Mastering Web Services Security


Web Services are a promising solution to an age-old need: fast and flexible information sharing among people and businesses. Web Services enable access to data that has previously been locked within corporate networks and accessible only by using specialized software. Along with the benefits of Web Services comes a serious risk: sensitive and private data can be exposed to people who are not supposed to see it. Web Services will never attain their tremendous potential unless we learn how to manage the associated risks.

Web Services represent the next phase of distributed computing, building on the shoulders of the previous distributed models. Widespread distributed computing started with the Transmission Control Protocol/Internet Protocol (TCP/IP). Using TCP/IP directly to build distributed products was hard work for application programmers, who just wanted to build business applications. To ease the burden of distributed programming, the computer industry developed the Distributed Computing Environment (DCE), based on the client/server computing paradigm, followed by the Common Object Request Broker Architecture (CORBA). About the same time, Microsoft introduced the Component Object Model (COM), followed by Distributed COM (DCOM), which used DCE technology as a base, and then COM+. Sun, building on its Java language, introduced the Java 2 Platform, Enterprise Edition (J2EE), with its popular Enterprise JavaBeans (EJBs), using many concepts and research ideas from the previous technologies. Each step made distributed computing easier, but each technology still lived, for the most part, in its own world, making interoperability between the different middleware technologies difficult.

Now Web Services have burst onto the scene. There are two major Web Services goals—to make distributed computing easier for the business programmer and to enhance interoperability between platforms.

These goals are aided by:

■■ Loose coupling between the requesting program and the service provider
■■ The use of Extensible Markup Language (XML), which is platform and language neutral

Hopefully, all the positive lessons that we learned from the previous distributed models will be incorporated into the Web Services model.