A Signing Proxy for Web Services Security

Web Services offer a way for very different systems to collaborate independent of the the used programming language or the involved operating systems. Their basis is the XML-based SOAP protocol which can be used over any protocol which is able to transport a byte steam. Due to the fact that Web Services do not depend on any operating system and there is no burden of a underlying paradigm, they are ideal for the integration of even completely inhomogeneous systems. However, SOAP does not (and does not have to) deal with security issues, which is nevertheless important for the involved systems. This paper describes an addon for existing Internet proxies to achieve user and developer transparent security features for Web Services. This approach allows corporate firewalls to handle authentication. A first step is to add corporate signatures to all outgoing SOAP messages to enable a corporate trust relationship. A second improvement is to use proxy authentication as defined in RFC 2616 and RFC 2617 to add personal signatures assuming that the proxy has access to some key management system.