Chapter 8. Web Services Security

Security is one of the key issues that developers of web services face, particularly in the enterprise. Without a comprehensive security infrastructure, web services will simply not reach their full potential. It is no surprise that we are starting to see new battles emerge in the marketplace as companies vie for the dominant security position.

Authentication is one of the key components that has emerged. Currently, there are three widely known, competing (and unfortunately, incompatible) web service authentication infrastructures jockeying for position in the marketplace:

Passport

Microsoft's proprietary single sign-on service that provides authentication and digital wallet services for millions of users.

Magic Carpet

AOL's own single sign-on service and digital wallet for use by AOL members.

Sun's Liberty Project

A collaborative effort among Java and open source development communities to develop an alternative to Passport.

Of the three, Passport is the best-known and best-understood architecture. We discuss that architecture in this chapter, but first we look more closely at web services security in general, including the XML digital signature and XML encryption specifications.

What Is a "Secure" Web Service?

Web services are all about moving information; it doesn't really matter what type of information is being moved. A "secure" web service is one in which the information sender trusts that the recipient of that information ...
