لطفا منتظر باشید ...
Chapter 4. Security
Security Policies" section. By retrieving these policy assertions, an application can build messages that comply with the requirements of the target service. This combination of features provided by claims, security tokens, and policies, and the ability to retrieve them from a Web service, is powerful.The general Web services security model supports several more specific security models, such as identity-based authorization, access control lists, and capabilities-based authorization. It allows the use of existing technologies such as X.509 public key certificates, XML-based tokens, Kerberos shared-secret tickets, and password digests. The security model is sufficient to construct systems that use more sophisticated approaches for higher-level key exchange, authentication, policy-based access control, auditing, and complex trust relationships. Proxies and relay services may also be used. For example, a relay service can be built to enforce a security policy at a trust boundary; messages going outside the boundary are encrypted while those that stay within the boundary are unencrypted. This flexibility and degree of sophistication is not present in previous solutions.Appendix C ("Common Security Attacks") include a base taxonomy of system threats that you should carefully consider when choosing Web services security features.The remainder of this chapter explores the application of the Web services security model. Three key topics are securing communications, securing applications, and identity propagation in a federation. A secure message transport is not assumed, nor is it necessary for secure Web services.
