Advantages of Message Security
Some of the characteristics of a web service that make it especially vulnerable to
security attacks include the following:
· Interactions are performed over the Internet using transport protocols that
are firewall friendly, such as HTTP, which firewalls routinely allow through.
· Communication is often initiated by service consumers who have no prior
relationship with the service provider.
· The message format is text-based (XML), so the content is readable and
editable by anything that can see it in transit.
Additionally, the distributed nature of web service interactions and dependencies
might require a standard way to propagate identity and trust between application
domains.
There are several well-defined aspects of application security that, when
properly addressed, help to minimize the security threat faced by an enterprise.
These include authentication, authorization, integrity, confidentiality,
non-repudiation, and more. These requirements are discussed in more detail in
Characteristics of Application Security (page 946).
One method for addressing the unique challenges of web services security is
message security, which is discussed in this chapter under the following
topics:
· Advantages of Message Security (page 233)
· Message Security Mechanisms (page 235)
· Web Services Security Initiatives and Organizations (page 236)
· Using Message Security with Java EE (page 241)
Advantages of Message Security
Before we get to message security, it is important to understand why security at
the transport layer is not always sufficient to address the security needs of a
web service. Transport-layer security is provided by the transport mechanism
used to transmit information over the wire between clients and providers; for
web services this means secure HTTP transport (HTTPS), that is, HTTP over
Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS).
Transport security is a point-to-point mechanism that can be used for
authentication, message integrity, and confidentiality. When running over an
SSL-protected session, the server and client can authenticate one another and
negotiate an encryption algorithm and cryptographic keys before the application
protocol transmits or receives its first byte of data. Security is "live" from
the time the data leaves the consumer until it arrives at the provider, or vice
versa,
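The point-to-point nature of transport security matters as soon as a message passes through an intermediary such as a gateway or routing node, because the SSL/TLS session ends there and the message is in the clear before the next hop begins. The following Python script is an added example, not code from the Java EE documentation this page is drawn from: it models a consumer-to-provider message crossing one intermediary and contrasts a transport-only deployment with one that also carries an end-to-end integrity tag in the message. The message body, the shared key and the hop names are constructed for the example, and an HMAC-SHA256 over the canonical body is assumed as a stand-in for the XML Signature a WS-Security deployment would place in the SOAP header.

```python
"""
Added example, not code from the Java EE documentation this page is taken
from. It models a web-service message crossing an intermediary to show why
transport-layer security (SSL/TLS) is point-to-point while message-layer
security is end-to-end. The message body, the key and the hop names are
constructed for the example; an HMAC-SHA256 over the canonical body stands
in for the XML Signature a WS-Security deployment would carry in the SOAP
header (the signing primitive is an assumption, not the page's mechanism).
"""
import hashlib
import hmac
import json

# Constructed secret shared only by the service consumer and the provider.
END_TO_END_KEY = b"consumer-provider-shared-secret"


def canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, key: bytes) -> dict:
    """Message-layer security: the consumer attaches an integrity tag that
    travels inside the message through every hop."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": tag}


def verify_message(msg: dict, key: bytes) -> bool:
    """Provider-side check; constant-time compare avoids timing leaks."""
    expected = hmac.new(key, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("signature", ""))


def tls_hop(msg: dict) -> dict:
    """One SSL/TLS-protected hop. The channel protects bytes only between its
    two endpoints; at the receiving endpoint the session ends and the message
    is plaintext again, so the hop is modeled as delivering an exact copy."""
    return json.loads(json.dumps(msg))


def tampering_intermediary(msg: dict) -> dict:
    """An intermediary (gateway, router, ESB) that terminates the consumer's
    TLS session. It holds the message in the clear and can change it before
    opening a fresh TLS session to the provider."""
    altered = json.loads(json.dumps(msg))
    altered["body"]["amount"] = 100000
    return altered


def route(msg: dict, tamper: bool) -> dict:
    # consumer --TLS--> intermediary --TLS--> provider
    at_intermediary = tls_hop(msg)
    if tamper:
        at_intermediary = tampering_intermediary(at_intermediary)
    return tls_hop(at_intermediary)


SAMPLE_BODY = {"account": "ACC-1", "amount": 100}  # constructed request


def transport_only(tamper: bool) -> int:
    """Transport security alone: the provider has no end-to-end check and
    simply acts on whatever body the last hop delivered."""
    received = route({"body": dict(SAMPLE_BODY)}, tamper)
    return received["body"]["amount"]


def message_security(tamper: bool) -> tuple:
    """Message security: the provider verifies the signature carried in the
    message itself; returns (signature_valid, amount_received)."""
    received = route(sign_message(dict(SAMPLE_BODY), END_TO_END_KEY), tamper)
    return verify_message(received, END_TO_END_KEY), received["body"]["amount"]


if __name__ == "__main__":
    print("transport only, tampered hop :", transport_only(True))
    print("message security, tampered hop:", message_security(True))
```

With transport security alone the provider acts on the altered amount and has no way to know the body changed at the intermediary; with the integrity tag travelling inside the message, verification fails at the provider and the request can be rejected. The same reasoning applies to confidentiality: an intermediary that terminates the SSL session sees every field unless the sensitive parts are encrypted at the message layer.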