Securing Web Services Using TransactionMinder
Web services are the hottest topic in the software industry nowadays. Many corporations have started exploring Web services, experimenting at the intranet level before exposing them to the Web. Several questions arise for anyone working in software: What are Web services? Are they secure enough? How do they benefit software vendors and customers?
Web Services Defined
Web services are loosely coupled software components that companies expose over the Internet to their employees, business partners, and so forth. A Web service could be a small business component designed to accomplish a particular task, or a whole business application. Companies generally expose these Web services through a Web portal.
Here is a simple example of a Web service. A customer wants to know the price of a particular model of computer. The Web service running at the service provider's site receives the request from the customer, processes it, and sends the response (the price of that model) back to the customer. A Web service could also be as complex as a workflow containing multi-step transactions.
Web services play an important role in Service-Oriented Architecture (SOA). They are invoked over the Internet by an industry-standard protocol, SOAP (Simple Object Access Protocol), and are described using WSDL (Web Services Description Language). Publishing business functions as Web services opens up new opportunities with business partners, generates new revenue streams, cuts development costs, and reduces maintenance effort.
Need for Securing Web Services
While the popularity of Web services continues to grow because they create unparalleled opportunities to increase revenues and lower integration costs, they also pose a major challenge in terms of security. Web services are not invoked by typical HTTP Web browsers but by standalone client applications. Because browser-style session information is unavailable to the server, the Web service may be unable to identify the user who sent the request. This leaves a loophole: an unauthorized person could invoke the Web service when they are not supposed to. It therefore becomes mandatory that the user is first authenticated and that his or her authorization to access the service is verified.
SSL (Secure Sockets Layer) may be used to secure the communication between the server and the client application. But SSL operates at the transport layer and secures only the channel over which the XML messages used in Web services are exchanged, not the messages themselves. To offer fine-grained access to services, the XML messages must include security information that goes beyond the transport layer.
Transport-layer security secures only point-to-point sessions. When a Web service contains a multi-step transaction, the XML messages may be routed through many Web servers to complete the transaction. Each intermediary in the transaction might itself be a Web service, hosted by a different service provider. An intermediary may read the security information from the incoming service request and need to add further security information required by the next intermediary.
Transport-layer security falls short of such requirements. Netegrity provides a new solution, called TransactionMinder, that supports content-level, XML-based security.
TransactionMinder—A Brief Overview
TransactionMinder is a security product from Netegrity, a company best known for its SiteMinder product. While SiteMinder provides controlled access to Web-based documents, TransactionMinder secures Web services.
TransactionMinder is a policy-based platform for securing the XML messages used in Web services. It is designed to be independent of the transport protocol and messaging framework in use. It is built on SiteMinder's infrastructure, using special XML agents in conjunction with the SiteMinder Policy Server.
Important Components Involved
The TransactionMinder solution has two important components: the XML agent and the Policy Server.
The TransactionMinder XML agent is a component built upon the existing SiteMinder Web agent. Whereas the Web agent identifies the user's credentials and thereby offers controlled access to Web-based documents, the XML agent intercepts the incoming XML message sent to the protected Web service and interacts with the Policy Server, which services the request using policy-based services. Developers can extend the functionality of the XML agent and integrate it with other custom Web services environments.
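The following Python is an added illustration of the two ideas above: security information carried inside the XML message itself, so that a caller's identity survives routing through an intermediary that terminates the transport session, and an agent-style interceptor that authenticates the message and consults a policy before admitting the request. It is constructed for this article and is not TransactionMinder's code or wire format: the `sec:` header elements, the shared-secret HMAC scheme, the user/secret table, and the policy table are all assumptions made for the example.

```python
"""Constructed example: message-level security for SOAP requests.

Everything here is hypothetical: the sec: header format, the shared-secret HMAC
scheme, the user table and the policy table are assumptions for illustration,
not TransactionMinder's real wire format or API.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SEC_NS = "urn:example:security"                         # hypothetical security-header namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sec", SEC_NS)

# Constructed client identities and their pre-shared secrets (an assumption of this example).
SHARED_SECRETS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}
# Constructed policy: the SOAP operations each authenticated user may invoke.
POLICY = {"alice": {"GetPrice"}, "bob": {"GetPrice", "PlaceOrder"}}


def _tag(ns, name):
    return f"{{{ns}}}{name}"


def canonical_body(envelope):
    """Serialize the Body subtree so signer and verifier hash identical bytes.
    (Real message-level security uses XML Signature with formal canonicalization.)"""
    return ET.tostring(envelope.find(_tag(SOAP_NS, "Body")), encoding="utf-8")


def _mac(secret, user, body_bytes):
    """The HMAC binds the claimed identity to the exact Body it vouches for."""
    return hmac.new(secret, user.encode() + b"\n" + body_bytes, hashlib.sha256).hexdigest()


def sign_request(user, operation, params):
    """Client side: build an envelope whose header carries the caller's identity and a
    signature over the Body, so identity travels inside the message, not the transport."""
    env = ET.Element(_tag(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, _tag(SOAP_NS, "Header"))
    body = ET.SubElement(env, _tag(SOAP_NS, "Body"))
    op = ET.SubElement(body, operation)          # unqualified operation element for simplicity
    for name, value in params.items():
        ET.SubElement(op, name).text = value
    creds = ET.SubElement(header, _tag(SEC_NS, "Credentials"))
    ET.SubElement(creds, _tag(SEC_NS, "Username")).text = user
    ET.SubElement(creds, _tag(SEC_NS, "Signature")).text = _mac(
        SHARED_SECRETS[user], user, canonical_body(env))
    return ET.tostring(env, encoding="utf-8")


def intermediary_forward(message):
    """A routing hop at another provider: it terminates the transport session (so any
    SSL-level identity is gone) and adds its own header, but leaves the signed Body alone."""
    env = ET.fromstring(message)
    ET.SubElement(env.find(_tag(SOAP_NS, "Header")), _tag(SEC_NS, "Via")).text = "hop-1"
    return ET.tostring(env, encoding="utf-8")


def tamper(message, new_value):
    """Simulates a hop that alters the Body's first parameter, to show the check catches it."""
    env = ET.fromstring(message)
    env.find(_tag(SOAP_NS, "Body"))[0][0].text = new_value
    return ET.tostring(env, encoding="utf-8")


def enforce(message):
    """Agent-style interceptor in front of the protected service: authenticate the caller
    from the message itself, then ask the policy (a stand-in for a policy server) whether
    that caller may invoke the requested operation. Returns (decision, user, operation)."""
    env = ET.fromstring(message)
    body = env.find(_tag(SOAP_NS, "Body"))
    operation = body[0].tag if body is not None and len(body) else None
    creds = env.find(f"{_tag(SOAP_NS, 'Header')}/{_tag(SEC_NS, 'Credentials')}")
    if creds is None:
        return ("deny:no-credentials", None, operation)
    user = creds.findtext(_tag(SEC_NS, "Username"))
    presented = creds.findtext(_tag(SEC_NS, "Signature")) or ""
    secret = SHARED_SECRETS.get(user)
    if secret is None:
        return ("deny:unknown-user", user, operation)
    expected = _mac(secret, user, canonical_body(env))
    if not hmac.compare_digest(expected, presented):    # constant-time comparison
        return ("deny:bad-signature", user, operation)
    if operation not in POLICY.get(user, set()):
        return ("deny:not-authorized", user, operation)
    return ("permit", user, operation)


if __name__ == "__main__":
    request = sign_request("alice", "GetPrice", {"Model": "X100"})
    print(enforce(request))                            # permit: signed directly by alice
    print(enforce(intermediary_forward(request)))      # permit: identity survived the hop
    print(enforce(tamper(request, "X999")))            # deny: Body no longer matches signature
    print(enforce(sign_request("alice", "PlaceOrder", {"Model": "X100"})))  # deny: policy
```

The point of the example is the separation of concerns the article describes: `enforce` plays the role of an XML agent sitting in front of the service, while `POLICY` stands in for the decisions a policy server would return. Because the credentials ride in the message rather than the connection, the same check works after `intermediary_forward` has replaced the transport session, and any change to the Body after signing is rejected. The scheme deliberately omits replay protection and proper XML canonicalization, which a production message-security layer must supply.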