10.3. Authorization SOAP Extension
The WS-Security specification defines standards for using SOAP headers to communicate credentials, digitally sign and encrypt messages. In most cases, you're still pretty much on your own for implementing authorization (controlling access to resources based on user credentials).
Usually, authentication and authorization are insufficient because they don't protect your service from threats such as compromised data integrity/confidentiality or replay attacks. If you are transmitting sensitive data, you're also likely to need digital signature and encryption mechanisms. Although you can use SSL for data encryption, WS-Security recommends XML Signature and XML Encryption to digitally sign and encrypt SOAP messages. ...
Get Real World XML Web Services: For VB and VB .NET Developers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.