How you secure web services depends on whether they are intranet or internet facing.
Internet Facing Services
For an internet-facing web service, you need message-level encryption. The encryption key can be a simple username; however, as a best practice it is better to use certificate-based public keys. The public key can be requested by anyone directly from the host; once available, all messages are encrypted using this public key. The public key can only encrypt, not decrypt, messages. The private key is available only to the host, so only the host is able to decrypt the message successfully. Once decrypted, the host scans the message for the username, which it then uses to authenticate the caller.
Intranet Facing Services
These do not need message-level encryption. Simply using Windows identity (Windows auth) should allow the client credentials to be authenticated. One can use Windows-based security for transfer security, authentication, and authorization. The client process (which uses a service proxy to call the service) automatically knows it has to send its Windows credentials to the service (the service specifies this in its endpoint configuration).
Authenticate end users – Two-Way Certificates
One way to ensure that your end client is truly your end client is to distribute a certificate that you create and maintain, purely for end-user authentication purposes. This is different from the server certificate, which identifies not the end user but the actual website that is hosting the web service. This requires the host (server) to maintain a list of issued certificates (a local certificate authority, in a sense). This can quickly become unmanageable as the number of end users grows. However, it is a super-secure model, as it is impossible for either the clients or the server to bypass trust.
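As an added example (not part of the original article), the three models above map onto WCF bindings and service credentials like this; the service name, contract and certificate subject are placeholders, and the intranet endpoint is assumed to be hosted over HTTPS because transport security on wsHttpBinding requires it:

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Internet facing: message-level security. The client encrypts to the
             service's X.509 public key and identifies itself with a username token. -->
        <binding name="InternetMessageSecurity">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
        <!-- Intranet: no message-level encryption; the proxy sends Windows
             credentials on the transport (endpoint address must be https). -->
        <binding name="IntranetWindowsAuth">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <!-- Two-way certificates: each end user presents a certificate the host issued. -->
        <binding name="TwoWayCertificate">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="HostCredentials">
          <serviceCredentials>
            <!-- Certificate whose private key decrypts incoming messages (placeholder subject). -->
            <serviceCertificate findValue="PLACEHOLDER-service-subject"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindBySubjectName" />
            <!-- PeerTrust accepts a client certificate only if it sits in the host's
                 TrustedPeople store: the locally maintained list of issued certificates. -->
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
            <!-- Username tokens are checked against Windows accounts. -->
            <userNameAuthentication userNamePasswordValidationMode="Windows" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrderService" behaviorConfiguration="HostCredentials">
        <endpoint address="" binding="wsHttpBinding" contract="Example.IOrderService"
                  bindingConfiguration="InternetMessageSecurity" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Switch `bindingConfiguration` to `IntranetWindowsAuth` or `TwoWayCertificate` to select the other two models for an endpoint.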
Web services can be secured using a combination of the following:
- Transport Layer Security (SSL/TLS)
- XML Encryption (confidentiality)
- XML Signature (integrity, authenticity)
- WS-Security tokens: Username, X.509 certificate, Kerberos token, SAML token