Security and authorization are hot topics with Web Services. In fact, security and authorization specifications are currently in flux. This is often the reason cited for not proceeding with any work related to Web Services. Nevertheless, the fact that these specifications are in flux should not hold you back from experimenting with Web Services.
Much can be done without having the specifications complete. Nearly all organizations should be able to find some areas to experiment with Web Services that have low requirements for security and authorization. In fact, Chapter 7 of Web Services and Service-Oriented Architectures: The Savvy Manager's Guide discusses the stages of adoption for Web Services. The first four of the five stages do not require much security and authorization because they involve internal systems.
Security and authorization specifications described on this site are listed below.
- eXtensible Access Control Markup Language (XACML)
- eXtensible rights Markup Language (XrML)
- Security Assertion Markup Language (SAML)
- Service Provisioning Markup Language (SPML)
- Web Services Security (WSS)
- XML Common Biometric Format (XCBF)
- XML Key Management Specification (XKMS)

Specialized XML firewalls offer the promise of protecting internal systems when using Web Services. Traditional firewalls offer protection at the packet level and do not examine the contents of messages. XML firewalls, on the other hand, examine the contents of messages, including the SOAP headers and the XML content. They are designed to permit only authorized content to pass through the firewall.
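
The content-level check that distinguishes an XML firewall from a packet filter can be sketched as follows. This is an added example, not code from this site or from any firewall product. The allow-list policy, the `urn:example:orders` namespace, the requirement for a WS-Security header, and the names `inspect_soap`, `sample` and `Rejected` are all assumptions made for illustration.

```python
import xml.parsers.expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")  # WSS 1.0 header namespace
# Constructed policy: the only (namespace, operation) pair allowed through.
ALLOWED_OPERATIONS = {("urn:example:orders", "GetOrderStatus")}
MAX_DEPTH = 32  # assumed limit against deeply nested payloads

class Rejected(Exception):
    """The message must not be forwarded to the internal service."""

def inspect_soap(message: bytes) -> str:
    """Return the permitted operation name, or raise Rejected."""
    path, headers, operations = [], [], []
    def start(name, attrs):
        ns, _, local = name.rpartition(" ")  # expat reports "namespace local"
        path.append((ns, local))
        if len(path) > MAX_DEPTH:
            raise Rejected("nesting too deep")
        if len(path) == 1 and path[0] != (SOAP_ENV, "Envelope"):
            raise Rejected("root element is not a SOAP envelope")
        if len(path) == 3 and path[1] == (SOAP_ENV, "Header"):
            headers.append((ns, local))      # SOAP header entries
        if len(path) == 3 and path[1] == (SOAP_ENV, "Body"):
            operations.append((ns, local))   # requested operation(s)

    def doctype(*_):
        # SOAP 1.1 forbids a DTD; refusing it also blocks entity tricks.
        raise Rejected("DTD not permitted in a SOAP message")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: path.pop()
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(message, True)
    except xml.parsers.expat.ExpatError as exc:
        raise Rejected(f"not well-formed: {exc}") from exc
    if (WSSE, "Security") not in headers:
        raise Rejected("missing WS-Security header")
    if len(operations) != 1 or operations[0] not in ALLOWED_OPERATIONS:
        raise Rejected("operation not on the allow list")
    return operations[0][1]

def sample(op: str) -> bytes:  # constructed test message, not real traffic
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Header><w:Security '
            f'xmlns:w="{WSSE}"/></s:Header><s:Body><o:{op} '
            f'xmlns:o="urn:example:orders"/></s:Body></s:Envelope>').encode()
```

A packet-level filter would treat every message built by `sample` identically, because they differ only inside the payload. The presence check on the header is a policy placeholder and does not validate any token or signature.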

