Chapter 8. Implementing security as a service

This chapter covers

  • SAML assertions
  • OpenSAML
  • WS-Trust and SAML protocol

In part II, you saw some of the technological building blocks needed to implement security for web services: authentication, encryption, and signatures. If you are going to secure only a few simple services, what you have learned up to this point should hold you in good stead. For example, if you are an application developer simply seeking to secure the services offered by your back-end modules to your front-end modules, you already know enough to get your work done.

If you are developing or implementing an enterprise-class SOA security solution, a few more fundamental pieces are needed to build full-fledged frameworks, strategies, and architectures.[1] In particular, we must address the security management issues described in the first chapter. To recap, enterprise SOA security solutions need to address the following concerns:

[1] Kerberos, described in chapter 5, can by itself provide the basis for an enterprise-class security framework. However, the use of Kerberos across trust domains (enterprises, or even divisions within enterprises) is rare, so we need alternate security mechanisms that scale both within and beyond an enterprise.

8.1. Security as a service

8.2. Analyzing possible uses of a security service

8.3. Conveying the findings of a security service: SAML

8.4. Example implementation using OpenSAML

8.5. Standards for security service interfaces

8.6. Summary

Suggestions for further reading