Web services are designed to expose business functionality in an interoperable and loosely coupled manner. While they have the potential to reap the benefits of an SOA infrastructure, they also introduce the risk of unauthorized access to your business assets. Therefore, it is important to secure web services by limiting access to only legitimate consumers, to prevent confidentiality and integrity breaches.
Choosing a web services security solution can be daunting. More than a dozen solutions are available, and many factors determine whether a particular solution is appropriate for your scenario. While each individual solution offers documentation, you won't find a comprehensive guide that helps you make the right choice.
While not completely comprehensive, this article examines some of the popular security solutions and assesses each one's strengths and limitations. It examines the factors that influence a solution choice and provides guidelines to help you make an informed decision. Code and message payload examples are added for clarity.
Transport Level Versus Message Level Security
One of the most common approaches to web services security is using SSL to secure the transport channel. This is a natural extension of web application security, where the HTTPS protocol secures HTTP requests/responses using SSL. SOAP/HTTPS is the web services equivalent of HTTPS. It guarantees that calls are secured for both confidentiality and integrity. Implementing SOAP/HTTPS security is relatively simple, since most application servers simply extend the SSL certificate configuration already used for HTTPS.
While this approach can help you quickly establish a security solution, it does have some limitations that you must consider:
- SOAP/HTTPS does not address authentication requirements. It must be combined with other mechanisms such as UsernameToken to handle authentication.
- Because SSL encrypts the entire channel, it carries a significant performance impact. If only parts of the message need to be secured, consider using Message Level Security (more on this shortly) since it supports partial encryption and integrity, which improve performance.
- SSL is a point-to-point security scheme that is not suitable for end-to-end topologies where messages flow across intermediaries such as gateways.
With Message Level Security (MLS), security constraints are applied to the message itself instead of to the transport channel. The web services security standards specified in recent years have revolved around the application of MLS. They include a wide array of standards, including XML-Encryption, XML-Signature, UsernameToken, Kerberos, and SAML. (Refer to the OASIS Standards for a comprehensive listing.) These standards cover different techniques and in some cases may be combined to produce a comprehensive security solution. It is also possible to pair MLS with TLS, as in the example of using UsernameToken for authentication and SSL for confidentiality and integrity.