10.5 Web Services

Web services are an important new technology, and are used extensively in new frameworks such as Microsoft's .Net. Web services facilitate the transfer of structured data across networks by defining a standardized transport mechanism (for example, SOAP over HTTP). While the explosion of the World Wide Web was due to the large amount of human-readable content available through HTML pages, the development of more complex systems requires a standard by which applications can communicate directly with one another over the web. Web services seek to use the power of the web to provide language- and platform-neutral communication methods that can link applications across many different organizations.

However, current web services typically do not provide secure authentication and encryption support. Many web services that require access control use the authentication and security mechanisms of the underlying protocol (HTTP)—for example, by using Basic Authentication for access control and SSL-encrypted HTTP (HTTPS) for transport. This solution does not scale well, and if the HTTP server is decoupled from the web service, it creates the problem of keeping the web service's authentication information synchronized with the HTTP server.

To address these shortcomings, the WS-Security specification is under development by IBM, Microsoft, and VeriSign. The WS-Security specification defines a set of SOAP extensions that can be used to provide confidentiality and integrity services to web services. WS-Security defines a set of SOAP messages that can encapsulate generic security token objects and associate these security tokens with specific SOAP messages. Therefore, WS-Security is not tied to one particular algorithm or security system, and indeed can be used with security and authentication protocols such as SSL, X.509 (for public key certificates), and Kerberos.
While WS-Security specifies a standardized format for the transmission and encoding of security tokens and encrypted messages, it does not cover the messages needed to perform the actual authentication or key exchange required to establish secure communications. Instead, the WS-Security proposal delegates this task to the individual security mechanism used in the communications. In the case of Kerberos, the traditional Kerberos protocol is used to establish identity and generate a session key that then can be used by applications that use WS-Security to protect SOAP message exchanges. Work on WS-Security is ongoing, and general information on WS-Security can be found on Microsoft's MSDN site at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp. The full WS-Security specification can be found at IBM's DeveloperWorks web site at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/.
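The token-encapsulation idea described above, as an added example that is not from the book: the sender wraps a Kerberos AP-REQ (produced by the ordinary Kerberos exchange) in a wsse:Security header beside the SOAP body, and the receiver pulls it back out for the local Kerberos library to verify. The namespace URIs are the later OASIS WSS 1.0 and Kerberos Token Profile 1.1 values, not those of the IBM/Microsoft draft the text refers to, and the AP-REQ bytes are a constructed placeholder.

```python
import base64
import xml.etree.ElementTree as ET

# Assumed namespace URIs: SOAP 1.1 plus the OASIS WSS 1.0 / Kerberos Token
# Profile 1.1 values, which postdate the draft specification the text describes.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KRB_AP_REQ = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ"


def build_envelope(ap_req: bytes, body_xml: str) -> bytes:
    """Sender: place a Kerberos AP-REQ (obtained from the normal Kerberos
    exchange, not from WS-Security) in a wsse:Security header next to the body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # mustUnderstand="1": a receiver that cannot process this header must fault
    # instead of silently treating the body as an unauthenticated request.
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken",
                        {"EncodingType": B64, "ValueType": KRB_AP_REQ})
    tok.text = base64.b64encode(ap_req).decode("ascii")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def extract_kerberos_token(envelope: bytes) -> bytes:
    """Receiver: return the raw AP-REQ carried in the header. Verifying it and
    deriving the session key that then protects the exchange is the job of the
    local Kerberos/GSSAPI library, which WS-Security deliberately leaves alone."""
    root = ET.fromstring(envelope)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        raise ValueError("no wsse:Security header: request is unauthenticated")
    for tok in sec.findall(f"{{{WSSE}}}BinarySecurityToken"):
        if tok.get("ValueType") != KRB_AP_REQ:
            continue  # a different token type (X.509, etc.); not handled here
        if tok.get("EncodingType") != B64:
            raise ValueError("unsupported BinarySecurityToken encoding")
        return base64.b64decode(tok.text or "", validate=True)
    raise ValueError("wsse:Security header carries no Kerberos AP-REQ token")


if __name__ == "__main__":
    # Constructed placeholder; a real AP-REQ is the DER-encoded Kerberos message.
    fake_ap_req = b"\x6e\x00PLACEHOLDER-AP-REQ"
    env = build_envelope(fake_ap_req, "<GetBalance xmlns='urn:example:bank'/>")
    print(env.decode())
    assert extract_kerberos_token(env) == fake_ap_req
```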