Many companies that start walking the SOA road end up stumbling upon security requirements related to the use of enterprise web services.
So before choosing security solutions/technologies, the first two things you must ask yourself are:
- What is critical to the business and needs to be protected?
- If I were a bad guy, what would I try to exploit to gain an advantage or create problems for the enterprise?
The answers to these questions will probably drive you to choose which of the security concepts you will use in your solution.
Here are the default security concepts you will probably have to address:
- Identification: whoever receives the message should have a way to identify who sent it.
- Authentication: whoever receives the message needs to check that the sender's identity is valid.
- Authorization: whoever receives the message needs to know the sender's access level. This can be related to which operations and data will be accessible to the sender.
- Integrity: the message remains the same during transmission and on arrival at the recipient.
- Confidentiality: the message content cannot be seen while it is being transmitted, except by the authorized service.
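As an added illustration (not code from the original post), the following Python shows how a receiving service could apply the first four concepts to an incoming message: the sender name gives identification, a keyed MAC over the message gives authentication and integrity, and a per-sender operation list gives authorization. The message layout, sender names and shared keys are assumptions made for the example; confidentiality would need encryption of the payload and is not shown.

```python
import hmac
import hashlib
import json

# Constructed sample data: one shared secret per known sender (used for
# authentication) and the operations each sender may call (authorization).
SENDER_KEYS = {"billing-svc": b"billing-secret", "report-svc": b"report-secret"}
SENDER_ACCESS = {
    "billing-svc": {"create_invoice", "read_invoice"},
    "report-svc": {"read_invoice"},
}


def sign(sender, operation, payload, key):
    """Integrity: keyed MAC over sender, operation and canonical JSON body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    msg = f"{sender}\n{operation}\n{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_message(sender, operation, payload):
    """Sender side: attach identity and MAC to the message."""
    mac = sign(sender, operation, payload, SENDER_KEYS[sender])
    return {"sender": sender, "operation": operation, "payload": payload, "mac": mac}


def check_message(message):
    """Receiver side: returns (accepted, reason) after applying each concept."""
    sender = message.get("sender")
    # Identification: the message must name a sender we know.
    if sender not in SENDER_KEYS:
        return False, "unknown sender"
    expected = sign(sender, message["operation"], message["payload"], SENDER_KEYS[sender])
    # Authentication + integrity: only the holder of the sender's key can
    # produce a valid MAC, and any change to operation or payload in transit
    # makes the MAC fail. compare_digest avoids timing leaks.
    if not hmac.compare_digest(expected, message.get("mac", "")):
        return False, "bad signature"
    # Authorization: the authenticated sender must be allowed this operation.
    if message["operation"] not in SENDER_ACCESS[sender]:
        return False, "not authorized"
    return True, "ok"
```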
After selecting which of these concepts you'll need, it's time to choose the security technology that best fits your requirements.
The following are some links to examples of such technology that can be applied to different architecture layers.
Transport Layer:
- WS-Security Framework
- HTTP Basic Authentication
- SAML – Security Assertion Markup Language