web services security

How you secure web services depends on whether they are intranet or internet facing.

Internet Facing Services

For an internet facing web service, you need message level encryption. The encryption key can be a simple username – however, as a best practice it is better to use certificate based public keys. The public key can be requested by anyone directly from the host – once available, all messages are encrypted using this public key. The public key can only encrypt- not decrypt any messages. The private key is only available to the host – so the host is able to decrypt the message successfully. Once decrypted, the host scans the message for the username, which it then uses to authenticate the service.

INTRANET Facing Services

These do not need message level encryption. Simply using windows identify (windows auth) should successfully allow the client credentials to be authenticated. One can use Windows-based security for transfer security, authentication,and authorization. The client process (which uses a service proxy to call the service) automatically knows it has to send its windows credentials to the service (the service configures this in the endpoint configuration).


: Web Services can be secured using a combination of the following:

  1. Transport Layer Security—SSL.
  2. XML Encryption (Confidentiality)
  3. XML Signature (Integrity, Authenticity)
  4. WS-Security.
  5. WS-Security Tokens. Username. X.509 Certificate. Kerberos Token. SAML Token.
  6. WS-Policy.
  7. WS-SecurityPolicy.

Specializing in high volume web and cloud application architecture, Anuj Varma’s customer base includes Fortune 100 companies (dell.com, British Petroleum, Schlumberger).
Anuj also offers a 1-day ‘technology crash course’ focused on cloud technologies for executives.
For Anuj’s specialized one-on-one executive seminars, visit ExecutiveTechnologySeminars
All content on this site is original and owned by anujvarma.com.

Anuj Varma – who has written posts on Anuj Varma, Technology Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *