Security
The basic SOAP standard itself does not specify any kind of
security. Web Services have to be secured by conventional means,
for example with SSL, HTTP authentication or some other mechanism. An often
criticized issue is that conventional firewalls cannot secure Web
Services: today's firewalls can only filter traffic according to the
protocol but do not understand what is carried inside it. An attacker
can therefore pack malicious code into a well-formed SOAP message and
send it to a Web Service via the HTTP protocol. This "hacker package"
travels untouched through the firewall and then reveals its malicious
purpose. To solve this problem, Web Services have to be designed with
security in mind; moreover, smart firewalls are needed that are capable
of understanding SOAP and filtering malicious content in SOAP packages.
In many cases SSL does not suffice, as this protocol is dedicated to
point-to-point communication, whereas SOAP messages may travel over
multiple computing nodes. In such cases the only solution is to secure
the SOAP message itself. One way to implement such security measures
is to use a submitted standard called "SOAP Security Extensions",
which depends heavily on another standard called "XML-Signature".
XML-Signature makes it possible to add digital signatures to XML
documents, which ensures the integrity and authentication of the
documents. Further information about this standard can be found in
[LIV02].
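
To make the point-to-point limitation concrete, the following added example (not part of the original page) attaches an integrity check to the message itself, so the final receiver can detect a change made at any intermediate node. It is a simplified stand-in for XML-Signature, not its real syntax: an HMAC-SHA256 over the canonicalized Body is carried in a hypothetical `BodyMac` header entry. The namespace `urn:example:demo-mac`, the key, the `Hop` entry and the sample message are all constructed for the illustration.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO = "urn:example:demo-mac"      # hypothetical namespace, not a real standard
KEY = b"constructed-demo-key"      # constructed secret shared by the two endpoints

# Constructed sample request.
MSG = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:Transfer xmlns:m="urn:example:bank"><m:amount>100</m:amount></m:Transfer></soap:Body>
</soap:Envelope>"""

def _body_mac(body, key):
    """HMAC-SHA256 over the canonical (C14N 2.0) form of the Body element."""
    part = copy.copy(body)
    part.tail = None               # whitespace after </Body> is not protected content
    c14n = ET.canonicalize(ET.tostring(part, encoding="unicode"), rewrite_prefixes=True)
    return base64.b64encode(hmac.new(key, c14n.encode(), hashlib.sha256).digest())

def sign(xml_text, key):
    """Sender: put the Body MAC into a header entry that travels with the message."""
    env = ET.fromstring(xml_text)
    header = env.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        env.insert(0, header)
    mac = ET.SubElement(header, f"{{{DEMO}}}BodyMac")
    mac.text = _body_mac(env.find(f"{{{SOAP}}}Body"), key).decode()
    return ET.tostring(env, encoding="unicode")

def relay(xml_text):
    """Honest intermediate node: adds its own header entry, leaves the Body alone."""
    env = ET.fromstring(xml_text)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{DEMO}}}Hop").text = "node-b"
    return ET.tostring(env, encoding="unicode")

def verify(xml_text, key):
    """Final receiver: accept only one Body with exactly one matching MAC."""
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    macs = env.findall(f"{{{SOAP}}}Header/{{{DEMO}}}BodyMac")
    bodies = env.findall(f"{{{SOAP}}}Body")
    if len(macs) != 1 or len(bodies) != 1:
        return False
    sent = (macs[0].text or "").strip().encode()
    return hmac.compare_digest(sent, _body_mac(bodies[0], key))
```

Because the MAC covers the canonical form of the Body, a node that re-serializes the envelope or adds header entries does not invalidate it, while any change to the Body content does.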
Hermann Himmelbauer
2006-09-27