SOA Security

Many companies that start walking on the SOA road, end up stumbling upon Security requirements related to the use of the enterprise webservices.

So before choosing security solutions/tecnologies the first 2 things you must ask yourlself are:

  1. What  is critical to buisness and need to be protected?
  2. If i was a bad guy what would i try to exploit and get advantage or create problems for the enteprise?

Probably the awsers to these questions will drive you to choose which of the security concepts you will use on your solution.

Here are the default security concepts you probably will have to address:

Identification : Who receives the message should have a way to identify who sent it

Autentication : Who receives the message needs to check that the sender´s identity  is valid

Authorization: Who receives the message need to know what´s the sender´s acess level.  This can be related with which operations and data are being will be acessable to the sender.

Integrity: The message remains the same during the transmission and arrival to the recipient.

Confidentiality: The message content can not be seen while is being transmitted, with excteption of authorized service.

After selecting which of these concepts you’ll need, its time to choose the best security tecnology that fit your requirements.

The following are some links to examples of such tecnology that can be applied to different architecture layers.

Transport Layer:

  • SSL – Secure Socket Layer
  • TLS – Transport Layer Security
Application layer:
Data layer:
On the next post I will deeply discuss some of these solutions.
Http Request
Get /taas/autor/carlosfilho HTTP/1.1
Http Response
HTTP/1.1 410 Gone