This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Microsoft products, there are several modules available on CPAN that work with this
Apache::AuthenNTLM provides server-side support for Apache servers, and the
NTLM and Authen-NTLM packages provide client-side support.
The Secure Sockets Layer (SSL) provides transport layer security. It is also known as the Transport Layer Security (TLS) protocol, defined by the Internet standard RFC 2246, which can be found at http://www.ietf.org/rfc/rfc2246.txt. SSL/TLS offers several security features, including authentication (through client and server certificates), data integrity, and data confidentiality. The protocol known as HTTPS is really HTTP over SSL/TLS. Because HTTP's integration with SSL is transparent to the implementation of HTTP services (although it comes with some performance cost), it can readily be used with any implementation that sits on top of an HTTPS-aware infrastructure. A web service over HTTPS with basic authentication is probably the most common way to implement transport security.
IP Security Protocol (IPSec) is another standard for transport security. Like SSL/TLS, it provides secure sessions with host authentication, data integrity, and confidentiality. It also addresses transport security beyond any one application protocol: it is the basis of most modern Virtual Private Networks (VPNs).
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a specification for encoding any content into an ASCII character representation. It provides message integrity and allows for authentication. Because S/MIME uses client-side certificates, it suffers from the problems typical of those certificates: they have to be installed on the client side, they are difficult to revoke and invalidate, and they don't allow delegation of trust to let other agents act on someone else's behalf.
There is one more aspect that hasn't been discussed yet but is a hot topic for many security experts who talk about web services and transport security: firewalls. Most web service calls use HTTP as a transport and hence go through port 80, bypassing the firewall's security or requiring some additional steps to filter the XML traffic.
As discussed earlier, the current version of the SOAP specification (1.1) includes a SOAPAction header. This header lets the transport infrastructure know that a request is a SOAP request, so that the infrastructure can act accordingly. However, this header is made optional in the current draft of the new SOAP specification (1.2) and will likely go away. People tend to agree that even if it may seem like a hole in firewall security, sending an RPC request isn't very different from sending a document that triggers some action on the server side (those differences will be discussed later in this chapter), and as such it should be subject to similar security constraints.
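As an added illustration of the "additional steps to filter the XML traffic" mentioned above (example code written for this edition, not from the book): a small Python filter that classifies raw HTTP requests. It shows that a filter keyed only on the SOAPAction header sees SOAP 1.1 calls but misses SOAP 1.2 calls, whereas inspecting the envelope namespace in the request body identifies both. The sample requests and the host name example.invalid are constructed.

```python
import xml.etree.ElementTree as ET

# Envelope namespaces identify the SOAP version regardless of HTTP headers
ENVELOPE_NS = {"http://schemas.xmlsoap.org/soap/envelope/": "soap11",
               "http://www.w3.org/2003/05/soap-envelope": "soap12"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def has_soapaction(raw):
    # All a header-only filter can key on: SOAP 1.1's (optional) SOAPAction header
    return "soapaction" in parse_request(raw)[1]

def classify(raw):
    """Return 'soap11', 'soap12', 'xml-post' or 'other' by also parsing the body."""
    method, headers, body = parse_request(raw)
    if method != "POST":
        return "other"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    # ElementTree renders a namespaced root element as "{namespace}local"
    ns, local = root.tag[1:].split("}", 1) if root.tag.startswith("{") else ("", root.tag)
    if local == "Envelope" and ns in ENVELOPE_NS:
        return ENVELOPE_NS[ns]
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return "xml-post" if ctype in ("text/xml", "application/xml") else "other"

# Constructed sample requests (not captured traffic)
SOAP11_REQ = (b"POST /soap HTTP/1.1\r\nHost: example.invalid\r\nContent-Type: text/xml\r\n"
              b'SOAPAction: "urn:Hello#hi"\r\n\r\n'
              b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
              b"<e:Body><hi/></e:Body></e:Envelope>")
SOAP12_REQ = (b"POST /soap HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Type: application/soap+xml\r\n\r\n"
              b'<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope">'
              b"<e:Body><hi/></e:Body></e:Envelope>")
PLAIN_XML_REQ = (b"POST /orders HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Content-Type: text/xml\r\n\r\n<order><id>42</id></order>")
```

A filter placed in front of port 80 would apply its SOAP policy to anything `classify` reports as `soap11` or `soap12`, and treat a plain XML document POST under the same constraints as the RPC case, as the text argues.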
XML security standards provide a set of technical specifications to meet security
requirements of XML-based systems and applications. This section covers the