Chapter 6. Protecting confidentiality of messages using encryption
This chapter covers
- Public key infrastructure
- JCE and Apache XML security
- Certificate authorities
In the preceding chapters, we’ve seen how to extend SOAP via headers. In particular, we saw how to add user credentials so that the application can determine whether the request came from a genuine user. We introduced various techniques to secure credentials so that they cannot be misused by any party listening over the wire or by the service providers themselves.
There is more to security than mere authentication. Imagine that you are requesting a brokerage firm to buy some shares using the funds you have in a bank account. The firm requires you to authenticate with a username and password. Suppose you use the digest mechanism so that the password is not available to an eavesdropper. Is that enough? Wouldn’t you also want to safeguard the bank account information you are providing?
What this scenario points out is that we need a way to encrypt the message so that only the intended recipient can understand it. Traditionally, this task is accomplished by encrypting the whole message. As we mentioned in chapter 1, straightforward encryption of the whole message is not good enough to meet the requirements of SOA. Instead, a mechanism is needed to encrypt different parts of a message differently.