I have just started learning web services. Can you guide me as to how to implement security in SOAP? Also, which is better: the top-down or the bottom-up approach? Any documentation in this regard is greatly appreciated. Thanks,
That's the realm of WS-Security, which is implemented by all major SOAP stacks. It covers both authentication (username/password) and encryption. The documentation of whichever SOAP stack you're using should talk about it.
Thank you for the reply. This is for applications within the company; do you think WS-Security is better, or SSL? Also, do you think WS-Security will be supported even in the future?
Yes, I think WS-Security is better (more flexible and more capable) than using HTTP security measures like Basic Digest authentication or SSL. It's supported by all major SOAP stacks and I see no reason why it wouldn't continue to be so as long as the SOAP stacks themselves are supported.
SSL security mechanisms are at the Network layer. WS-Security is at the Message layer. Securing web services with SSL and without using WS-Security is a caveman approach, similar to trying to slice cheese with a chainsaw. You will certainly be able to "cut the cheese" with a chainsaw, but... your code is sure to be smelly (for anything complex).
Below is a good starting point for web service security.
SOA Security by Ramarao Kanneganti and Prasad A. Chodavarapu
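
The username/password authentication that the replies above attribute to WS-Security travels inside the SOAP message as a `wsse:UsernameToken` header. The sketch below is an added example, not code from any poster or SOAP stack: it builds that header in its PasswordDigest form and shows the server-side checks (timestamp freshness, nonce replay, constant-time digest comparison). The names `build_token` and `verify_token`, the in-memory password dictionary and the `seen` nonce set are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces and type URI from the OASIS WS-Security 1.0 / UsernameToken Profile specs
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _digest(nonce, created, password):
    # Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_token(user, password, now, nonce=None):
    """Client side (hypothetical helper): build a wsse:Security header as an XML string."""
    nonce = nonce or os.urandom(16)
    created = now.strftime(FMT)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = _digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")

def verify_token(xml, passwords, seen, now, max_age=timedelta(minutes=5)):
    """Server side (hypothetical helper): return the username if accepted, else None."""
    try:
        # Stdlib parser for brevity; use a hardened XML parser on untrusted input.
        tok = ET.fromstring(xml).find(f"{{{WSSE}}}UsernameToken")
        field = lambda ns, tag: tok.findtext(f"{{{ns}}}{tag}") or ""
        user, created = field(WSSE, "Username"), field(WSU, "Created")
        nonce = base64.b64decode(field(WSSE, "Nonce"), validate=True)
        ts = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    except (ET.ParseError, ValueError, AttributeError):
        return None  # malformed XML, missing token, bad nonce or timestamp
    if not nonce or abs(now - ts) > max_age or (user, nonce) in seen:
        return None  # missing nonce, stale timestamp, or replayed token
    expected = _digest(nonce, created, passwords.get(user, ""))
    supplied = field(WSSE, "Password")
    if user not in passwords or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # unknown user or wrong password
    seen.add((user, nonce))
    return user
```

The digest form requires the server to hold the password (or an equivalent secret) in recoverable form, and it authenticates the sender only. Protecting the message body takes XML Signature and XML Encryption under WS-Security, or a TLS transport.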