We can forgive the Web Services stack some of its transgressions (like WSDL) providing the stack can deliver some value that the Web cannot. Security, reliability, and transactions were values deeply enshrined in the Web Services psyche early on by some of its more influential corporate backers to make interactions between Web Services as robust as traditional enterprise middleware.
This was a worthy and important goal, and it’s interesting to see how these fundamental tenets are supported in the WS-* stack. It’s also useful to understand how the Web achieves similar outcomes with quite different means.
Web Services security encompasses a suite of XML cryptographic techniques to provide a secure end-to-end mechanism for transferring SOAP messages between services. WS-Security allows the sender of a message to sign and/or encrypt any part or the whole of the outgoing message so that it can’t be tampered with and/or read while it’s in transit, while higher-order protocols allow us to establish domains of trust, negotiate credentials, and so on.
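A simplified model of the part-level signing described above, added here as an illustration and not taken from the original text or from any WS-Security implementation. It canonicalizes and digests each referenced element, then authenticates the list of digests. Assumptions: HMAC with a shared key stands in for the public-key signature, Python's built-in C14N 2.0 canonicalizer stands in for whichever algorithm a real signature would name, and the `urn:example:orders` message is constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample message; the urn:example:orders vocabulary is hypothetical.
MESSAGE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsu="{WSU}" xmlns:o="urn:example:orders">
  <s:Header><o:Route wsu:Id="route">hop-1</o:Route></s:Header>
  <s:Body wsu:Id="body"><o:Order><o:Item>latte</o:Item><o:Qty>1</o:Qty></o:Order></s:Body>
</s:Envelope>"""

def part_digest(envelope_xml, part_id):
    """Canonicalize the single element whose wsu:Id equals part_id and hash it."""
    root = ET.fromstring(envelope_xml)
    matches = [e for e in root.iter() if e.get(f"{{{WSU}}}Id") == part_id]
    if len(matches) != 1:  # missing or ambiguous references are rejected
        raise ValueError(f"expected exactly one element with wsu:Id={part_id!r}")
    elem = matches[0]
    elem.tail = None  # whitespace after the element is not part of the signed data
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def _signed_info(refs):
    # Stand-in for ds:SignedInfo: one "id:digest" line per signed part.
    return "\n".join(f"{pid}:{digest}" for pid, digest in refs).encode("utf-8")

def sign_parts(envelope_xml, part_ids, key):
    """Return (references, tag) covering only the listed parts of the message."""
    refs = [(pid, part_digest(envelope_xml, pid)) for pid in part_ids]
    return refs, hmac.new(key, _signed_info(refs), hashlib.sha256).hexdigest()

def verify_parts(envelope_xml, refs, tag, key):
    """Check the tag over the reference list, then each part against its digest."""
    expected = hmac.new(key, _signed_info(refs), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        return all(hmac.compare_digest(part_digest(envelope_xml, pid), digest)
                   for pid, digest in refs)
    except (ValueError, ET.ParseError):
        return False
```

Signing only `body` leaves the routing header free to change in transit, while any change inside the signed element fails verification at the final recipient.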
What’s interesting about the WS-Security model is that it is truly end-to-end, based on public key cryptography. The WS-Security components are installed and configured inside a service’s SOAP stack, and the security capabilities that the Web Service supports can be advertised in the WS-SecurityPolicy document associated with the service’s WSDL. Once a consumer locates some service metadata, ...