Ask the Expert

Why can't I just use SSL to protect my Web services?

Why can't I just use SSL to protect my Web services?

    Requires Free Membership to View

The Secure Sockets Layer, SSL, may be used in certain, restricted cases for protecting a Web services message on the wire. However, SSL has a number of limitations when it is used with Web services. First, SSL is a point-to-point protocol, that is, at each step the message is decrypted and a new SSL connection is set up. If a message goes through multiple intermediates, which is expected behavior in Web services, then the message will be exposed to each intermediate, which may be a severe vulnerability. Second, SSL encrypts the whole message, which will be expensive for a large message, whereas Web services security supports encrypting selected parts of the message. Third, SSL does not support authorization, whereas there are Web services specifications that specifically support authorization, such as the eXtensible , Access Control Markup Language, XACML. Fourth Web services security is XML based which is the language of Web services, making it a more congruent fit. That said, there are times when SSL is an alternative to Web services security and is recommended to be used in conjunction with Web services security in certain cases.

This was first published in May 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: