I am not sure if I should post this question here or instead in the Security Forum. However, I decided to post it here! I am using a Web Services architecture within my application, meaning that I have not exposed my web services to the Internet. Do I need to worry about Web Services security, the whole stuff of using XML Signatures, Encryption, etc.? In addition, I do not think I need to have SSL either for this. Please suggest. Thanks in advance, Pradeep
Hi, In my view, it is a must if necessary. Meaning, if you do not want your data to be viewed by eavesdroppers or any unintended person, you have to encrypt the XML payload over HTTP. Because any non-binary data in SOAP is sent as XML, any simple TCP tunneler tool could nicely display human-readable XML. Passwords are no exception, even if you are using basic HTTP authentication. Hence, I suggest you use at least a simple custom encoding scheme to keep your data genuine. I welcome your comments. Thanks, Rakesh.
Thanks, Rakesh, for your reply. However, my Web Services are consumed by my internal application only. The application server is located inside the DMZ, which means that the Web Services are not exposed to any outsider. However, anybody from the internal network can pry on the message, which of course would be clear text. In this scenario, is it worth going in for the Web Services Security stuff? Thanks, Pradeep
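
Added example, not part of the thread or written by either poster: a small audit helper that lists what anyone on the internal network can read from one SOAP call sent over plain HTTP with basic authentication, the situation both posts describe. The request, host name, account, password and payload are constructed for the example, and `exposure_report` is a hypothetical helper name.

```python
import base64
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"  # XML Encryption namespace

# Constructed sample: one SOAP call as seen on the wire over plain HTTP.
# Host, account, password and payload are invented for this example.
_TOKEN = base64.b64encode(b"svc_payroll:s3cret!").decode("ascii")
CAPTURED = (
    "POST /services/Payroll HTTP/1.1\r\n"
    "Host: appserver.internal.example\r\n"
    f"Authorization: Basic {_TOKEN}\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><GetSalary><employeeId>1042</employeeId></GetSalary></soap:Body>"
    "</soap:Envelope>"
)

def exposure_report(raw: str) -> dict:
    """List what a passive observer of this request can read."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    report = {"credentials": None, "readable_fields": {}, "findings": []}

    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        report["credentials"] = (user, password)
        report["findings"].append("Basic auth: Base64 is reversible, credentials exposed")

    # Sample input is trusted; use a hardened XML parser for real captures.
    root = ET.fromstring(body)
    encrypted = root.find(f".//{{{XMLENC}}}EncryptedData") is not None
    for el in root.iter():
        if len(el) == 0 and el.text and el.text.strip() and XMLENC not in el.tag:
            report["readable_fields"][el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    if report["readable_fields"] and not encrypted:
        report["findings"].append("SOAP body: cleartext XML, no EncryptedData element")
    return report

if __name__ == "__main__":
    for finding in exposure_report(CAPTURED)["findings"]:
        print(finding)
```

Both findings disappear from an observer's view once the call runs over TLS; XML Encryption of the body removes the second finding even where the transport is not protected end to end.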