web services security

How you secure web services depends on whether they are intranet or internet facing.

Internet Facing Services

For an internet facing web service, you need message level encryption. The encryption key can be a simple username – however, as a best practice it is better to use certificate based public keys. The public key can be requested by anyone directly from the host – once available, all messages are encrypted using this public key. The public key can only encrypt- not decrypt any messages. The private key is only available to the host – so the host is able to decrypt the message successfully. Once decrypted, the host scans the message for the username, which it then uses to authenticate the service.

INTRANET Facing Services

These do not need message level encryption. Simply using windows identify (windows auth) should successfully allow the client credentials to be authenticated. One can use Windows-based security for transfer security, authentication,and authorization. The client process (which uses a service proxy to call the service) automatically knows it has to send its windows credentials to the service (the service configures this in the endpoint configuration).

Authenticate end users – Two-Way Certificates

One way to ensure that your end client is truly your end client is to distribute a certificate that you create and maintain – purely for end user authentication purposes. This is different from the server certificate – which identifies, not the end user, but the actual website that is hosting the web service.  This requires the host (server) to maintain a list of issued certificates (a local Certificate Authority in a sense).  This can quickly become unmanageable as the number of end users grows. However, it is a super-secure model – as it is impossible for either the clients or the server to bypass trust.


: Web Services can be secured using a combination of the following:

  1. Transport Layer Security—SSL.
  2. XML Encryption (Confidentiality)
  3. XML Signature (Integrity, Authenticity)
  4. WS-Security.
  5. WS-Security Tokens. Username. X.509 Certificate. Kerberos Token. SAML Token.
  6. WS-Policy.
  7. WS-SecurityPolicy.

Cloud Advisory Services | Security Advisory Services | Data Science Advisory and Research

Specializing in high volume web and cloud application architecture, Anuj Varma’s customer base includes Fortune 100 companies (dell.com, British Petroleum, Schlumberger).

All content on this site is original and owned by AdverSite Web Holdings, Inc. – the parent company of anujvarma.com. No part of it may be reproduced without EXPLICIT consent from the owner of the content.

Anuj Varma – who has written posts on Anuj Varma, Technology Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *