Service-oriented architecture (SOA) allows different ways to develop applications by combining services. The main premise of SOA is to erase application boundaries and technology differences. As applications are opened up, how we can combine these services securely becomes an issue. Traditionally, security models have been hardcoded into applications and when capabilities of an application are opened up for use by other applications, the security models built into each application may not be good enough.
Several emerging technologies and standards address different aspects of the problem of security in SOA. Standards such as WS-Security, SAML, WS-Trust, WS-SecureConversation and WS-SecurityPolicy focus on the security and identity management aspects of SOA implementations that use Web services. Technologies such as virtual organization in grid computing, application-oriented networking (AON) and XML gateways are addressing the problem of SOA security in the larger context.
XML gateways are hardware or software based solutions for enforcing identity and security for SOAP, XML, and REST based web services, usually at the network perimeter. An XML gateway is a dedicated application which allows for a more centralized approach to security and identity enforcement, similar to how a protocol firewall is deployed at the perimeter of a network for centralized access control at the connection and port level.
XML Gateway SOA Security features include PKI, Digital Signature, encryption, XML Schema validation, antivirus, and pattern recognition. Regulatory certification for XML gateway security features are provided by FIPS and United States Department of Defense.
Books on SOA Security
- Kanneganti, Ramarao; Prasad A. Chodavarapu (2007). SOA Security. Manning Publications. ISBN 1-932394-68-0.
- Rosenberg, Jothy; David Remy (2004). Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption. SAMS. ISBN 0-672-32651-5.
- Hartman, Bret; Donald J. Flinn; Konstantin Beznosov; Shirley Kawamoto (2003). Mastering Web Services Security. Wiley. ISBN 0-471-26716-3.
- O'Neill, Mark (2003). Web Services Security. McGraw-Hill Osborne Media. ISBN 0-07-222471-1.
- Understanding SOA Security Design and Implementation : Understanding SOA Security Design and Implementation