It's always possible to design and implement an application's own security handling for Web services — as for any form of data exchange — but that's a risky approach, because even a minor and obscure oversight can lead to serious vulnerabilities.One of the main benefits of SOAP compared to simpler forms of data exchange is that it allows for modular extensions.Security has been a major focus for extensions almost since SOAP's initial release, resulting in the standardization of WS-Security and related technologies that allow security to be configured for each service as appropriate.Requirements for security in information exchange generally have three aspects: WS-Security lets you easily address all three aspects.* * @param attribute Authority Descriptor * @throws Validation Exception */ protected void validate Attribute Services(Attribute Authority Descriptor attribute Authority Descriptor) throws Validation Exception /** * Validate that required children are present.
(Think Enigma and the German military communications in World War II, for example.)Public-key cryptography is an inherently different approach to security that doesn't require a shared secret.* * @param sig Impl the signature implementation object to validate * @throws Validation Exception thrown if the signature is not valid with respect to the profile */ protected void validate Signature Impl(Signature Impl sig Impl) throws Validation Exception /** * Validates that the status code local name is one of the allowabled values.* * @param status Code the status code to validate * * @throws Validation Exception thrown if the status code local name is not an allowed value */ protected void validate Value Content(Status Code status Code) throws Validation Exception /** * Checks that at least one Assertion, Assertion ID Reference, or Assertion URI Reference is present.Anyone with access to the public key can use it to encrypt messages, which can then be decrypted only by the key owner.Because separate keys are used for encrypting and decrypting messages, this form of cryptography is called .Security is crucial when Web services exchange business data.Negative financial or legal consequences can result if data is intercepted by third parties, or if fraudulent data is accepted as valid.* * @param xml Object the object to validate * @throws Validation Exception thrown if the object is invalid */ protected void validate Extension Child Namespace(Key Value xml Object) throws Validation Exception /** * Attempt to verify a signature using the key from the supplied credential.* * @param signature the signature on which to attempt verification * @param credential the credential containing the candidate validation key * @return true if the signature can be verified using the key from the credential, otherwise false */ protected boolean verify Signature(Signature signature, Credential credential) /** * Checks that at least one Attribute Service is present.Instead, the other key in the pair must be used for the decryption.As long as the keys' owner keeps one of the keys secret, the other key can be made public.