A recent white paper by Marc Chanliau, Oracle Fusion Middleware Product Management, on Web Services Security is now available on OTN. The "What is required to secure SOA" white paper gives a clear overview of the security requirements for services and how these requirements, with corresponding ‘standards’, have evolved.
In his paper, Marc discusses transport layer as well as application layer security for services. He also outlines the role of the many security-related standards, technologies and tools out there. The approach taken shows how and where they complement or overlap. Such topics include:
- Confidentiality, Integrity, Authenticity: XML Encryption, XML Signature.
- Message-Level Security: WS-Security.
- Secure Message Delivery: WS-Addressing, WS-ReliableMessaging.
- Metadata: WS-Policy, WS-SecurityPolicy.
- Trust Management: SAML, WS-Trust, WS-SecureConversation, WS-Federation.
- Public Key Infrastructure: PKCS, PKIX, XKMS.
Every web services developer should have an understanding of these concepts. I highly recommend this document as a basic primer in web services security.