BASIC SECURITY FOR SOAP SERVICES.
Simple Object Access Protocol (SOAP) is a network protocol for exchanging structured data between nodes. It uses XML format to transfer messages. It works on top of application layer protocols like HTML and SMTP for notations and transmission. SOAP allows processes to communicate throughout platforms, languages and operating systems, since protocols like HTTP are already installed on all platforms.
SOAP is an API messaging protocol, and SOAP security is the strategy that prevents unauthorized access to SOAP messages and user information. Web Standards Security (WS Security) is the main aspect of ensuring SOAP security.
SOAP was originally developed as a web service protocol, with an HTTP transport binding. At the same time, the designers of the protocol made sure that the SOAP specification was not dependent on any features of the underlying transport. As a result, SOAP can be used over a large number of transport protocols today, thus providing a consistent way of creating services over a number of different platforms. Such platforms include SMTP, FTP, and message queuing protocols. This flexibility does not come for free, though, since many transport semantics (such as session security, routing, acknowledgments, etc.) that are provided by the underlying transport protocols need to be replicated within the SOAP stack. This can lead to significant performance issues and replication of functionality at different layers.
SOAP is a messaging protocol, meaning that SOAP security is primarily concerned with preventing unauthorized access to these messages and to users’ information. The main thing used to accomplish this is WS (Web Standards) Security.
WS Security is a set of principles that regulate the confidentiality and authentication procedures for SOAP messaging. WS Security-compliant measures include passengers, digital signatures and XML (Extensible Markup Language) encryption, among other things. XML encryption causes the data to be unreadable to unauthorized users.
WS-Security is only of limited use: it describes how security elements such as tokens and signatures can be incorporated into a SOAP message. It also provides limited instructions on how to protect portions of the message using these security elements.
A common use of WS-Security is for authentication of the incoming request. In order to process (an update to an account using a SOAP request), the bank service will need to verify the identity of the invoker (authentication) so that it can apply its authorization policies.
Authentication of a single request is achieved by providing the token within the security header. Since there are countless ways of doing this, the service needs to communicate to the client the type of acceptable tokens, acceptable configurations of these tokens, and how to protect them.
An example given below shows a client talking to both a database and a web server at a time. In such cases, not all information can pass through the https protocol. This is where SOAP comes in action to overcome such obstacles by having the WS Security specification in place.
