Monday, November 16, 2009

Web Services Security

A common question is how security is implemented in Web Services.

I am copying the overview from this article.

Overview of Information Security
It is important to have a general understanding of information security prior to addressing elements of web services security. There are six general security services that encompass the various functions required of a security facility. These can also be considered as requirements that define information security:
  1. Authentication: Ensures that the sender and receiver are who they claim to be. Mechanisms such as username/password, smart cards, and Public Key Infrastructure (PKI) can be used to assure authentication.
  2. Authorization or Access Control: Ensures that an authenticated entity can access only those services they are allowed to access. Access control lists are used to implement this.
  3. Availability: Requires that uninterrupted services are provided to authenticated and authorized users.
  4. Confidentiality: This assures that information in storage and in transit is accessible only for reading by authorized parties. Encryption is used to assure message confidentiality.
  5. Integrity: Ensures that information, either in storage or in transit, cannot be modified intentionally or unintentionally. Digital signatures are used to assure message integrity.
  6. Nonrepudiation: Requires that neither the sender nor the receiver of a message be able to legitimately claim they didn't send/receive the message.
I am listing some of the other interesting articles that I found on this subject:
  • This article is a good place to start.
  • This one by Axis covers the different types of attacks.
  • This one shows the solution in code.
Some important excerpts from this article are copied below:
WS-Security from OASIS defines the mechanism for including integrity, confidentiality, and single message authentication features within a SOAP message. WS-Security makes use of the XML Signature and XML Encryption specifications and defines how to include digital signatures, message digests, and encrypted data in a SOAP message.

Security Assertion Markup Language (SAML) from OASIS provides a means for partner applications to share user authentication and authorization information. This is essentially the single sign-on (SSO) feature being offered by all major vendors in their e-commerce products. In the absence of any standard protocol on sharing authentication information, vendors normally use cookies in HTTP communication to implement SSO. With the advent of SAML, this same data can be wrapped inside XML in a standard way, so that cookies are not needed and interoperable SSO can be achieved.

1 comment:

  1. Nice overview. I am pleased with the overview that you have provided about web services security. It's highly informative and provides good detail about information security.
    digital signatures