Web services can be secured using either transport level security or message level security. The goal of transport level security is to establish a secure pipe between two endpoints: every message that travels through the pipe is protected, but only from one end of the pipe to the other, i.e. point to point. The advantages of transport level security are
- The technologies for Transport level security are mature and well established.
- The technologies used are simpler and easier to administer.
The disadvantages are
- It only secures a message from point to point, i.e. once a message leaves the secure pipe (for example at a proxy or gateway that terminates the connection) it is no longer protected.
- It gives no control over the level of security applied to the message. The whole message is encrypted as a stream, and there is no way to specify which parts of the message should be encrypted and which should be left in the clear.
Transport level security is mainly implemented by running HTTP over SSL/TLS, i.e. HTTPS. Message level security is considerably more complex and uses technologies such as XML Signature, XML Encryption and SAML.
Message level security is better suited to securing Web services. A SOAP message may pass through multiple SOAP nodes, not all of which are under your control. With transport level security you can only secure the hops between the nodes you control; at every other node the message is in the clear. Another common requirement is that certain parts of the SOAP message (for example routing information in a header) must be visible to some SOAP nodes while remaining opaque to the others; this level of control is not possible with transport level security, which protects the whole stream or nothing. Message level security also provides integrity and confidentiality of the message itself, independent of the channel it travels over. Finally, SOAP messages are often logged or persisted, so the message must remain protected long after its transmission lifetime, and a transport level mechanism offers nothing once the message is off the wire. All of these needs require the technologies mentioned above, namely XML Signature, XML Encryption, etc.
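The following Python script is an added example, not code from the original article, that makes the points above concrete: only the Body of a constructed SOAP envelope is encrypted and integrity protected, the Header stays readable (and editable) by intermediaries, the protection travels with the serialized message so it survives logging, and any change to the protected part is detected by the final recipient. Because Python's standard library ships no block cipher, confidentiality uses a keystream derived from HMAC-SHA256 in counter mode and integrity uses HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC); these stand in for the XML Encryption and XML Signature algorithms a real WS-Security stack would use, and the element names, namespace handling and keys are assumptions of the demo rather than the standard's wire format.

```python
"""Element-level protection of a SOAP Body (added example, not from the original page).

The standard library has no block cipher, so confidentiality uses an
HMAC-SHA256 keystream in counter mode and integrity uses HMAC-SHA256 over
nonce||ciphertext. Both stand in for the XML Encryption / XML Signature
algorithms WS-Security would use; envelope, element names and keys are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_NS}
ET.register_namespace("soap", SOAP_NS)

# Constructed sample: a routing header every intermediary must read, and a
# payload that only the final recipient may see.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><Route>orders-service</Route></soap:Header>
  <soap:Body>
    <PlaceOrder><Card>4111111111111111</Card><Amount>42.00</Amount></PlaceOrder>
  </soap:Body>
</soap:Envelope>"""


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(key, nonce||counter) blocks: a toy stand-in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect_body(envelope_xml: str, enc_key: bytes, mac_key: bytes) -> str:
    """Encrypt and MAC only the Body payload; the Header stays in the clear."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    payload = body[0]
    plaintext = ET.tostring(payload).strip()
    nonce = os.urandom(16)
    ciphertext = xor_keystream(enc_key, nonce, plaintext)
    mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    body.remove(payload)
    enc = ET.SubElement(body, "EncryptedData")  # name echoes XML Encryption; layout is the demo's own
    for name, value in (("Nonce", nonce), ("CipherValue", ciphertext), ("Mac", mac)):
        ET.SubElement(enc, name).text = base64.b64encode(value).decode()
    return ET.tostring(root, encoding="unicode")


def unprotect_body(envelope_xml: str, enc_key: bytes, mac_key: bytes) -> str:
    """Verify the MAC before decrypting; raise ValueError if the Body was altered."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    enc = body.find("EncryptedData")
    nonce, ciphertext, mac = (base64.b64decode(enc.findtext(n)) for n in ("Nonce", "CipherValue", "Mac"))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("Body ciphertext or MAC modified, or wrong key")
    body.remove(enc)
    body.append(ET.fromstring(xor_keystream(enc_key, nonce, ciphertext)))
    return ET.tostring(root, encoding="unicode")


def accepted(envelope_xml: str, enc_key: bytes, mac_key: bytes) -> bool:
    """True if the final recipient's verification passes, False if it rejects the Body."""
    try:
        unprotect_body(envelope_xml, enc_key, mac_key)
        return True
    except ValueError:
        return False


def read_route(envelope_xml: str) -> str:
    """What an intermediary can still read from a protected envelope."""
    return ET.fromstring(envelope_xml).find("soap:Header/Route", NS).text


def rewrite_route(envelope_xml: str, new_route: str) -> str:
    """An intermediary legitimately updating the routing header in transit."""
    root = ET.fromstring(envelope_xml)
    root.find("soap:Header/Route", NS).text = new_route
    return ET.tostring(root, encoding="unicode")


def flip_ciphertext_byte(envelope_xml: str) -> str:
    """An attacker (or a node on an untrusted hop) flipping one bit of the encrypted payload."""
    root = ET.fromstring(envelope_xml)
    cv = root.find("soap:Body/EncryptedData/CipherValue", NS)
    raw = bytearray(base64.b64decode(cv.text))
    raw[0] ^= 0x01
    cv.text = base64.b64encode(bytes(raw)).decode()
    return ET.tostring(root, encoding="unicode")


def card_number(envelope_xml: str) -> str:
    """Read the card number from a decrypted envelope (only the final recipient can do this)."""
    return ET.fromstring(envelope_xml).find("soap:Body/PlaceOrder/Card", NS).text


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed demo keys
    protected = protect_body(ENVELOPE, enc_key, mac_key)
    print(protected)  # the routing header is readable, the card number is not
    relayed = rewrite_route(protected, "orders-service-eu")  # intermediary edits the header only
    print(card_number(unprotect_body(relayed, enc_key, mac_key)))
    print("tampered body accepted:", accepted(flip_ciphertext_byte(protected), enc_key, mac_key))
```

The string returned by protect_body can be written to a log or handed to any number of intermediaries: the Header remains useful to them, the Body stays opaque, and the recipient's MAC check fails if the ciphertext was touched or a different key is used. A TLS connection gives none of these properties once the bytes leave the socket.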
Next : Foundations of Message Level Security