted, and there is a digital signature identifying the customer.
I could have also chosen to encrypt the entire XML purchase order. This example will secure XML documents, but won't directly address how security is applied to Web services technologies such as SOAP.
WS-Security is the industry's first attempt to define XML-related security specifically for Web services. This involves extending SOAP to add Web services security tags to the SOAP header. WS-Security primarily defines a set of delimiting tags to be used in the SOAP header for adding identification, authorization, and encryption to the SOAP message. You can find the full specification at the World Wide Web Consortium Web site (see "Related Resources," left).
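A receiver-side structural pre-check for the layout described above (a digital signature carried in the WS-Security SOAP header, payment data present only as XML Encryption output), as an added example that is not code from the article. The `PurchaseOrder` and `Payment` element names, the `Id` attribute and the sample messages are constructed assumptions; the check inspects structure only and does not verify the signature value or decrypt anything.

```python
import xml.etree.ElementTree as ET  # stdlib parser; harden it for untrusted input
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
ENC_TAG = "{%s}EncryptedData" % NS["xenc"]

def policy_violations(xml_text):
    """Structural pre-check only; it does not verify the signature value."""
    root = ET.fromstring(xml_text)
    order = root.find("soap:Body/PurchaseOrder", NS)  # hypothetical element name
    if order is None:
        return ["no PurchaseOrder in SOAP body"]
    problems = []
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature in wsse:Security header")
    else:
        # The signature must cover the order we will process, not some other node.
        uris = {r.get("URI") for r in sig.iterfind("ds:SignedInfo/ds:Reference", NS)}
        if "#" + order.get("Id", "") not in uris:
            problems.append("signature does not reference the PurchaseOrder")
    payment = order.find("Payment")  # hypothetical element name
    if payment is None:
        problems.append("no Payment element")
    else:
        kids = list(payment)
        stray = (payment.text or "") + "".join(k.tail or "" for k in kids)
        if [k.tag for k in kids] != [ENC_TAG] or stray.strip():
            problems.append("Payment is not a single xenc:EncryptedData")
    return problems

def envelope(header, order):  # wraps constructed header/body fragments in SOAP 1.1
    return ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:ds="%s" '
            'xmlns:xenc="%s"><soap:Header>%s</soap:Header><soap:Body>%s</soap:Body>'
            '</soap:Envelope>') % (NS["soap"], NS["wsse"], NS["ds"], NS["xenc"], header, order)

# Constructed sample messages (not from the article).
SIGNED = ('<wsse:Security><ds:Signature><ds:SignedInfo><ds:Reference URI="#po-1"/>'
          '</ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>'
          '</ds:Signature></wsse:Security>')
GOOD = envelope(SIGNED, '<PurchaseOrder Id="po-1"><Item>widget</Item><Payment>'
                '<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>CONSTRUCTED'
                '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>'
                '</Payment></PurchaseOrder>')
BAD = envelope("", '<PurchaseOrder Id="po-2"><Payment><CardNumber>0000-CONSTRUCTED'
               '</CardNumber></Payment></PurchaseOrder>')
MISMATCH = envelope(SIGNED, '<PurchaseOrder Id="po-9"><Payment><xenc:EncryptedData/>'
                    '</Payment></PurchaseOrder>')
```

A message that passes this check still has to go through full XML Signature verification against a trusted partner key before the order is processed.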