Authorization and Validation

Service-oriented architecture and distributed computing come with various advantages as well as a few disadvantages that can be overcome with proper consideration of each. Here I am pointing to the security and integrity of the data. Message-level encryption definitely solves both issues if implemented correctly using the WS-* specifications. Authorization still remains an issue. So does data integrity, i.e. how the data is accepted by the service/business: the service could be open to various applications, and it cannot depend blindly on those applications for data integrity or for authorization.

Now let's consider a scenario that involves a three-tiered application with a Web application, a Web Service and a Database.

The Web Service we are constructing is presently open only to our Web application. This is a restricted scenario: the Web Service runs under a particular service account, and access to it is restricted to the Web application using IPsec, which lets us restrict the traffic that can reach the Web Service.

  • In such a scenario, if the Web application properly implements authorization and validation, it solves the problem of security and integrity; the gain is performance, and security is implemented at the transport level.

If the same scenario needs to be extended, i.e. the Web Service needs to be opened to various systems that might be within the intranet (i.e. under our control) or on the internet,

  • then implementing authorization and authentication only at the application level leaves holes in the architecture, because the validity of the data and the authorization are now only as good as the application that accesses the Web Service.
  • Thus in this case authorization and validation with a white-list approach (checking for valid characters) should also be applied at the Web Service layer. This follows the principle of Defence in Depth.
    • This means that authorization and validation should be repeated on all the layers.
    • We could instead remove authorization and validation from the Web application, so that all applications rely on the Web Service for them, but that would degrade the user experience; hence each of the layers should have authorization and validation.
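
A sketch of the Web Service layer repeating both checks regardless of which application is calling. This is an added example, not code from the original post. The operation name, field names, role table and sample requests are all constructed for illustration, and the caller's role is assumed to come from the service's own authentication step rather than from the request body.

```python
import re

# White-list rules: each field lists the characters and length it accepts (constructed).
FIELD_RULES = {
    "account_id": re.compile(r"[A-Z0-9]{6,12}"),
    "memo": re.compile(r"[A-Za-z0-9 .,'-]{0,80}"),
}

# Hypothetical role table held by the service, never supplied by the caller.
PERMISSIONS = {
    "teller": {"read_account"},
    "manager": {"read_account", "update_memo"},
}

class Rejected(Exception):
    """Raised when the service layer refuses a request."""

def authorize(role, operation):
    if operation not in PERMISSIONS.get(role, set()):
        raise Rejected(f"role {role!r} may not call {operation}")

def validate(fields):
    """Unknown fields and values outside the white list both fail."""
    for name, value in fields.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            raise Rejected(f"unexpected field: {name}")
        # fullmatch, not match: a trailing newline or suffix must not slip through.
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            raise Rejected(f"invalid characters or length in: {name}")

def update_memo(caller_role, fields):
    """Service operation: re-checks everything, whatever the front end did."""
    authorize(caller_role, "update_memo")
    validate(fields)
    missing = {"account_id", "memo"} - fields.keys()
    if missing:
        raise Rejected(f"missing fields: {sorted(missing)}")
    return {"status": "ok", "account_id": fields["account_id"]}

def try_call(role, fields):
    try:
        return update_memo(role, fields)["status"]
    except Rejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    # Constructed requests: one well-behaved client, two that skipped their own checks.
    print(try_call("manager", {"account_id": "AC123456", "memo": "Call back Tuesday"}))
    print(try_call("teller", {"account_id": "AC123456", "memo": "hi"}))
    print(try_call("manager", {"account_id": "AC123456", "memo": "<script>x</script>"}))
```

The Web application can run the same white-list rules first to give the user immediate feedback; the service-side copy is the one that must hold when another system calls in.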