Almost by definition, security is a hard-to-use feature—in contrast to Web services, which are fairly easy to implement and understand. In the first version of most SOAP toolkits, security was an afterthought that was handled almost entirely by the transport of the SOAP message. For example, encryption was covered by SSL (Secure Sockets Layer) over HTTP.

We need to be able to encrypt, sign, and authenticate messages. This means that the security information of the SOAP message must be baked into the SOAP message itself. This chapter covers cryptography and a specific security technology available for use with Web services: WS-Security. It also examines how the Web Services Enhancements for Microsoft ...