A web service is an application that exposes some type of functionality using a platform-independent interface. Enterprises use web services as a mechanism for allowing their applications to cross network boundaries and communicate with those of their partners, customers and suppliers. Web services are accessed by sending a request to one of the service's defined endpoints. The following open technologies are used to allow this access.
Web Services Definition Language (WSDL) is a variant of the eXtensible Markup Language (XML) that is used to describe the public interfaces for a web service. Specifically, this includes the protocol bindings, service endpoints (identified by URLs), and message formats required to interact with it. Once defined, a web service's WSDL description file is published to a worldwide directory of services allowing it to be accessed over the Internet. The directory might use Universal Description, Discovery, and Integration (UDDI) although alternate forms are available.
Data exchanged with a web service (requests sent to it and responses received from it) is formatted using XML.
The XML requests and responses generally conform to the SOAP messaging standard.
SOAP messages are transported between applications using HTTP although File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and Extensible Messaging and Presence Protocol (XMPP) can also be used.
The built-in openness of these technologies unfortunately though creates security risks. The following security requirements have been identified and must be supported to insure that the communications between a web service provider (WSP) and a web service client (WSC) are not compromised.
Data integrity and confidentiality during transport
Authentication of the sending entity
Message uniqueness
Securing web services communications was initially addressed on the transport level, relying on securing the HTTP transmissions themselves using Secure Sockets Layer (SSL). This is not adequate though when access to an application is requested through an intermediary. The solution to this is to encrypt the entire request using message level security before it is sent. In message level security, security information is contained within the SOAP message or attachment, making it independent of the transport level security. The request may then securely pass through multiple intermediaries before reaching its intended receiver for decryption. The following illustration depicts message level security.