
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
358
|
Chapter 10: Securing Web Servers
IBM, Microsoft, and others founded the Web Services Interoperability Group (http://
www.ws-i.org) to create web-services standards outside of the IETF and W3C. Secu-
rity was not addressed until the first draft of Web Services Security (http://www-106.
ibm.com/developerworks/webservices/library/ws-secure/) appeared in April 2002. It
describes an extensible XML format for secure SOAP message exchanges. This
addresses the integrity of the message but still doesn’t guarantee that the message’s
contents are safe when handled by the client or server. The Basic Security Profile
(http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html) was approved
in 2004. A separate group, OASIS, recently approved three Web Services Security
specifications (http://www.oasis-open.org/specs/index.php).
It’s hard to be certain (the standards are heavy sledding), but it doesn’t look like we
have end-to-end security for web services yet.
An alternative to XML-based web services is Representational State Transfer (REST),
which uses only traditional web components—HTTP and URIs. A description is
found in Second Generation Web Services (http://www.xml.com/pub/a/2002/02/20/
rest.html). Its proponents argue that REST can do anything that SOAP can do, but
more simply ...