The Need for WS-Security

Yesterday, I wrote about the why we should bother about SOA as PHP users. When we talk about enterprise, security comes to center stage. When you use message passing, with SOA setups, the sensitive messages would have to be secured.

With PHP, there is a well known way of securing client to server communication, that is https. So when talking about REST, one may say, we can use https and secure the messages. True, but is that good enough? For some classes of applications, yes it would. However, many enterprise applications may not be satisfied with that level of security. If you have doubts on this, talk to a security experts. Well, I am not one of those security geeks, but I sure have spoken to few. They would say, the "intruder" could be anywhere.

I borrowed the following image form this article on WSE.

 

At the top, it shows how a protocol-level security such as https could secure your application. The moment the message is delivers, the plain message gets exposed. The "intruder" can easily sneak a peek into the message. As I mentioned earlier, this could be acceptable for some applications, but not all.

The ideal security is the level of security shown in the bottom half of the image, where the message itself is secured. May be the message is signed or encrypted, and sometimes both. Now this cannot done only with transport security like https. You have to secure the message itself. WS-Security specification is meant for just this. It defines how to secure the message itself. So if you want this level of security, you need SOAP Web services. And there are applications, specially enterprise applications that need this level of security.

The good news is that, like Java and .NET, PHP too has full implementation of WS-Security powered by Apache Rampart/C. If you want more information, you can read this article on secure web services with PHP.

Now, one would be wondering, do people really use WS-Security in enterprise applications? Yes they do, and I have seen them. I have seen gaming systems, betting systems and government document transfer systems use WS-Security.  And more often than not, these systems are heterogeneous. They had .NET, Java and yes PHP. I am yet to see a PHP Web service that uses WS-Security in practice, but I sure have seen PHP consuming Web services that enforce security policies implemented in .NET or Java in real world.