Reputation: 187
I am just getting started with SOAP web services and stumbled across web service security.
I need to know two things based on the following use case:
Suppose there is a web service which accepts a country name as the request and returns a state list as the response.
What are transport level security and message level security, based on my simple use case above? How are they different?
Upvotes: 1
Views: 289
Reputation: 12075
What are transport level security and message level security, based on my simple use case above? How are they different?
There are multiple options for securing your transport channel and data. It all depends on what security measures are required.
SOAP/WSDL has an extension, WS-Security, which defines multiple standard options for securing the communication. Please note that not all frameworks support all options, and I really suggest you use some mature web service framework (CXF, Axis2, ..) which would implement the web service security. You don't want to do it yourself.
Transport level security
The basic option is TLS/SSL (simple or with a client certificate). This security layer is bound to the HTTP transport layer and often taken for granted, so it is not configured in the WSDL itself.
Does this mean that if transport security is implemented, then to open the WSDL file in a browser I have to give a username and password?
I assume you are talking about HTTP basic authentication. It is one of the options (and IMHO a poor one, and it is strongly bound to the HTTP transport layer).
You can as well use the UsernameToken option. It looks similar to basic authentication: there's a username and password (or digest) in the SOAP header. As an advantage, I consider that this extension can be defined and enforced as part of the WSDL or security policy definition.
Message level security
Under this level we consider signing and/or encrypting the messages.
Upvotes: 2