Summary

A Web service describes its interface, or collection of operations, in a WSDL document and interacts with other entities by exchanging SOAP messages over HTTP/S. Web services utilize the simplicity, extensibility and flexibility of XML and Web protocols for program to program communication over the Internet. Security requirements of Web services could be more complex than simple transport security commonly used for Web applications.

Fundamental security issues for Web services are the same as any other distributed programming technology—authentication, authorizations, confidentiality and message integrity. An important distinction is that Web services can be invoked either synchronously, using request response paradigm or asynchronously, using document exchange paradigm.

Transport-level security can be used for a certain class of Web services. This is most appropriate when Web services are used as interoperable, platform-independent RPC infrastructure where both the client and the service communicate over a transport level connection. HTTPS provides good security in these cases and can be setup in the same way as for Web applications.

WS Security specification defines SOAP header elements to provide message-level authentication, confidentiality and integrity for SOAP messages. Message-based security is more appropriate than the transport-based security in a number of Web service use scenarios. The JAX-RPC handler mechanism provides a convenient mechanism to incorporate WS Security-based message security without changing the client or service code significantly.