Chapter 14. SOA and Security
WHEN INTEGRATING DISTRIBUTED SYSTEMS, SOONER OR LATER SECURITY COMES INTO PLAY. PROBLEMS can arise because many people have access to the system landscape, while not all of these people are allowed to see and manipulate all the data.
This chapter gives a brief overview of security aspects for SOA.
When talking about security in distributed systems many different aspects come into play, and as usual, there are many different ways to categorize them. Generally speaking, the following categories are key:
Authentication has to do with verifying an identity. An identity may be a user, a physical device, or a foreign service requestor. Regarding SOA, this means finding out who is calling the service.
Authorization has to do with determining what an identity is allowed to do. Regarding SOA, this means checking whether the caller is allowed to call the service and/or see the result.
Whether data remains confidential while in transit or in storage is another key aspect of security. Regarding services, this means ensuring that no one besides the service caller can see service data while it is being transferred between the provider and the consumer.
The key here is guaranteeing that data can’t get manipulated or counterfeited, such that either the data is simply wrong or, even worse, authentication and authorization credentials are faked so that someone can get access to data she is not supposed ...