Chapter 3. Extending SOAP for security
This chapter covers
- Extending SOAP with headers
- WS-Security with JAX-RPC handlers
- SOAP intermediaries and WS-Addressing
Chapters 1 and 2 provided the background needed to start exploring SOA security. In chapter 1, you learned the basics of SOA and how it impacts security by lowering the barriers between applications. In chapter 2, you reviewed the basics of the most popular approach to realizing SOA—creating and consuming SOAP-based web services. What you have not seen yet is how SOAP can address the security concerns expressed in chapter 1.
SOAP does not address any security issues directly. In fact, it does not directly address other common requirements such as reliability or transactionality, either. SOAP simply provides a mechanism by which it can be extended to address additional concerns such as security, reliability, and transactionality. Is this a good idea? Shouldn’t something as fundamental as security be addressed in the base SOAP specification itself? We’ll answer this question first in this chapter. After that, we will describe the header-based extension mechanism SOAP provides and introduce WS-Security, a standard extension for security in SOAP.