Analysis: SOA Security: Page 3 of 8

The downside: Scattering encrypted data throughout XML messages can cause interoperability problems because participants must agree in advance on issues such as where in a message encrypted data will be placed, which elements will be encrypted, and how keys can be exchanged. To help, Oasis (Organization for the Advancement of Structured Information Standards) created WS-Security, a standard for applying XML Security and XML Encryption in Web services.

Illustration: Message Vs. Transport Security

WS-Security is among the most mature of the WS-* standards, supported by almost all Web services and SOA vendors. Its main weakness is that, like all the WS-* standards, WS-Security requires SOAP: anyone doing business with Web services running REST (Representational State Transfer, a way of describing XML Web services that don't use SOAP) need not apply.

The main argument for using REST rather than SOAP is simplicity, so most REST users stick to SSL. Because REST requires HTTP and tends to be used for point-to-point links, SSL tunnels are often enough. Enterprises that want to apply message-layer security in REST will need to create their own protocols and data formats.

Pulling together every business partner and designing a custom, secure XML format for REST is a difficult sell for most enterprises, so the existence of WS-Security can be a powerful argument for SOAP. However, large Web services providers, including Amazon.com and Google, have successfully developed their own ways of locking down REST, using security tokens that are essentially shared secrets. Despite being proprietary, these are very popular among users: Amazon also offers a SOAP interface with WS-Security, yet has found that its customers prefer REST by a 5-1 margin. Most Amazon users are only accessing the Amazon service, not building an entire SOA, and so don't need SOAP's complexity.
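The following added example is not from the article and is not Amazon's or Google's actual scheme; it shows one way a shared secret can authenticate a REST request at the message layer, with the client signing a canonical form of the request and the server recomputing the signature. The canonical string format, the 300-second freshness window and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

MAX_SKEW_SECONDS = 300  # assumed freshness window, not from the article


def canonical_string(method, path, params, timestamp):
    """Build the exact bytes both sides sign (hypothetical format)."""
    # Percent-encode and sort so {'a': '1&b=2'} and {'a': '1', 'b': '2'}
    # cannot produce the same signed string.
    query = "&".join(
        f"{quote(k, safe='')}={quote(str(params[k]), safe='')}"
        for k in sorted(params)
    )
    return "\n".join([method.upper(), path, query, str(timestamp)]).encode()


def sign_request(secret, method, path, params, timestamp):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical_string(method, path, params, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, params, timestamp, signature, now):
    """Server side: reject stale requests, then recompute and compare."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the freshness window, treat as a replay
    expected = sign_request(secret, method, path, params, timestamp)
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample values, not real credentials or endpoints.
SECRET = b"constructed-shared-secret"
PARAMS = {"item": "1234", "qty": "2"}
SENT_AT = 1_700_000_000
SIG = sign_request(SECRET, "GET", "/orders", PARAMS, SENT_AT)

if __name__ == "__main__":
    ok = verify_request(SECRET, "GET", "/orders", PARAMS, SENT_AT, SIG, SENT_AT + 10)
    altered = dict(PARAMS, qty="200")
    bad = verify_request(SECRET, "GET", "/orders", altered, SENT_AT, SIG, SENT_AT + 10)
    print("genuine request accepted:", ok)
    print("altered request accepted:", bad)
```

The signature authenticates the sender and detects tampering but does not hide the request contents, so confidentiality still depends on SSL or on encrypting the payload.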

FEDERATE YOUR IDENTITY
Though WS-Security helps encrypt and sign SOAP messages, it doesn't say anything about AAA (authentication, authorization, and accounting) or security policies. These are handled through other standards, which within the security space are all based on WS-Security (see "WS-* Security Standards: Too Much Of A Good Thing?" informationweek.com/1148/security_sb.htm).

Most of these standards eventually will be supported by all vendors in both the Enterprise Service Bus and Web services management areas, though at present they're too new to have had much impact on users.