Q

Why can't I just use SSL to protect my Web services?

Why can't I just use SSL to protect my Web services?
The Secure Sockets Layer, SSL, may be used in certain, restricted cases for protecting a Web services message on the wire. However, SSL has a number of limitations when it is used with Web services. First, SSL is a point-to-point protocol, that is, at each step the message is decrypted and a new SSL connection is set up. If a message goes through multiple intermediates, which is expected behavior in Web services, then the message will be exposed to each intermediate, which may be a severe vulnerability. Second, SSL encrypts the whole message, which will be expensive for a large message, whereas Web services security supports encrypting selected parts of the message. Third, SSL does not support authorization, whereas there are Web services specifications that specifically support authorization, such as the eXtensible , Access Control Markup Language, XACML. Fourth Web services security is XML based which is the language of Web services, making it a more congruent fit. That said, there are times when SSL is an alternative to Web services security and is recommended to be used in conjunction with Web services security in certain cases.
This was first published in May 2003

Dig deeper on Web Services Security and SOA Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close