Seamlessly Securing Web Services by a Signing Proxy

Web services offer a way for very different systems to collaborate independent of the programming language used or the involved operating systems. Their basis is the XML-based SOAP protocol, which can be used over any protocol that is able to transport a byte stream. Due to the fact that Web services do not depend on any operating system and there is no burden of a underlying paradigm, they are ideal for the integration of even completely inhomogeneous systems. However, SOAP does not (and does not have to) deal with security issues, which is nevertheless important for the involved systems. This article describes an add-on for existing Internet proxies to achieve user and developer transparent security features for Web services. This approach allows corporate firewalls to handle authentication. A first step is to add corporate signatures to all outgoing SOAP messages to enable a corporate trust relationship. A second improvement is to use proxy authentication as defined in RFC 2616 and RFC 2617 to add personal signatures assuming that the proxy has access to some key management system.