SOA in Practice by Nicolai M. Josuttis

SOA Security in Practice

In practice, security is very often neglected, for several reasons:

  • Security requires effort.

  • It is impossible to achieve absolute security (except by disconnecting distributed systems).

  • You might assume that the usual security mechanisms for the Internet (firewalls and special protocols such as SSL) are enough.

  • You might assume that SOA infrastructures usually provide enough security.

  • It is not clear whether security is an issue for the infrastructure team or the business teams.

The following subsections will discuss these topics, directly or indirectly.

Infrastructures Don't Provide Sufficient Security

In general, you should not assume that infrastructures (the Internet, Web Services, or any other middleware) deal with security in such a way that you don't have to think about it any longer.

The first problem is that there might be a lack of conceptual support. For example, the fundamental Web Services protocol doesn't deal with security: it was designed to provide connectivity. As [PulierTaylor06] claims about Web Services standards:

The new standards were also developed without security in mind . . . . None of these Open Standards (XML, SOAP, WSDL, and UDDI) contain any inherent security aspects of their own. If left alone, they are completely nonsecure. In fact, web services were designed to move efficiently through firewalls.

Similarly, process-modeling standards such as BPEL so far have no concept for composing and aggregating security concepts when they compose ...
