Security and Web Services

Like the Web itself, web services were not created with security in mind. And like the Web itself, attempts have been made to staple security onto web services now that it's needed.

The central problem is that web services want to talk to each other. They are designed to be used and reused in multiple different ways. They advertise themselves and promote their functionality. So, when the whole point is for services to talk to one another, anything that gets in the way of that communication, such as security, is seen as undesirable.

To make matters worse, applications, components, and services can be discovered without a prior business relationship. What do we do about authentication, authorization, nonrepudiation, and data integrity?

As people deploy more applications using web services, applications that used to live strictly on the internal intranet are now finding their way onto the public Internet. These applications then open up data and functionality to promote use and reuse. But if care is not taken, these web services can become huge security risks.

So, how do we do it securely? Where do we start? First we need to figure out who our users are. Who are we exposing data and services to? Who wants to know? How do we know who they are?

Identification

Hey, buddy, let's see some I.D. Identification is the means by which a web service can know who or what is calling it. Much like a bouncer at the local bar, a web service needs to validate identity at the door. Identity, ...
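The bouncer analogy above can be made concrete. The following is an added example, not code from the book: a service checks the caller's claimed identity at the door by verifying an HMAC over the request that only a registered caller could have produced. The header names, the `CALLERS` registry, the shared secrets and the sample request are all constructed for illustration; a real deployment would hold keys in a secrets store and most likely use a standard scheme (mutual TLS, signed tokens) rather than a hand-rolled one.

```python
import hmac
import hashlib
import time

# Constructed caller registry (assumption): caller id -> shared secret.
# In a real service these would come from a secrets store, never from source.
CALLERS = {
    "inventory-svc": b"k3y-for-inventory-service",
    "billing-svc": b"k3y-for-billing-service",
}

# Reject requests whose timestamp is too far from the service clock, so a
# captured request cannot simply be replayed later.
MAX_SKEW_SECONDS = 300


def sign_request(caller_id, secret, method, path, body, timestamp):
    """Caller side: MAC over identity, method, path, timestamp and body.

    Binding the caller id into the MAC means a caller cannot present its own
    valid signature under somebody else's identity.
    """
    msg = b"\n".join([
        caller_id.encode(),
        method.encode(),
        path.encode(),
        str(timestamp).encode(),
        body,
    ])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def identify_caller(headers, method, path, body, now=None):
    """Service side: return the caller id if the request is authentically
    from a registered caller, otherwise None (unknown, forged, tampered
    or stale requests are all rejected the same way)."""
    now = time.time() if now is None else now
    caller_id = headers.get("X-Caller-Id")
    signature = headers.get("X-Signature", "")
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None

    secret = CALLERS.get(caller_id)  # None for unknown or missing id
    if secret is None:
        return None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None

    expected = sign_request(caller_id, secret, method, path, body, ts)
    # Constant-time comparison so the check does not leak how many
    # leading bytes of the signature were right.
    if not hmac.compare_digest(expected, signature):
        return None
    return caller_id


def demo():
    """Constructed request from a registered caller, then the same request
    after an attacker has altered the body."""
    ts = 1_700_000_000
    body = b'{"sku":"A1","qty":2}'
    sig = sign_request("inventory-svc", CALLERS["inventory-svc"],
                       "POST", "/orders", body, ts)
    headers = {"X-Caller-Id": "inventory-svc",
               "X-Timestamp": str(ts),
               "X-Signature": sig}
    genuine = identify_caller(headers, "POST", "/orders", body, now=ts + 5)
    tampered = identify_caller(headers, "POST", "/orders",
                               b'{"sku":"A1","qty":200}', now=ts + 5)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Every failure path returns the same `None` so the response does not tell a probing client whether the caller id, the key or the timestamp was the problem. Note that this only answers "who is calling"; authorization (what that caller may do) is a separate decision taken after identification succeeds.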
