As usual, in any web implementation, security is a critical part of a web service. In the different components of a web service, like SOAP, there are no specifications regarding security or authentication requirements, but we can acknowledge the following main security issues:
- Confidentiality and privacy
When a web service client connects to a web service, we need to identify somehow who is the user, and to verify if the user is who he claims to be.
There are many options to be considered :
- The HTTP protocol has built-in support for Basic and Digest Access Authentication, but it is not considered secured by itself if not used in conjunction with an external secure system like SSL. But this could provide at least a safer way to access web services.
- There is a security extension to SOAP allowing a client or provider to validate the identity of each other, by using Digital Signatures. This method uses public key cryptography to generate SOAP messages signed digitally.
- XML signature allows to bind the sender identity to an XML document, by signing the XML document with the sender’s private key, and this signature is then verified with the sender’s public key.
This could be implemented on top of the authentication, so once you have authenticated the user you still need to know if that user is authorized for using that service or accessing that information. This means to grant access for specific resources once the user is authenticated, and based on its entitlements.
Confidentiality and privacy
In some cases, we need to keep the information secret, or even keep in confidence the client that accesses the web service. This could be achieved by encrypting the content of the message, either the request or the response or even both, and by obfuscating the identities of the sender or the receiver.
A way to encrypt information is using XML Encryption which describes a process for encrypting data and representing the result in XML. It defines:
- How the digital content can be encrypted and decrypted.
- How the encryption key information is sent to the receiver
- How encrypted data is identified