Chapter 10. Web Services Security
The advent of web services reveals new issues that didn’t exist in previous closed environments. New levels of openness and new characteristics of data exchange and interoperability also mean that we face new challenges for securing our data and identities:
Corporate applications and their interfaces are publicly available for all to see. They are available via port 80, which is generally accepted as an open hole in the firewall through which all HTTP traffic flows. Don’t assume that just because something is tunneled through port 80 that it is safe. Applications that provide frontends for your critical data will increasingly be exposed through HTTP and accessible to anyone in the outside world. If taken to the extreme, these applications can even be published in a public directory for anyone to discover.
Data wrapped in SOAP envelopes provides a way to discern the structure and meaning of data being sent over the wire.
Sending and receiving parties don’t have to be implemented by using the same software platforms; i.e., they don’t have to have the same security libraries from the same vendor. Therefore, we need a set of standardized, platform-independent security solutions.
XML is extremely verbose. Encryption is expensive enough as it is. Wrapping data in XML can increase the size of the data that needs to be encrypted tremendously.
The vision of web services includes enabling spontaneous supply-chain communities or trading communities via ...
Get Java Web Services now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.