Chapter 11. Web Service Security

A Web service is a program that has a message-based interface described in a WSDL (Web Service Description Language) document. A WSDL description is somewhat similar to a CORBA IDL (Interface Definition Language) description, in the sense that it describes the interface of a network service. A WSDL document defines a set of end-points operating on messages. The operations and messages are described abstractly, and then bound to a concrete network protocol, such as HTTP, and a message packaging format, such as SOAP (Simple Object Access Protocol), to define a binding. The combination of a binding and a network address makes a concrete endpoint, also known as a port. A Web service is simply a collection of ports.

Although it is possible to specify any message format and transport protocol within a WSDL document, the most common choices are SOAP for message format and HTTP/S for transport. Not surprisingly, the term Web service almost always implies exchange of SOAP messages over HTTP/S. As you may already know, SOAP is an XML packaging scheme consisting of a Header element and a Body element, encapsulated within an Envelope element. We look at examples of SOAP and WSDL documents later in this chapter.

Both SOAP and WSDL have been hailed by the computing industry as revolutionary technologies with the promise to usher us into a new age of program-to-program communication over the Internet that will change the way businesses interact with each other. This claim needs to be seen in the right historical perspective. The use of widely accepted protocols such as TCP/IP and HTTP, and of document formats such as HTML, has been the primary reason for the explosive growth of human-oriented Web applications. With time, it is possible that a number of activities that currently require human interaction will be taken over by program-to-program interaction.

However, for the time being, Web services are mostly being used as integration technology for programs written in different languages and running on different platforms.

Regardless of what problem you are solving with Web services, you need to address the same security issues that other integration or distributed computing technologies need to address. The issues include:

  • the client's need to authenticate itself to the server;

  • the server's need to authenticate the client;

  • the need to guarantee integrity and confidentiality of the messages being exchanged; and

  • the need to determine the access rights of a client by its verified identity and internal access control policy.

In cases where a Web service invocation is not much different from the synchronous exchange of request and response messages over HTTP, a transport-based security mechanism such as SSL may be quite adequate. However, not all Web service-based applications are going to be of this type. In scenarios where a message needs to be transported to multiple endpoints, one after another, asynchronously, over multiple transports, through intermediaries and across corporate firewalls, we need message-based end-to-end security. Recall that transport-based security works well only when both communicating endpoints are active at the same time and there is no requirement for an intermediary to examine the message content for routing, validation or any other purpose. Message-based security does not suffer from these limitations.
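The following is an added example, not code from the book, that makes the contrast above concrete using the Envelope/Header/Body structure described earlier in the chapter. The sender computes an HMAC over the canonicalized Body and places it in a Header entry; an intermediary can then parse the message, add its own routing header and re-serialize it without breaking verification, while any change to the Body between the endpoints is detected by the receiver regardless of what transport security existed on each hop. The namespaces `urn:example:*`, the `BodyHMAC` header element, the shared key and the `gateway.example` hop name are all constructed for this example, and the HMAC is a stand-in for the XML Signature that WS-Security uses; the code assumes Python 3.8 or later for `ET.canonicalize`.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ORD_NS = "urn:example:orders"        # constructed application namespace
SEC_NS = "urn:example:integrity"     # constructed namespace for the integrity header
ROUTE_NS = "urn:example:routing"     # constructed namespace for an intermediary's header

for prefix, uri in (("soap", SOAP_NS), ("ord", ORD_NS), ("sec", SEC_NS), ("route", ROUTE_NS)):
    ET.register_namespace(prefix, uri)

# Constructed demo key; in practice the key (or a signing key pair) is agreed out of band.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def body_digest(body: ET.Element, key: bytes) -> str:
    """HMAC-SHA256 over the canonicalized Body element.

    Canonicalization (C14N) makes the digest independent of prefix names,
    attribute order and insignificant whitespace, so an intermediary that
    re-serializes the envelope does not break verification. This stands in
    for the XML Signature used by WS-Security.
    """
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_envelope(payload: ET.Element, key: bytes) -> bytes:
    """Wrap the payload in Envelope/Header/Body and put the Body's HMAC in the Header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")   # Header precedes Body in SOAP
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(payload)
    ET.SubElement(header, f"{{{SEC_NS}}}BodyHMAC").text = body_digest(body, key)
    return ET.tostring(env, encoding="utf-8")


def verify_envelope(wire: bytes, key: bytes) -> bool:
    """Receiver-side check: exactly one BodyHMAC header, and it matches the Body."""
    env = ET.fromstring(wire)
    body = env.find(f"{{{SOAP_NS}}}Body")
    tags = env.findall(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}BodyHMAC")
    if body is None or len(tags) != 1 or not tags[0].text:
        return False
    # Constant-time comparison so the check does not leak the digest by timing.
    return hmac.compare_digest(tags[0].text.strip().encode("utf-8"),
                               body_digest(body, key).encode("utf-8"))


def add_routing_header(wire: bytes) -> bytes:
    """An intermediary that reads the message and records its hop in the Header.

    It re-parses and re-serializes the whole envelope, as a SOAP router would,
    but leaves the Body untouched, so end-to-end verification still succeeds.
    """
    env = ET.fromstring(wire)
    header = env.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{ROUTE_NS}}}Via").text = "gateway.example"  # constructed hop name
    return ET.tostring(env, encoding="utf-8")


def modify_body_in_transit(wire: bytes) -> bytes:
    """A change to Body content between the endpoints (a misbehaving hop, a bug
    or corruption). Transport security ended at the previous hop; only the
    message-level digest can catch this at the final receiver."""
    env = ET.fromstring(wire)
    env.find(f".//{{{ORD_NS}}}Quantity").text = "1000"
    return ET.tostring(env, encoding="utf-8")


def demo_order() -> ET.Element:
    """Constructed application payload for the Body."""
    order = ET.Element(f"{{{ORD_NS}}}PlaceOrder")
    ET.SubElement(order, f"{{{ORD_NS}}}ItemId").text = "SKU-123"
    ET.SubElement(order, f"{{{ORD_NS}}}Quantity").text = "2"
    return order


if __name__ == "__main__":
    wire = build_envelope(demo_order(), DEMO_KEY)
    print(wire.decode("utf-8"))
    print("direct:", verify_envelope(wire, DEMO_KEY))                                 # True
    print("via intermediary:", verify_envelope(add_routing_header(wire), DEMO_KEY))   # True
    print("body changed:", verify_envelope(modify_body_in_transit(wire), DEMO_KEY))   # False
```

The design point is which part of the message the integrity check covers: the Body is bound to the key, the Header is left open so that intermediaries can add routing or audit entries without involving the endpoints' keys. Requiring exactly one `BodyHMAC` element avoids the ambiguity of a receiver silently picking one of several, and the constant-time comparison is the usual precaution when comparing authentication tags.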

Having covered transport-based security in Chapter 6, Securing the Wire and message-based security in Chapter 7, Securing the Message, we are now ready to discuss, develop and deploy secure Web services in this chapter.

Before we get into details, let us spend some time talking about various Web services standards.
