Sunday, May 21, 2006

Web Services Security

I recently bought the “Web Services Security” book by Mark O’Neill et al., which I read on my way back from JavaOne.

This is an excellent book that everybody dealing with SOA MUST read. We too often hear people mixing up SAML and WS-Security (this was my case anyway) and forgetting about XACML and XKMS.

The first part provides a clear introduction to Web Services and recalls, where needed, the basic security concepts: confidentiality, integrity, non-repudiation, authentication and authorization. All of these concepts are very well illustrated with good examples.

The second part of the book is dedicated to XML security; this is a book about Web Services security after all. I found the chapters about SAML, XACML and XKMS very useful. I must recognize that I only had a surface knowledge about SAML and that I did not know anything about XACML and XKMS.

The third part provides more details about WS-Security. Once again, it is good to be reminded of the standards on which WS-Security relies, i.e. WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation and WS-Authorization.

The last parts talk about .NET and Passport and provide plenty of examples and case studies.

To summarize, this is an excellent book that is easy to read and that should raise IT consultants’ security awareness. I highly recommend it.

One little remark made in the book that I liked very much is that “Web Services” should be named “Net Services”. It is certainly true that services are not only exposed over the internet. Moreover, the name “Net Services” would have been less misleading than “Web Services” when it comes to transport. Indeed, people too often forget that SOAP is transport agnostic.

Finally, this book helped me better understand where authorization policies should be decided and enforced. I now realize that authorization policy enforcement should not be done at the service level but kept outside the service realm.
