Communication Security for Web Services

A Web Service (WS) is a self-contained, modularized function, that can be published, discovered, and accessed across a network using open standards. It represents an executable entity. For the caller or sender of a WS, a service is a black box that may require input and delivers a result. WS cover the provision of business integration functions within and across enterprises on top of any communication technology stack, whether synchronous or asynchronous.

The AS Java uses the WS Framework for Java as a pluggable infrastructure for declaring and using Web Services. A Web Service can be any component, for example EJBs, Java Classes (in Servlet Container), Portal Services. The Framework takes care to deserialize incoming XML SOAPData and invoke an implementation. In addition, based on a Web Services Definition Language (WSDL) Description a WS Proxy can be generated that exposes a Java Interface to the clients, and generates XML SOAP Messages.

For an overview of the communication flow, see the figure below.

Web Services Communication Flow

To use a WS, a WS Consumer initiates a transaction with a WS provider using the Simple Object Access Protocol (SOAP). The SOAPtransaction request is then transported over the network using the HTTP protocol. The transmission of the document can either be secured by using HTTP over SSL, or by signing and/or encrypting the SOAPdocument using OASIS WS Security.

You can use the AS Java to act both as a provider and as a consumer for Web Services. The SAP NetWeaver Developer Studio provides a design time development environment for publishing, discovering, and accessing Web services on the AS Java. Security related features such as communication type or authentication level can be assigned in the WS definition in an abstract form. The technical details of these features are then specified in the WS configuration. WS definitions and deployed Web Services are published in a UDDI registry. WSDL documents provide the basis for the WS consumer and can be found in the Service Registry using a Web browser or the standard UDDI API's.

The WS Consumer side derives the WS proxy generation based on the Web Service Definition, retrieved from the UDDI. Technical details that are predefined in the WS configuration are configured separately in the client runtime for the WS Container of the AS Java. For more information, see Configuring the Services Registry in the Administration Manual.

For an overview of the communication paths and the relevant security protection, see the table below.