SP-004: SOA Publication and Location Pattern
Legend: Not applicable.
Description: This pattern describes the controls needed to make sure that services can only be used and located by authorized service consumers. Describe any additional architectural principles that may be reflected in the pattern.
Assumptions: The WSDL interface (registry entry) of a web-service can be considered an (implicit) contract between the service provider and the service consumer. The ebXML suite of standards has some support for security properties.
Typical challenges: There are no standards/guidelines that would help to enforce the (implicit) contract. On the market there is some tooling around that help to write policies for contract enforcement/negotiation and then act like a service guard.
Indications: Whenever you can distinguish between trustworthy callers and less trusted callers. Trustworthiness typically is certified by those that operate or own the provided services.
Contra-indications: You do not need to implement registry protection if you trust all the potential callers.
Resistance against threats: Threat agents: Rogue employees, rogue developers, rogue suppliers
- NIST Special Publication 800-95: Guide to Secure Web Services
- Standards for securing web services
- Securing service based interactions
Related patterns: Uses the server module, is related to internal and external SOA service usage.
Classification: Middle ware