Web Services Security

Purpose

Security is one of the main prerequisites when using Web services in an enterprise. Security measures generally concern both the protection of individual servers through authentication, authorization, and encryption as well as the sealing off of an internal infrastructure using firewalls. Security measures for integrated e-business scenarios must be more diverse since they concern the protection of individual services and data.

Security at transport level can be ensured by means of mechanisms used on the Internet. HTTPS sets up an encrypted connection between the client and the server and is suitable for simple situations – for example, when a client communicates directly with a single server. Every single message is sent via an encrypted channel.

This feature of HTTPS, that each message is encrypted, has two disadvantages.

Firstly, many messages have to be encrypted and decrypted on a single server simultaneously. This can have a negative effect on system performance. Furthermore, the information provided using a Web service is not always confidential and therefore does not always need to be encrypted.

Secondly, a SOAP interaction is not always a point-to-point connection; more than two SOAP nodes can be involved. The additional intermediate nodes obtain information about the actions they are to execute from the SOAP header. This is not possible when the entire message is encrypted using HTTPS, because an intermediary cannot read the header without also having access to the whole message.

At message level, an encryption and signature concept with fine granularity is possible. Here, it is not the transport channel but the message itself that is protected, so individual parts of a message can be signed or encrypted while others stay readable.

WS Security (OASIS WS Security) is a security model based on SOAP message transfer. WS Security essentially integrates XML Encryption and XML Signature. 
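The following is an added example, not SAP code and not part of this page, that makes the message-level point concrete: only the SOAP Body is integrity-protected, while a routing header stays in clear so an intermediary can read it without any key. It uses an HMAC in a wsse:Security header as a simplified stand-in for an XML Signature (real WS Security canonicalizes the XML and uses XML-DSig); the routing namespace, element names and shared key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ROUTE = "urn:example:routing"  # constructed namespace for a routing header
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("route", ROUTE)):
    ET.register_namespace(prefix, uri)


def build_envelope(next_hop, payload):
    """Envelope with a clear-text routing header and a business payload in the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{ROUTE}}}NextHop").text = next_hop
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetBalance").text = payload  # constructed operation
    return env


def sign_body(env, key):
    """Protect only the Body: put an HMAC over its serialization into a wsse:Security header.
    Simplification of XML Signature; no canonicalization is performed here."""
    body = env.find(f"{{{SOAP}}}Body")
    mac = hmac.new(key, ET.tostring(body), hashlib.sha256).digest()
    sec = ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ET.SubElement(sec, "BodySignature").text = base64.b64encode(mac).decode()
    return ET.tostring(env)  # bytes as they would travel on the wire


def intermediary_next_hop(wire):
    """An intermediate SOAP node reads the routing header; no key is needed."""
    env = ET.fromstring(wire)
    return env.find(f"{{{SOAP}}}Header/{{{ROUTE}}}NextHop").text


def verify_body(wire, key):
    """Final receiver checks that the Body was not altered in transit."""
    env = ET.fromstring(wire)
    body = env.find(f"{{{SOAP}}}Body")
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/BodySignature")
    if body is None or sig is None:
        return False  # unsigned message: reject rather than trust
    expected = hmac.new(key, ET.tostring(body), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig.text), expected)
```

Changing the routing header leaves the Body signature valid, which is exactly what an intermediary is allowed to do, while any change to the Body (or a wrong key) makes verification fail.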

There are several security mechanisms available on the SAP J2EE Engine:

·        Secure communication using SSL

·        Document Security (XML signature and XML encryption)

·        Authenticating the client

·        Assigning authorizations
