By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Why can't I just use SSL to protect my Web services?
The Secure Sockets Layer, SSL, may be used in certain, restricted cases for protecting a Web services message on the wire. However, SSL has a number of limitations when it is used with Web services. First, SSL is a point-to-point protocol, that is, at each step the message is decrypted and a new SSL connection is set up. If a message goes through multiple intermediates, which is expected behavior in Web services, then the message will be exposed to each intermediate, which may be a severe vulnerability. Second, SSL encrypts the whole message, which will be expensive for a large message, whereas Web services security supports encrypting selected parts of the message. Third, SSL does not support authorization, whereas there are Web services specifications that specifically support authorization, such as the eXtensible , Access Control Markup Language, XACML. Fourth Web services security is XML based which is the language of Web services, making it a more congruent fit. That said, there are times when SSL is an alternative to Web services security and is recommended to be used in conjunction with Web services security in certain cases.