Web Services Security Tutorial

A Web Services Security Overview and Implementation Tutorial. Presented at the OMG Distributed Objects and Components Security (DOCSec) Conference 2003, Baltimore, MD, USA, April 2003.

This tutorial provides an assessment of the various security concerns and implications for XML Web Services, and the different means to address them.
A framework is presented outlining the variety of measures and approaches for achieving end-to-end security for Web Services, leveraging any preexisting security environments where possible.
The various technical security aspects of authentication, authorization, confidentiality and integrity are explored, along with how they affect Web Services and how they relate to the business-driven security concepts of identity, single-sign-on, privacy, trust and non-repudiation.
An overview is provided of the emerging XML security standards such as XML Digital Signatures (XML-DSIG), XML Encryption, Security Assertions Markup Language (SAML) and WS-Security, including how they combine to address the fundamental security requirements of line-of-business Web Services.
Examples are shown of a common technique for implementing the security requirements for a Web Service application through the use of custom or pre-built client-side and server-side interceptor plugins, in a manner similar to existing Aspect-oriented programming concepts.
Finally, some lessons from the initial experiences implementing and using Web Services security are provided, along with advice and guidance for future projects.
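As an added illustration of the interceptor approach described above (example code written for this page, not code from the tutorial itself): a client-side interceptor attaches a Timestamp and signature header to the outgoing message, and a server-side interceptor rejects missing, stale or tampered messages before the service logic runs. A keyed HMAC over a dict-based message is assumed here as a stand-in for an XML-DSIG signature over a SOAP envelope, and the shared key, clock window and message shape are constructed for the demo.

```python
import hmac
import hashlib
import time

# Constructed shared secret standing in for the signing credential;
# real WS-Security would carry an XML-DSIG signature and a certificate.
SHARED_KEY = b"tutorial-demo-key"
MAX_SKEW = 300  # seconds a Timestamp header is accepted around the server clock

def _digest(body, created):
    # Bind the body to the timestamp so neither can be swapped out alone.
    return hmac.new(SHARED_KEY, f"{created}|{body}".encode(), hashlib.sha256).hexdigest()

def client_sign_interceptor(msg, now=None):
    # Client-side plugin: add a Security header (Created + Signature) before sending.
    created = int(now if now is not None else time.time())
    msg["headers"]["Security"] = {"Created": created,
                                  "Signature": _digest(msg["body"], created)}
    return msg

def server_verify_interceptor(msg, now=None):
    # Server-side plugin: enforce presence, freshness and integrity of the header.
    sec = msg["headers"].get("Security")
    if sec is None:
        raise PermissionError("missing Security header")
    now = now if now is not None else time.time()
    if abs(now - sec["Created"]) > MAX_SKEW:
        raise PermissionError("Timestamp outside allowed window")
    expected = _digest(msg["body"], sec["Created"])
    if not hmac.compare_digest(sec["Signature"], expected):
        raise PermissionError("signature does not match body")
    return msg

def run_chain(msg, interceptors, **kw):
    # The interceptor chain: each plugin sees the message in turn, like AOP advice.
    for step in interceptors:
        msg = step(msg, **kw)
    return msg

def send(body, now=None):
    # Client side: build the message and run it through the outbound chain.
    return run_chain({"headers": {}, "body": body}, [client_sign_interceptor], now=now)

def receive(msg, now=None):
    # Server side: run the inbound chain; a rejection never reaches the service.
    try:
        run_chain(msg, [server_verify_interceptor], now=now)
        return "accepted"
    except PermissionError as err:
        return f"rejected: {err}"
```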