Since the emergence of computer networks in the late 1960s, and especially since the introduction of Internet technologies in the mid 1990s, electronic information, communication processes and business have been transformed. Internet technologies also provided the environment for implementing distributed applications for businesses, not only for publishing information but also for improving their communication with customers, distributors, suppliers and partners. Web Services are one of the most promising Internet technologies for developing distributed applications.
In the era of Internet computing, the World Wide Web has played an important role in the development of Internet technology, and the development of Web Services technology allowed computers to communicate machine to machine, or program to program. Web Services help connect all sorts of computer applications to each other, which brings great benefits to their users. In Web Services, information is exchanged in the same way that humans communicate with each other and gather information. Web Services provide the basic interoperability that is greatly needed in a world where computer services and digital information exist in many different forms and flavours.
("Introduction to Web services." Library Technology Reports 42.3 (2006): 5+. Academic OneFile. Web. 22 Dec. 2009. <http://find.galegroup.com/gps/start.do?prodId=IPS&userGroupName=mmucal5>.)
As a general description, Web Services offer a new and growing standard for building distributed network applications. Web Services are offered via the Internet and use the standardised Extensible Markup Language (XML). Web Services are simple standards that work independently of communication platforms, systems and any programming language or operating system. Web Services can be accessed from different devices, networks or operating systems (Bell et al. 2007).
The W3C describes a Web service as “a software system designed to support interoperable machine-to-machine interaction over a network”.
Bell, D., Cesare, S., Iacovelli, N., Lycett, M. and Merico, A. ‘A framework for deriving semantic Web Services', Information Systems Frontiers 9, 1 (Mar. 2007)
Web Services are programmable applications that can be created using standard Internet protocols. Web Services can expose web functionality to different websites without the caller needing any knowledge of the service's implementation, combining the best characteristics of the Web and component-based development (San Diego Media).
Web Services are establishing their importance as a mechanism for efficient development and integration in Web technology. When implementing Web Services for individual business networks, it is important to extend the scope of services beyond the limit of the firewall. Individuals can offer services to business partners, customers and subscribers, which allows service users to become integral parts of the service provider's organisation.
(An introduction to Web Services Gateway http://www.ibm.com/developerworks/webservices/library/ws-gateway/ 31/12/09 01:14)
Nowadays Web Services technology operates in almost any current IT environment. Here are some defining characteristics of Web Services:
* Accessibility over the Web. Web Services use language-neutral and platform-independent web communication protocols, which ensure easy integration of various environments.
* Web Services provide an interface. A Web Service interface can be used by other web applications; this programming interface can be invoked from any client or service of other applications. The Web Service interface sits between the actual application and the Web and exposes the logic that implements the service.
* A registered Web Service can be located through a Web Service registry, which allows consumers to find the services they require.
* Web Services support loosely coupled links between connected systems. Web Services communicate with each other by sending messages. Adding an abstraction layer to the environment makes the connection between Web Services adaptable and flexible.
(Introduction to web services, San Diego Media, http://www.sandiegomedia.com/webservices-intro, 30/12/09 18:21)
History of Web Services
In the 1990s the development of the World Wide Web (WWW) showed how the communications and Information Technology industries could work together to establish a common framework by defining fundamental protocols such as HTTP and TCP. It was, however, the invention of XML that let developers establish Web Services.
A Web Service is a service that allows applications to communicate with other applications over a network using a set of technologies. There are certain objectives that have to be met in order to run Web Services:
• Platform agnostic. The Web Services infrastructure must be supported by vendors so that they all meet the same specifications.
• Language agnostic. A Web Service written in one language must support the specifications in the same way as Web Services written in other languages.
• Free from restrictive Intellectual Property Rights (IPR) terms. The developers of Web Service technologies have to have widespread adoption as their main goal.
As a widely known, platform-independent standard for data description, XML was a logical base for service-to-service communication. XML became a standard in 1998 when the W3C declared that XML 1.0 had reached draft recommendation status.
The next step after developing the basic protocols of XML was agreement on a specification for a standardised message passing protocol. Microsoft developed the Simple Object Access Protocol (SOAP). SOAP was platform agnostic, general purpose and flexible. In March 2000 IBM backed SOAP and started working with Microsoft on SOAP 1.1, and in the following months of 2000 SOAP gained wider acceptance.
At the same time Microsoft and IBM were working on a technique to describe programmatically how to connect to a Web Service. A protocol proposal emerged after some discussion between Microsoft and IBM: Microsoft offered both SOAP Contract Language and Service Description Language, while IBM contributed Network Accessible Service Specification Language. The Web Services Description Language (WSDL) was introduced in late 2000.
Using WSDL and SOAP, companies could create and describe their Web Services. In March 2000 Microsoft, IBM and Ariba started work on a meaningful solution for discovering Web Services, and the Universal Description, Discovery and Integration (UDDI) version 1.0 specification was introduced in September 2000.
With the arrival of UDDI, SOAP and WSDL, the standards for creating Web Services were in place by the end of 2000. The main IT software companies announced their commitment to Web Services: Microsoft, IBM, Oracle, Sun, HP and BEA confirmed their intention to support and deploy the Web Services standards in their products.
(An introduction to Web Services, Paul Muschamp, BT Technology Journal, Vol 22 No 1, January 2004)
Web services and businesses
Development in Web Services is proceeding in small steps, driven by the essential requirements of enterprise and trans-enterprise computing to enhance performance, reliability, flexibility and connectivity. For businesses, Web Services are an easily available way to implement services, combined with the cost-driven need for efficiency in Information Technology development. Web Services help organisations to connect with each other and allow them to communicate better.
Web Services can be implemented without disturbing an organisation's entire infrastructure; however, the full set of tools for enhancing an organisation's already developed systems is not there yet. It is better for businesses to build their own Web Services and roll out viable services and applications.
(http://www.crm2day.com/content/t6_librarynews_1.php?id=EpuuVkulVuulTTrQJz 25/12/09 22:36)
Underlying structure of web services
Since the Web services approach is centred on the notion of “service”, one of the first issues to be addressed by its technology is what exactly a service is and how it can be described. Service description in conventional middleware is based on interfaces and interface definition languages. In that context, IDL specifications are needed to automatically generate stubs and to constitute the basis for dynamic binding. The semantics of the different operations, the order in which they should be invoked and other (possibly non-functional) properties of the services are assumed to be known in advance by the programmer developing the clients. This is reasonable, since clients and services are often developed by the same team. In addition, a conventional middleware platform defines and constrains many aspects of the service description and binding process; these aspects are therefore implicit and do not need to be specified as part of the service description. In Web services and B2B interactions, such implicit context is missing. Therefore, service descriptions must be richer and more detailed, covering aspects beyond the mere service interface.
• Common base language. The first problem to be addressed is the definition of a common language that can be used as the basis for specifying all the languages necessary to describe the different aspects of a service. XML is used for this purpose, both because it is a widely adopted and commonly accepted standard and because it has a syntax flexible enough to enable the definition of service description languages and protocols.
• Interfaces. Interface definition languages are at the base of any service-oriented paradigm. In Web services, interface definitions resemble CORBA-like IDLs, although there are a few differences between the two. The availability of different interaction modes in the interface definition language and the XML schema-driven type system are two of them. In addition, since Web Services lack an implicit context, their description needs to be more complete. For example, it is necessary to specify the address (URI) of the service and the transport protocol (e.g., HTTP) to use when invoking the service. With this information, it is possible to construct a client that invokes the operations offered by a Web service. The dominant proposal for IDLs in this area is the Web Services Description Language (WSDL).
• Business protocols. A Web service often offers a number of operations that clients must invoke in a certain order to achieve their goals. In the procurement example, the customer will have to first request a quote, then order the goods, and finally make a payment. Such exchanges between clients and Web services are called conversations. Service providers typically want to impose rules that govern the conversation, stating which conversations are valid and understood by the service. This set of rules is specified as part of the so-called business protocol supported by the service. Business protocols are examples of why a simple interface description is not enough in Web services. In fact, to completely describe a service, it is necessary to specify not only its interface but also the business protocols that the service supports. In this regard, there are several proposals to standardise the languages for defining business protocols (as opposed to standardising the protocols themselves, discussed next). Examples are the Web Services Conversation Language (WSCL) and the Business Process Execution Language for Web Services (BPEL). This is nevertheless a rather immature area in terms of standardisation at the time of writing.
• Properties and semantics. Most conventional middleware platforms do not include anything but functional interfaces in the description of a service. Again, this is because the system context allows designers to infer other information needed to bind to a service, and because services are tightly coupled. Web services provide additional layers of information to facilitate binding in autonomous and loosely-coupled settings, where the service description is all that clients have at their disposal to decide whether to use a service or not. For instance, this may include non-functional properties such as the cost or quality of a service, or a textual description of the service such as the return policy when making a purchase. This is information that is crucial for using the service but is not part of what we traditionally understand as the interface of the service. In Web services, such information can be attached to the description of a service by using the Universal Description Discovery and Integration (UDDI) specification. UDDI describes how to organize the information about a Web service and how to build repositories where such information can be registered and queried.
• Verticals. All the layers explained so far are generic. They standardise neither the contents of the services nor their semantics, for example the meaning of a certain parameter or the effect of a certain operation. Vertical standards define specific interfaces, protocols, properties and semantics that services offered in certain application domains should support. These vertical standards complement the previous layers by tailoring them to concrete applications, further facilitating the use of standard tools for driving the exchanges. Specifically, they enable the development of client applications that can interact in a meaningful manner with any Web service that is compliant with a certain vertical standard.
(Web Services – Concepts, Architectures and Applications, Gustavo Alonso, Fabio Casati, Harumi Kuno, Vijay Machiraju, Springer Verlag, ISBN 3-540-44008-9, Copyright Springer Verlag Berlin Heidelberg 2004)
Web Services Technologies
Web Services are an integration technology recommended by most organisations; they are developed by encoding and decoding XML data. SOAP allows messages to be transferred between applications using open protocols. Other technologies used to build Web Services include HTTP, Service-Oriented Architecture (SOA), Universal Description, Discovery and Integration (UDDI) and the Web Services Description Language (WSDL). These technologies are described below.
HTTP (HyperText Transfer Protocol) is the protocol mostly used by the World Wide Web. HTTP defines how messages are formatted and transmitted. Web servers and browsers use HTTP to run various commands.
A disadvantage of HTTP is that it is a stateless protocol: each command is executed independently, without knowledge of any command that ran before the current one. This problem has been addressed by technologies such as cookies, Java, JavaScript and ActiveX.
(http://www.roseindia.net/webservices/Web-Services-technology.shtml 13/01/10 00:47)
Extensible Markup Language (XML) is a language that contains the fundamental building blocks for moving data in Web Services. The XML platform is becoming the standard setup for Web Services; its main focus is communication for application integration. Multiple XML Web Services from various sources are implemented in most applications.
Various definitions of XML Web Services are given here; however, almost all definitions are similar to each other:
* XML Web Services provide valuable functionality to Internet consumers using standard Web protocols. The SOAP protocol is used by most services.
* The interface provides enough information for clients of an XML Web Service to build a user-friendly application. This description of an XML Web Service is known as a WSDL (Web Services Description Language) document.
* XML Web Services can be found easily by potential users because the services are registered; this is done using UDDI (Universal Description, Discovery and Integration).
Wolter (2001) defines a key advantage of XML Web Services as follows: “One of the primary advantages of the XML Web services architecture is that it allows programs written in different languages on different platforms to communicate with each other in a standards-based way”. XML Web Services have an advantage over previous efforts in using the standard protocols XML, HTTP and TCP/IP. Many organisations have implemented Web Services, and the cost of maintaining the services is less than in the earlier period of Web Services technologies.
Using XML Web Services, information sources such as weather forecasts, maps, stock quotes, sports scores, postal addresses, etc. can be integrated into applications. It is easy to envisage a whole class of client applications that analyse and aggregate such information. Clients can keep information up to date at all times in many different ways by using XML Web Services, e.g. an XML Web Service used from a Microsoft Excel spreadsheet that provides a complete picture of financial stocks, loans, mortgages, bank accounts, insurance, etc. The information can be updated from Microsoft Excel instead of updating a whole Web application. Most of this information can be updated free of cost, although for some parts clients might have to subscribe to the functions that update the information; the programs implemented as XML Web Services are more reliable and easier for their clients to use.
(XML Web Services Basics Roger Wolter http://msdn.microsoft.com/en-us/library/ms996507.aspx 27/12/09 03:21)
SOA (Service-Oriented Architecture) is a blueprint for developing Web applications based on application front-ends, services and a service bus; the applications used in SOA are technology independent. An SOA service is an element of a software implementation that presents business logic and information. An SOA service states the functions it offers, its usage and its constraints for clients. The SOA interface is user friendly. Allison (2007) describes application front-ends as follows: “Application front-ends initiate a business process and receive the results. They can be a GUI (graphical user interface) such as a Web application, a client that interacts directly with end users, or even batch programs. The service repository stores the service contracts of the individual services of an SOA and the service bus interconnects the application front-ends and services”.
(Service-oriented Architecture and Web Services, March 2007, Melanie A. Allison, Chief Technology Officer, CalRHIO)
An SOA framework offers organisations an integrated system that creates and manages their IT assets through a business model and simplifies applications. Some of the benefits to organisations are described below:
* Productivity and flexibility: SOA has the ability to build on existing systems and applications, which increases the profit and productivity of the business. SOA furthermore allows new applications to facilitate the development of cross-functional capability, and it lets applications interoperate regardless of development language and underlying platform.
* Cost-effectiveness and speed: Service designs are standardised and can be used in multiple applications, so an existing service can be reused in a new business process and also combined into higher-level services. This decreases the cost and increases the speed of business development.
* Manageability and security: SOA protects existing applications because it enables clients to access a service but does not allow them to access the applications that run behind that service. SOA provides excellent security for applications and uses a strong model of authorisation and authentication.
Web Services are the most dominant way of realising SOA in web applications. Web Services establish a strategy for implementing SOA, while SOA provides the principles.
(Service-Oriented Architecture (SOA), Abhishek Agrawal, Director - Business Development, Rightway Solution (India) Pvt. Ltd., www.rightwaysolution.com, March 2009)
SOAP (Simple Object Access Protocol) is a fundamental messaging service that sends and receives XML messages between Web Services and clients. The W3C defines SOAP as “a lightweight protocol for exchange of information in a decentralized, distributed environment.” SOAP provides a standard language for bringing together applications and services. A client sends a “SOAP request” to a Web Service, and the Web Service replies to the request; the reply is called the “SOAP response”. SOAP is mainly used with HTTP, but it can also be used with other protocols (Daconta et al. 2003).
(The Semantic Web: A Guide to the Future of XML, Web Services, and Knowledge Management, Michael C. Daconta, Leo J. Obrst, Kevin T. Smith, 2003)
A SOAP message has three parts:
• The SOAP envelope, which wraps the message.
• A description of how the data is encoded.
• The SOAP body (the actual message sent to the application).
SOAP wraps a method call in a message and posts it over HTTP to the server; the server then parses the XML request for the method name and its parameters and passes them on for processing. In return, an XML response is sent to the client with the result of the method call, either as a return value or as a fault value. To make use of the return value, the client parses the XML response (Moore, 2001).
(An introduction to the Simple Object Access Protocol (SOAP))
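The request/response exchange described above, as an added example that is not code from the cited IBM article or the essay: a client wraps a method call in a SOAP 1.1 envelope, and the same module parses the XML that comes back, distinguishing a return value from a SOAP Fault. The GetQuote operation, the urn:example:quotes namespace and the two sample messages are constructed for this demonstration; the SOAP envelope namespace is the real SOAP 1.1 one.

```python
"""Added example: build a SOAP 1.1 request envelope and parse a response,
telling a normal return value from a SOAP Fault. GetQuote and
urn:example:quotes are constructed names, not a real service."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 envelope namespace
SERVICE_NS = "urn:example:quotes"                         # constructed service namespace

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("q", SERVICE_NS)


def build_request(method: str, params: dict) -> bytes:
    """Wrap a method name and its parameters in Envelope/Body, as the client posts it."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{SERVICE_NS}}}{method}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{SERVICE_NS}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_bytes: bytes) -> dict:
    """Parse a SOAP envelope. A Fault yields {'ok': False, ...}; otherwise the first
    Body child is the method element and its children are the returned values."""
    # SOAP messages never need a DOCTYPE; refusing one keeps entity expansion
    # (the classic "billion laughs" input) away from the XML parser.
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("DOCTYPE not allowed in SOAP messages")
    root = ET.fromstring(xml_bytes)
    if _local(root.tag) != "Envelope":
        raise ValueError("not a SOAP Envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("missing SOAP Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # SOAP 1.1 fault children are unqualified elements
        return {"ok": False,
                "faultcode": fault.findtext("faultcode", ""),
                "faultstring": fault.findtext("faultstring", "")}
    method = next(iter(body), None)
    if method is None:
        raise ValueError("empty SOAP Body")
    return {"ok": True,
            "method": _local(method.tag),
            "value": {_local(child.tag): (child.text or "") for child in method}}


# Constructed sample messages, shaped as a quote service might return them.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:q="urn:example:quotes">
  <soapenv:Body>
    <q:GetQuoteResponse><q:Price>12.50</q:Price></q:GetQuoteResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Client</faultcode>
      <faultstring>Unknown symbol</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(build_request("GetQuote", {"Symbol": "ACME"}).decode())
    print(parse_response(SAMPLE_RESPONSE))
    print(parse_response(SAMPLE_FAULT))
```

The request can be posted with any HTTP client; what the example adds to the description is the parsing side, where a client must check for a Fault before reading a value and should reject input (such as a DOCTYPE) that a SOAP message has no reason to carry.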
WSDL (Web Services Description Language) allows service developers to provide basic information about a service so that its clients can make use of it. WSDL is designed to work with different type systems such as RelaxNG, Java or XML Schema, and it also supports services communicating over SOAP and other protocols such as in-memory calls and RMI/IIOP. WSDL defines a service as a set of network ports, or endpoints. WSDL consists of two parts, the abstract part and the concrete part. The abstract part describes the operational behaviour of the Web Service in terms of the messages passed through it, and the concrete part describes the implementation of the Web Service (Weerawarana et al., 2005). Christensen et al. (2001) state: “A WSDL document uses the following elements in the definition of network services:
* Types: a container for data type definitions using some type system (such as XSD).
* Message: an abstract, typed definition of the data being communicated.
* Operation: an abstract description of an action supported by the service.
* Port Type: an abstract set of operations supported by one or more endpoints.
* Binding: a concrete protocol and data format specification for a particular port type.
* Port: a single endpoint defined as a combination of a binding and a network address.
* Service: a collection of related endpoints”.
WSDL describes the messages exchanged between a Web Service and its clients. The messages are first described abstractly and then bound to a concrete message format and network protocol. The provider entity and requester entity
(Web Services Description Language (WSDL) 1.1, Erik Christensen, Microsoft; Francisco Curbera, IBM Research; Greg Meredith, Microsoft; Sanjiva Weerawarana, IBM Research. W3C Note 15 March 2001, http://www.w3.org/TR/wsdl)
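To make the abstract/concrete split and the seven elements listed above tangible, here is an added example, not code from the W3C note or the essay, that reads a small WSDL 1.1 document and separates the abstract part (messages, port types, operations) from the concrete part (SOAP bindings, ports with their network addresses). The QuoteService document, its operation and the example.invalid addresses are constructed for the demonstration; the WSDL and SOAP-binding namespaces are the real WSDL 1.1 ones. The example also goes one step beyond the text with a check a client-side reviewer wants: which endpoints the document would point a client at over plain HTTP.

```python
"""Added example: summarise a WSDL 1.1 document into its abstract and concrete
parts, then flag endpoints that are not HTTPS. The sample document is constructed."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"        # real WSDL 1.1 namespace
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"   # real SOAP binding namespace
W, S = "{%s}" % WSDL_NS, "{%s}" % SOAP_NS

# Constructed sample: one port type, one SOAP binding, two ports (one HTTPS, one HTTP).
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="QuoteService" targetNamespace="urn:example:quotes"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:quotes">
  <message name="GetQuoteRequest"><part name="symbol" type="xsd:string"/></message>
  <message name="GetQuoteResponse"><part name="price" type="xsd:decimal"/></message>
  <portType name="QuotePortType">
    <operation name="GetQuote">
      <input message="tns:GetQuoteRequest"/>
      <output message="tns:GetQuoteResponse"/>
    </operation>
  </portType>
  <binding name="QuoteSoapBinding" type="tns:QuotePortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetQuote"><soap:operation soapAction="urn:example:quotes#GetQuote"/></operation>
  </binding>
  <service name="QuoteService">
    <port name="QuotePort" binding="tns:QuoteSoapBinding">
      <soap:address location="https://quotes.example.invalid/soap"/>
    </port>
    <port name="QuotePortPlain" binding="tns:QuoteSoapBinding">
      <soap:address location="http://quotes.example.invalid/soap"/>
    </port>
  </service>
</definitions>"""


def _local(qname: str) -> str:
    """'tns:GetQuoteRequest' -> 'GetQuoteRequest' (drop the namespace prefix)."""
    return qname.split(":")[-1]


def describe_wsdl(xml_bytes: bytes) -> dict:
    """Return the abstract part (messages, portTypes) and the concrete part
    (bindings, endpoints) of a WSDL 1.1 document."""
    if b"<!DOCTYPE" in xml_bytes.upper():          # a WSDL never needs a DOCTYPE
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml_bytes)
    # Abstract part: Message -> Operation -> Port Type
    messages = {m.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                                for p in m.findall(W + "part")]
                for m in root.findall(W + "message")}
    port_types = {}
    for pt in root.findall(W + "portType"):
        ops = {}
        for op in pt.findall(W + "operation"):
            inp, out = op.find(W + "input"), op.find(W + "output")
            ops[op.get("name")] = {
                "input": messages.get(_local(inp.get("message"))) if inp is not None else None,
                "output": messages.get(_local(out.get("message"))) if out is not None else None}
        port_types[pt.get("name")] = ops
    # Concrete part: Binding (protocol + data format) and Port (binding + address)
    bindings = {}
    for b in root.findall(W + "binding"):
        sb = b.find(S + "binding")
        actions = {}
        for op in b.findall(W + "operation"):
            sop = op.find(S + "operation")
            actions[op.get("name")] = sop.get("soapAction") if sop is not None else None
        bindings[b.get("name")] = {"portType": _local(b.get("type")),
                                   "transport": sb.get("transport") if sb is not None else None,
                                   "soapActions": actions}
    endpoints = []
    for svc in root.findall(W + "service"):
        for port in svc.findall(W + "port"):
            bname = _local(port.get("binding"))
            if bname not in bindings:
                raise ValueError(f"port {port.get('name')} refers to unknown binding {bname}")
            addr = port.find(S + "address")
            endpoints.append({"service": svc.get("name"), "port": port.get("name"),
                              "binding": bname,
                              "address": addr.get("location") if addr is not None else None,
                              "operations": sorted(port_types[bindings[bname]["portType"]])})
    return {"messages": messages, "portTypes": port_types,
            "bindings": bindings, "endpoints": endpoints}


def insecure_endpoints(description: dict) -> list:
    """Addresses that are not HTTPS: SOAP over plain HTTP exposes every message
    body, so these should be caught before a client is configured against them."""
    return [e["address"] for e in description["endpoints"]
            if not (e["address"] or "").lower().startswith("https://")]


if __name__ == "__main__":
    desc = describe_wsdl(SAMPLE_WSDL)
    for ep in desc["endpoints"]:
        print(ep["port"], ep["address"], ep["operations"])
    print("not HTTPS:", insecure_endpoints(desc))
```

Each dictionary key maps onto one of the seven WSDL elements: `messages` (Types and Message), `portTypes` (Port Type and Operation), `bindings` (Binding) and `endpoints` (Port and Service), which is the abstract-to-concrete layering the text describes.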
The requester entity and provider entity agree on the service description in the WSDL document, and the interaction between them is governed by its semantics. The requester entity and provider entity do not have to communicate with each other directly, but both entities must have a good understanding of the semantics and description of the service (Tsenov 2004). Some proposed methods are described below:
* The provider entity and requester entity can communicate with each other and agree on the semantics and service description.
* The service description and semantics can be defined by the provider entity, which publishes the contract, and the requester has to accept the unchanged conditions on a “take-it-or-leave-it” basis.
* A standard agreement between both entities can be defined by independent organisations.
* The requester entity can publish its requirements for the service description and semantics, and the provider entity has to match the requester's needs on a “take-it-or-leave-it” basis.
(Modeling network and web services resource using WSDL, Martin Tsenov, 2004)
UDDI (Universal Description, Discovery, and Integration) is a SOAP-based API for publishing and discovering Web services.
The publishing API allows service providers to register themselves and their services with a UDDI registry. A UDDI registry can be viewed as the yellow pages for Web Services. UDDI registry nodes replicate Web Services information among themselves so that the same information is available from any node.
The discovery API allows service consumers to search for available services. The UDDI registry provides the WSDL document that allows the consumer to use the Web Service. Searching a UDDI registry is similar to looking up domain names on the Web using the DNS architecture.
(Web Services: Building the Next Generation of E-Business Applications, Christophe Coenraets, JRun Product Marketing Manager, October 2nd 2001)
The information stored in a UDDI registry can be divided into three categories. To understand what kinds of information a UDDI registry contains, an analogy with a telephone directory is often used. The white pages are listings of organisations, their contact information and the Web Services they provide; this category allows a client to search for Web Services by business. The yellow pages classify companies and Web Services according to taxonomies; using this category of UDDI information, a client can search for Web Services in a wanted category. The green pages provide information on how to invoke Web Services; a client seeking Web Services by their invocation methods can use a UDDI registry in this manner. As used in the Web Services world, a UDDI registry is itself accessible as a Web Service and described by a WSDL document.
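The three categories of registry information, as an added example that is not code from the cited sources: a toy in-memory registry whose data model follows the UDDI nesting (a business entity owns services, each service owns binding templates that point at an access point and a technical-model key) and whose three lookups correspond to the white, yellow and green pages. The business names, taxonomy values, tModel keys and example.invalid URLs are constructed for the demonstration; a real UDDI registry exposes equivalent operations over SOAP rather than as Python calls.

```python
"""Added example: a toy UDDI-style registry with white-, yellow- and green-page
lookups over a constructed data set. Not a real UDDI implementation."""
from dataclasses import dataclass, field


@dataclass
class BindingTemplate:
    """Green pages: how a service is invoked."""
    access_point: str        # URL the client calls
    tmodel_key: str          # key of the technical model (e.g. a WSDL-backed interface)


@dataclass
class BusinessService:
    name: str
    bindings: list = field(default_factory=list)


@dataclass
class BusinessEntity:
    """White pages: who the provider is, plus yellow-page categories."""
    name: str
    contact: str
    categories: dict = field(default_factory=dict)   # taxonomy -> value
    services: list = field(default_factory=list)


class Registry:
    def __init__(self):
        self._entities = []

    def publish(self, entity: BusinessEntity) -> None:
        """Publishing API: a provider registers itself and its services."""
        self._entities.append(entity)

    def find_business(self, name_prefix: str) -> list:
        """White pages: businesses whose name starts with the given text."""
        return [e.name for e in self._entities
                if e.name.lower().startswith(name_prefix.lower())]

    def find_by_category(self, taxonomy: str, value: str) -> list:
        """Yellow pages: businesses classified under a taxonomy value."""
        return [e.name for e in self._entities if e.categories.get(taxonomy) == value]

    def get_binding_detail(self, service_name: str) -> list:
        """Green pages: (access point, tModel key) pairs for every service of that name."""
        return [(b.access_point, b.tmodel_key)
                for e in self._entities
                for s in e.services if s.name == service_name
                for b in s.bindings]


def sample_registry() -> Registry:
    """Constructed data set with two providers, one of them offering two services."""
    reg = Registry()
    reg.publish(BusinessEntity(
        name="Acme Quotes", contact="ops@acme.example.invalid",
        categories={"naics": "523110"},   # constructed taxonomy value
        services=[BusinessService("QuoteService", [
            BindingTemplate("https://quotes.acme.example.invalid/soap", "uddi:example:quote-wsdl")])]))
    reg.publish(BusinessEntity(
        name="Northwind Shipping", contact="api@northwind.example.invalid",
        categories={"naics": "484110"},
        services=[BusinessService("TrackingService", [
            BindingTemplate("https://track.northwind.example.invalid/soap", "uddi:example:track-wsdl")]),
                  BusinessService("QuoteService", [
            BindingTemplate("https://rates.northwind.example.invalid/soap", "uddi:example:rate-wsdl")])]))
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    print(reg.find_business("acme"))
    print(reg.find_by_category("naics", "484110"))
    print(reg.get_binding_detail("QuoteService"))
```

The point of the green-page lookup is that a consumer never needs to know the provider's address in advance: it resolves a service name to access points and then fetches the referenced technical model to learn how to call it.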
Use of Web Services
Software vendors are building support for Web Services into platforms, languages and tools. Web Services enable any-to-any integration, supporting any programming language, any runtime platform and any network transport. Technologies such as SOAP and WSDL are simpler to use than traditional integration middleware technologies, and they offer much more flexibility. When combined with domain-specific industry standards, Web Services enable unprecedented dynamic interaction. Web Services can be used in many types of applications. One thing that is particularly useful about Web Services is that any Web Services client environment can talk to any Web Services server environment. Some of the companies that use Web Services are:
JPMorgan uses Web services to connect Excel spreadsheets to UNIX-based financial data. JPMorgan operates the global wholesale businesses for J.P. Morgan Chase. JPMorgan is a leader in investment banking, asset management, private equity, custody and transaction services, middle market financial services, and e-finance. The firm has financial analysts in more than 50 countries around the world. These analysts needed a way to upload and download financial, forecast, and other relevant data used in their spreadsheets to and from various legacy application systems.
Knowing that it's difficult to find a single-vendor solution that would allow it to connect Excel with various UNIX-based systems, JPMorgan decided to use Web services. Web services permit the firm to use the right tool for each side of the equation. JPMorgan created a set of Web services using Systinet's Web Applications and Services Platform (WASP) to enable easy access to the legacy applications. Now the financial analysts can access these services from Excel using Visual Basic for Applications (VBA) macros and the Microsoft SOAP Toolkit.
Con-Way Transportation Services uses Web services to support electronic exchange of shipping data with its customers and business partners. Con-Way is a $2 billion transportation company based in Ann Arbor, Michigan. More than two-thirds of its customers are small to medium-sized businesses. Con-Way wanted to provide these customers with a mechanism that would support tight integration with Con-Way's transportation systems. The challenge was that these customers use a variety of transportation applications on a variety of deployment platforms. Con-Way realized that it didn't have the option of asking these customers to install a proprietary API with limited deployment options to support integrated Con-Way business transactions. Instead Con-Way developed a set of Web APIs using IBM WebSphere. These APIs support invoicing, bill of lading, order pickup, and sales management services. Customers can interface with these services through the Con-Way Web site or use the Web APIs to connect directly from their corporate application systems. The Web APIs support any type of client application-in-house applications as well as packaged applications.
Wachovia uses Web services to support both browser-based clients and rich desktop clients for Einstein, its customer information system. Wachovia is a leading provider of financial services, with nine million U.S. customer households. Einstein is a GUI application that gives bank staff complete information about a customer, aggregating information from multiple backend systems. Some bank staff use a browser to access Einstein. Others require a richer desktop interface.
As shown in , Einstein was developed as a multitier Web service application. The backend business functions and data sources are legacy applications implemented in CICS and DB2 on the mainframe. The middle tier, which accesses and aggregates the customer information, is implemented as a set of J2EE Web services using IBM WebSphere. The client environments are implemented using Microsoft .NET. The browser client is implemented using Microsoft .NET Web Forms, and the desktop client is implemented using Microsoft .NET Win Forms. Einstein's architecture also allows Wachovia to implement other types of client interfaces to support IVR systems, wireless handsets, two-way pagers, and other devices.
Einstein supports browser and rich desktop clients, allowing Wachovia to support other devices if needed. Written using .NET, Einstein aggregates information from numerous CICS-based backend systems via Web services implemented using WebSphere.
Amazon Web Services
Amazon Web Services (AWS) is an Amazon service that provides direct access to Amazon's technology platforms. With AWS, users can create websites, applications or tools based on the solid and reliable Amazon platform.
The Amazon.co.uk Associate area of Amazon Web Services is called Amazon E-Commerce Services (ECS). With ECS, Amazon.co.uk Associates can access Amazon.co.uk product information and the functions of the Amazon.co.uk website at no cost and in real time.
ECS enables Amazon.co.uk Associates to access the catalogue information for Amazon.co.uk via an interface. This information includes:
* Title, author, artist, actor, etc.
* Cover (various sizes)
* Latest price (Amazon and Marketplace prices)
* Reviews and customer reviews
ECS enables Amazon.co.uk Associates to access the functions of the Amazon website, such as:
* Amazon Remote Shopping Cart on client's website
* List of similar items to the item requested
* List of accessories to the item requested
* Amazon ordering process on the client's website with the client's personal touches (Co-Branded Order Pipeline)
As website owners, clients can integrate the functions and content of Amazon.co.uk seamlessly into their own website. Clients can update their website with the latest information about Amazon products, sell Amazon products on their website and create customised links and dynamic advertisements.
Many of the more than 180,000 AWS developers use Amazon Web Services to develop efficient and productive applications for other Amazon customers, retailers, Associates and website owners.
PayPal enables any individual or business to pay and get paid online safely and easily from around the world. If a customer wants to make a payment on a business website but is not comfortable giving out card details for security reasons, integrating PayPal into that website lets the payment be made more securely and to the customer's satisfaction.
PayPal is a Web Service used to send, accept or refund money over the internet without the business itself handling the details of credit and debit card verification. Any business website can add this service to its web pages by calling PayPal's XML-based APIs. The only requirement is that the customer opens an account on the PayPal website, which is done only once; after that, payments can be sent and received using just an email address with any website that uses the PayPal Web Service. The entire payment authentication is handled by PayPal.
Normally, users buy and sell items using the eBay online interface, interacting with eBay directly. The eBay API, however, communicates directly with the eBay database in XML format. By using the API, applications can provide a custom interface, functionality and specialised operations not otherwise afforded by the eBay interface.
Using the API, users can create programs that:
* Submit items for listing on eBay
* Get the current list of eBay categories
* View information about items listed on eBay
* Get high bidder information for items you are selling
* Retrieve lists of items a particular user is currently selling through eBay
* Retrieve lists of items a particular user has bid on
* Display eBay listings on other sites
* Leave feedback about other users at the conclusion of a commerce transaction
Because the API is not dependent on the eBay user interface, it allows users to create stable, custom functionality and interfaces that best meet their business needs.
For instance, users can automate the process of listing and monitoring auctions. There is no need to parse eBay pages that change frequently and break applications. A seller has access to more tools they can use to sell better and faster.
Users can also extract user information from eBay and automate the end-of-auction management process and delivery for eBay sellers and buyers.
After joining the Developers Program, users will have access to the Developer Zone, a password-protected Web site for members only. The Developer Zone is the primary source for technical documentation and specifications, DTD files that define the XML input and output for the API, tools for creating and certifying your application and a full suite of additional technical resources.
Security
Companies worldwide are deploying Web Services over internet protocols, and they face a number of different threats to those Web Services: threats to the host system, to the application itself and to the whole network infrastructure. Securing Web Services requires an XML-based security system that meets a set of security requirements. These requirements for Web Services applications include authorization, authentication, distributed security policy enforcement, access control and message-layer security.
(eTrust™ TransactionMinder®: Securing Web Services. Computer Associates white paper, March 2005.)
XML Web Services enable applications to communicate more effectively without having to work out the underlying mechanics of the communication. However, Web Services standards do not completely address security for XML Web Services. The use of XML and Web Services can pose serious risk if security is not properly addressed from the beginning. Current security schemes must be updated to handle the new class of communications that Web Services enable. Current technologies can be used to secure tightly controlled Web Service networks, but they do not scale to mission-critical environments.
The use of Web Services can create serious security risk if security is not built in from the beginning. Web Services expose a number of risks that network firewalls alone do not protect against. Web Services interfaces often expose far more functionality to internal and external threats than is actually required. Web Services interfaces are heterogeneous and complex, which opens the door to different types of security breach, and many different applications can communicate with each other through Web Services. Technologies and standards change rapidly with little unification, and some organisations do not adjust their security settings when a particular standard changes.
There are four crucial security requirements for web-based communication: authentication, authorization, data privacy and data integrity. These are equally fundamental to the secure communication of XML Web Services.
Authentication is verifying the identity of the sender or receiver. Credentials are embedded in either the headers or body of the SOAP message. Standard Web technologies using passwords, X.509 certificates, Kerberos, LDAP and Active Directory can be used to authenticate service requestors. Both service requestors and providers should be authenticated for sensitive communication. Even WSDL file delivery should be authenticated as WSDL files can be spoofed.
Authorization is critically important because Web Services can introduce complex levels of access. In addition to authorizing what information users/applications have access to, there also needs to be authorization of which operations an application or user has access rights to perform.
Standard SSL encryption using HTTPS allows point-to-point data privacy between service requestors and service providers. However, in many cases, the service provider may not be the ultimate destination for the message. A service provider may act as a service requestor, sending pieces of information to multiple services. The XML Encryption standard permits encryption of portions of the message allowing header and other information to be clear text while leaving the sensitive payload encrypted. Sensitive information can then be left encrypted to the ultimate destination, allowing true end-to-end data privacy.
Digital signatures can be used to verify whether a message has been tampered with. A service requestor signs a document with the sender's private key and sends the signature along with the payload of the message. The service provider then verifies the signature with the sender's public key to detect whether any portion of the signed document has been altered. In this way systems can ensure data integrity when communicating with each other. The XML Signature standard provides a means for signing parts of XML documents, providing end-to-end data integrity across multiple systems.
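The sign-and-verify exchange described above, as an added example that is not part of the original text: a requestor signs only the body of a simplified SOAP-style envelope with its RSA private key, an intermediary rewrites the unsigned routing header without invalidating the signature, and the provider's public-key check rejects any change to the signed body. The Envelope type, the field names and the sample values are constructed for this example, and a plain string stands in for the canonicalised XML body.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a simplified SOAP-style message constructed for this example.
// Only Body is covered by the signature, so intermediaries may rewrite
// Header for routing while any change to Body is detected downstream.
type Envelope struct {
	Header string // routing information, left unsigned and in the clear
	Body   string // the payload the requestor vouches for
	Sig    []byte // detached signature over Body
}

// digestBody hashes the signed portion. Real XML Signature first applies
// Canonical XML (C14N); here the body is a plain string and is hashed directly.
func digestBody(body string) []byte {
	d := sha256.Sum256([]byte("<Body>" + body + "</Body>"))
	return d[:]
}

// signBody signs the body digest with the requestor's private key
// (RSA PKCS#1 v1.5 over SHA-256) and attaches the result to the envelope.
func signBody(priv *rsa.PrivateKey, env *Envelope) error {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digestBody(env.Body))
	env.Sig = sig
	return err
}

// verifyBody recomputes the digest on receipt and checks it against the
// signature with the sender's public key; a nil error means Body is intact.
func verifyBody(pub *rsa.PublicKey, env Envelope) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digestBody(env.Body), env.Sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	env := Envelope{Header: "route=billing", Body: "item=book;qty=1"}
	_ = signBody(priv, &env)
	env.Header = "route=fraud-check" // an intermediary re-routes: still valid
	fmt.Println("after header change:", verifyBody(&priv.PublicKey, env))
	env.Body = "item=book;qty=100" // tampering with the signed portion
	fmt.Println("after body change:", verifyBody(&priv.PublicKey, env))
}
```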