Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

Web Services are gaining industry-wide acceptance because they can solve IT problems using standards and standards-based technologies. They deliver a promising solution that allows IT services to be interoperable and to integrate using XML-based messages and industry-standard protocols. With the involvement of leading industry vendors in XML Web-services standards initiatives, there is a growing list of standards and specifications for developing and deploying Web services. Web services form the basis for standards-based infrastructure, communication, and application development in the industry today. The security of Web services is the biggest concern today as the industry faces a continually growing list of requirements and challenges.

In this chapter, we began with a discussion about Web services' architectural concepts, building blocks, core security challenges and requirements, and standards and specifications. We looked at both the high-level and in-depth technical details of the key Web-services security specifications and standards that contribute to the end-to-end security of a Web-services infrastructure. In particular, we looked at the following:

  • Web services architecture and its building blocks

  • Web services threats and vulnerabilities

  • Web services security requirements

  • Web services security standards

  • XML signature (XML DSIG)

  • XML encryption (XML ENC)

  • XML key management services (XKMS)

  • OASIS Web services security (WS-Security)

  • WS-I Basic Security profile

We discussed the critical security factors and considerations that need to be addressed with regard to the implementation of Web services. We also briefly looked at the Java-based Web-services infrastructure providers that offer solutions in compliance with Web-services standards and specifications.

In the next chapter, we will explore the identity architecture and its technologies.
