In a web-services-driven service oriented architecture (SOA), security plays a major role. This chapter points out the most significant security scenarios and explains security in the context of SOA. By now you understand that web-services-based SOAs are completely document oriented: the messages passed over the wire are text (XML) documents, and therefore human readable. The interesting point about web services is that the very property that makes them document oriented is an advantage for interoperability and a disadvantage for security: any party that can see the wire can read, and potentially alter, the message.
Since SOAs are mostly deployed in large enterprises and e-government, concerns such as information security and privacy are fundamental. Traditional network-level security mechanisms alone are insufficient here, and a mechanism that protects the documents themselves as they travel across the network, ensuring confidentiality and integrity, was needed. This is where standards such as WS-Security (WSS), WS-Policy and WS-Trust came into being.
To clarify, the following diagram shows traditional client-server communication, typically a web server and a browser. In this scenario the data exchange is limited to the client and the server, so securing the communication channel between these two endpoints is enough, and we can comfortably rely on HTTPS (SSL/TLS) transport encryption.
Figure 1: Traditional Network Level Security
In an SOA this is not the case. Communications are not isolated; the system is highly distributed. Even though the client sees a process delivered from a single access point, the requests and responses may travel through many servers and data centres, possibly geographically separated. In that case securing only the link between the originating point and the first destination achieves little.
To make this clearer, let's assume we need to apply for or renew a passport via an e-government portal. The scenario is as below.
Figure 2: Passport Service
According to the sequence, the user accesses the government portal and applies for a new or renewed passport. The user's data is validated (S1); if valid, the user is prompted for payment (S2); finally the passport registration is completed and the user is given a receipt/invoice number (S3). Assuming, as is most likely, that these services are operated by different entities, the client's messages travel across each of them. This is where message-level security matters. Even though the client's connection to the portal is secured with SSL/TLS, that protection ends at the first entry point: each subsequent hop terminates the transport session, and an intermediary such as an ESB (explained in detail in a coming article) sees and re-sends the message in the clear. Hence, when calling each service via the ESB, the messages themselves must be protected so that security is end-to-end.
Figure 3: Scenario at deployment
The above diagram shows the same scenario from a deployment perspective. It makes the distributed nature of the architecture clear, and with it why security is such an important aspect.
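As an added example (not code from the original article), the following Python script sketches the passport scenario above: the portal signs the SOAP Body, two constructed ESB hops each terminate transport security, parse the envelope, add a Via routing header and forward it, and only the final passport service verifies. The namespaces are the standard SOAP 1.1 and WS-Security 1.0 ones; the layout of the Signature element, the HMAC-SHA256 stand-in for XML Signature, the whitespace-normalisation stand-in for XML C14N, the hop names, the key and the request payload are all assumptions made for illustration.

```python
"""Message-level integrity that survives intermediaries (constructed example).

Transport security (TLS) protects one hop and terminates at each ESB or
gateway, which parses the SOAP envelope, adds routing headers and forwards it
in the clear.  Here the Body is signed at the originating portal and verified
only at the final service, so anything a hop changes in the Body is detected.
The signature is an HMAC-SHA256 over a whitespace-normalised serialisation of
the Body, carried in a wsse:Security header.  Real WS-Security uses XML
Signature with XML C14N and, for non-repudiation, an asymmetric key; HMAC is
a stand-in so the example runs with the standard library alone.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

# Constructed: a key shared by the portal and the passport service only.
PORTAL_KEY = b"shared-key-between-portal-and-passport-service"

# Constructed request payload for the passport scenario.
REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
    '<ApplyForPassport><Applicant>Jane Doe</Applicant>'
    '<Amount currency="USD">110.00</Amount></ApplyForPassport>'
    '</soapenv:Body></soapenv:Envelope>' % SOAP_NS
).encode()


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def canonical_body(envelope):
    """Serialise the Body with whitespace-only text nodes dropped.

    Stands in for XML C14N: every hop re-serialises the envelope, so the
    digest must be computed over a form that survives parse/serialise."""
    body = copy.deepcopy(envelope.find(tag(SOAP_NS, "Body")))
    for el in body.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(body, encoding="utf-8")


def sign_envelope(xml_bytes, key):
    """Portal side: add a wsse:Security header carrying a MAC over the Body."""
    env = ET.fromstring(xml_bytes)
    header = env.find(tag(SOAP_NS, "Header"))
    if header is None:
        header = ET.Element(tag(SOAP_NS, "Header"))
        env.insert(0, header)
    mac = hmac.new(key, canonical_body(env), hashlib.sha256).digest()
    sec = ET.SubElement(header, tag(WSSE_NS, "Security"))
    ET.SubElement(sec, "Signature").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="utf-8")


def verify_envelope(xml_bytes, key):
    """Final service: recompute the MAC over the Body and compare in constant time."""
    env = ET.fromstring(xml_bytes)
    sig = env.find("%s/%s/Signature" % (tag(SOAP_NS, "Header"), tag(WSSE_NS, "Security")))
    if sig is None or not sig.text:
        return False  # unsigned message: reject rather than trust the transport
    expected = hmac.new(key, canonical_body(env), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig.text), expected)


def esb_hop(xml_bytes, hop_name, tamper_amount=None):
    """One intermediary.  TLS terminates here, so the hop sees the plaintext
    envelope and re-serialises it.  It adds a Via header (legitimate routing
    metadata) and, if asked, rewrites the payment amount (tampering)."""
    env = ET.fromstring(xml_bytes)
    header = env.find(tag(SOAP_NS, "Header"))
    if header is None:
        header = ET.Element(tag(SOAP_NS, "Header"))
        env.insert(0, header)
    ET.SubElement(header, "Via").text = hop_name
    if tamper_amount is not None:
        env.find(".//Amount").text = tamper_amount
    return ET.tostring(env, encoding="utf-8")


def deliver(xml_bytes, key, hops, tamper_at=None):
    """Sign at the portal, route through the hops, verify at the final service.
    Returns (signature_valid, amount_as_seen_by_final_service)."""
    msg = sign_envelope(xml_bytes, key)
    for hop in hops:
        msg = esb_hop(msg, hop, "1.00" if hop == tamper_at else None)
    amount = ET.fromstring(msg).find(".//Amount").text
    return verify_envelope(msg, key), amount


if __name__ == "__main__":
    hops = ["validation-esb", "payment-esb"]
    print(deliver(REQUEST, PORTAL_KEY, hops))                         # (True, '110.00')
    print(deliver(REQUEST, PORTAL_KEY, hops, tamper_at="payment-esb"))  # (False, '1.00')
```

Note that the honest hops still modify the envelope (they add Via headers) and the signature remains valid, because only the Body is covered; a hop that alters the payment amount is caught at the passport service even though every individual TLS link along the way was intact. Signing does not stop the hops from reading the applicant's data, which is why WS-Security pairs XML Signature with XML Encryption of the Body for confidentiality.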
With that overall picture in place, the following elements must be carefully considered when applying security to a service oriented distributed system.
- Identification - The party accessing the resource is able to identify itself to the system.
- Authentication - The procedure to verify the identity of the accessing party.
- Authorization - The set of transactions the authenticated party is allowed to perform.
- Integrity - The assurance that information is not changed on its way.
- Confidentiality - The assurance that no third party is able to read the information in transit.
- Auditing - All transactions can be recorded.
- Non-repudiation - Both parties are able to provide legal proof to a third party that the sender did send the information and the receiver received the identical information.
In our next article we will be looking at how these security aspects are ensured.