
I know too little SOAP theory and need some help.
Imagine a web service and a client. There is also a gateway (facing the internet), which requests have to be relayed through.
The client authenticates with the gateway using a client certificate (transport security).
The gateway, in turn, uses message credentials to authenticate with the web service.

My question: Is it reasonable that the gateway, after getting the response from the web service, forwards the Security header to the client?

I'm thinking that it "feels" like that should be for the GW -> Web Service link only, since the client didn't use any message security in its request, but am I right or wrong?

Niklas

1 Answer


You're talking about three completely different layers of the network stack. Whether you encrypt your transport with HTTPS has absolutely nothing to do with whether or not you wish to protect your message payload with WS-I security.

Two good articles on WS-Security (at least from a Microsoft/.Net perspective):

In answer to your question: if you have a SOAP security header, then you ARE using WS-Security, and the client IS passing it to your web service link. Typically, this is transparent to both your client code and your server code; it's handled by the "middleware" in your .Net libraries.

FoggyDay
  • I just wanted to mention the transport security to avoid non-answers complaining about lack of encryption :) But I realize it probably clutters the real question. Will edit. As stated in the question, I do not use WS security from the client. Only from gateway to web service. The header I'm talking about is returned from the service to the gateway, then the gateway forwards it in the reply to the client. That's what seems wrong to me. – Niklas Apr 15 '14 at 06:41
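
An added example, not part of the question or the answer and not any gateway product's own code: if the gateway treats the WS-Security header as scoped to the gateway-to-service hop, as the question suggests, it can drop the `wsse:Security` block from the service's response before relaying it to the client. The function name `strip_hop_security` and the sample envelope are constructed for illustration; it assumes the gateway has already validated the header itself.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE = OASIS + "secext-1.0.xsd"
WSU = OASIS + "utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: a service response as the gateway receives it.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP_NS[0]}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <s:Header>
    <wsse:Security s:mustUnderstand="1">
      <wsu:Timestamp><wsu:Created>2014-04-15T06:41:00Z</wsu:Created></wsu:Timestamp>
    </wsse:Security>
    <t:TraceId xmlns:t="urn:example:trace">abc-123</t:TraceId>
  </s:Header>
  <s:Body><r:Status xmlns:r="urn:example:orders">OK</r:Status></s:Body>
</s:Envelope>""".encode()


def strip_hop_security(raw: bytes) -> bytes:
    """Return the SOAP response with every wsse:Security header block removed."""
    if b"<!DOCTYPE" in raw:
        # SOAP messages must not carry a DTD; failing closed also blocks entity tricks.
        raise ValueError("DTD in SOAP message")
    root = ET.fromstring(raw)
    ns = next((n for n in SOAP_NS if root.tag == f"{{{n}}}Envelope"), None)
    if ns is None:
        raise ValueError("not a SOAP envelope")
    body = root.find(f"{{{ns}}}Body")
    # An encrypted body depends on key material in the Security header, so the
    # gateway has to decrypt it rather than relay ciphertext the client cannot read.
    if body is not None and body.find(f".//{{{XENC}}}EncryptedData") is not None:
        raise ValueError("encrypted body: decrypt at the gateway before relaying")
    header = root.find(f"{{{ns}}}Header")
    if header is not None:
        for block in header.findall(f"{{{WSSE}}}Security"):
            header.remove(block)          # other header blocks are left in place
        if len(header) == 0:
            root.remove(header)           # Header is optional; drop it when empty
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print(strip_hop_security(SAMPLE).decode())
```

Serialization rewrites the namespace prefixes (`ns0`, `ns1`, ...), which is harmless here because no signature over the message remains once the header is gone.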