How you secure web services depends on whether they are intranet or internet facing.
Internet Facing Services
For an internet facing web service, you need message level encryption. The message can be protected with something as simple as a username token; as a best practice, however, it is better to use certificate based public keys. Anyone can request the public key directly from the host, and once they have it, all messages are encrypted with this public key. The public key can only encrypt messages, not decrypt them. The private key is available only to the host, so only the host is able to decrypt the message. Once decrypted, the host scans the message for the username, which it then uses to authenticate the service request.
Intranet Facing Services
These do not need message level encryption. Simply using Windows identity (Windows auth) should allow the client credentials to be authenticated. Windows-based security can be used for transfer security, authentication, and authorization. The client process (which uses a service proxy to call the service) automatically knows it has to send its Windows credentials to the service, because the service declares this in its endpoint configuration.
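As an added example (not from the original note), here are the two scenarios above expressed as a WCF `system.serviceModel` configuration. It assumes the services are WCF hosted; the service name, contract name and certificate subject are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Intranet: no message-level encryption; the caller's Windows identity is
           authenticated over the transport (the endpoint is hosted at an https address). -->
      <binding name="IntranetWindows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- Internet: message-level encryption with the host's certificate public key;
           the client's username token travels inside the encrypted message. -->
      <binding name="InternetCertificate">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Placeholder service and contract names -->
    <service name="Example.OrderService" behaviorConfiguration="InternetBehavior">
      <endpoint address="intranet" binding="wsHttpBinding"
                bindingConfiguration="IntranetWindows" contract="Example.IOrderService" />
      <endpoint address="internet" binding="wsHttpBinding"
                bindingConfiguration="InternetCertificate" contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="InternetBehavior">
        <serviceCredentials>
          <!-- Only the host holds the private key of this certificate; clients fetch the
               public key from the service and encrypt with it. Subject is a placeholder. -->
          <serviceCertificate findValue="CN=PLACEHOLDER-HOST-CERT" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          <!-- The username extracted from the decrypted message is validated against Windows accounts. -->
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client proxy generated from this service's metadata picks up the security mode per endpoint, which is why the intranet caller sends Windows credentials without extra code.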
Web Services can be secured using a combination of the following:
- Transport Layer Security—SSL.
- XML Encryption (Confidentiality)
- XML Signature (Integrity, Authenticity)
- WS-Security Tokens: Username, X.509 Certificate, Kerberos Token, SAML Token.