Overview of Message Security

Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, Java EE security mechanisms provide only a partial solution.

The characteristics of a web service that make its security needs different than those of other Java EE applications include the following:

Loose coupling between the service provider and service consumer

Standards-based (read Web Services Security Initiatives and Organizations for a discussion of web services security initiatives and organizations)

Uses XML-formatted messages and metadata

Highly-focused on providing interoperability

Platform and programming language neutral

Can use a variety of transport protocols, although HTTP is used most often

Supports interactions with multiple hops between the service consumer and the service provider

Some of the characteristics of a web service that make it especially vulnerable to security attacks include the following:

Interactions are performed over the Internet using transport protocols that are firewall friendly.

Communication is often initiated by service consumers who have no prior relationship with the service provider.

The message format is text-based.

Additionally, the distributed nature of web service interactions and dependencies might require a standard way to propagate identity and trust between application domains.

There are several well-defined aspects of application security that, when properly addressed, help to minimize the security threat faced by an enterprise. These include authentication, authorization, integrity, confidentiality, and non-repudiation, and more. These requirements are discussed in more detail in Characteristics of Application Security.

One of the methods that can be used to address the unique challenges of web services security is message security. Message security is discussed in this chapter which includes the following topics: