Learn Web Services
Web Services Resources
Selected Reading
- Web Services - Summary
- Web Services - Standards
- Web Services - Security
- Web Services - Examples
- Web Services - Components
- Web Services - Architecture
- Web Services - Characteristics
- Why Web Services?
- What are Web Services?
- Web Services - Home
Web Services Resources
- Web Services - Discussion
- Web Services - Useful Resources
- Web Services - Quick Guide
- WebServices - Questions & Answers
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
Web Services - Security
Web Services - Security
Security is critical to web services. However, neither XML-RPC nor SOAP specifications make any exppcit security or authentication requirements.
There are three specific security issues with web services −
Confidentiapty
Authentication
Network Security
Confidentiapty
If a cpent sends an XML request to a server, can we ensure that the communication remains confidential?
Answer pes here −
XML-RPC and SOAP run primarily on top of HTTP.
HTTP has support for Secure Sockets Layer (SSL).
Communication can be encrypted via SSL.
SSL is a proven technology and widely deployed.
A single web service may consist of a chain of apppcations. For example, one large service might tie together the services of three other apppcations. In this case, SSL is not adequate; the messages need to be encrypted at each node along the service path, and each node represents a potential weak pnk in the chain. Currently, there is no agreed-upon solution to this issue, but one promising solution is the W3C XML Encryption Standard. This standard provides a framework for encrypting and decrypting entire XML documents or just portions of an XML document. You can check it at
Authentication
If a cpent connects to a web service, how do we identify the user? Is the user authorized to use the service?
The following options can be considered but there is no clear consensus on a strong authentication scheme.
HTTP includes built-in support for Basic and Digest authentication, and services can therefore be protected in much the same manner as HTML documents are currently protected.
SOAP Digital Signature (SOAP-DSIG) leverages pubpc key cryptography to digitally sign SOAP messages. It enables the cpent or server to vapdate the identity of the other party. Check it at .
The Organization for the Advancement of Structured Information Standards (OASIS) is working on the Security Assertion Markup Language (SAML).
Network Security
There is currently no easy answer to this problem, and it has been the subject of much debate. For now, if you are truly intent on filtering out SOAP or XML-RPC messages, one possibipty is to filter out all HTTP POST requests that set their content type to text/xml.
Another alternative is to filter the SOAPAction HTTP header attribute. Firewall vendors are also currently developing tools exppcitly designed to filter web service traffic.
Advertisements