A Security Administrator has some concerns about the confidentiality of data when using SOAP.
Which of the following BEST describes the Security Administrator’s concerns?
A. The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted.
Explanation
XML defines a universal format for exchanging application data. The universal XML specification alone, however, is not enough to provide developers with the infrastructure they need to create easy and elegant web services. Although XML provides an efficient format for reading and writing program data, XML alone does not provide a standard format for structuring and interpreting that data. The SOAP specification fills that role. SOAP is a standard protocol for exchanging XML-based messages that pass between the web-service client and server.
SOAP is designed to support communication between so-called SOAP nodes. (A SOAP node is basically a computer or application that supports SOAP.) The SOAP specification defines the structure of a message that passes from the SOAP sender to the SOAP receiver. Along the way, the message might pass through intermediate nodes that process the information in some way. An intermediate node might provide logging, or it might modify the message somehow in transit to its final destination.
At the conceptual level, a SOAP message from the client says, “Here is some input. Process this and send me the output.” The functionality of the application derives from a series of these XML-based SOAP messages in which the endpoints send information and receive responses. The formal structure of the SOAP message allows the software developer to easily create a SOAP-based client application that interacts with the server. For instance, a rental company that provides car rental reservations through a web-based server application could easily make the specifications available for a developer to write a custom client application that could connect to the server and reserve a car.
The structure of a SOAP message consists of an optional header and a message body. The header contains callouts, definitions, and meta-information that will be used by any node along the message path. The body includes data intended for the message recipient. For example, in the case of the car reservation service, the message body might contain data from the client describing the car the customer would like to rent and the date the vehicle must be available.
Because the SOAP Header is an optional object, you might or might not find header information serialized in a given SOAP packet. But if there is header information, all of that information must be serialized within the SOAP Header object, which must be the first (XML) child of the Envelope element. That's where you'll find it, but what is it used for?
Well, in a nutshell, the SOAP Header is used to transmit auxiliary information relevant to the Web Service processing that isn't part of the method signature. For example, imagine that you have a Web Service that specifies the toppings and crust style of the pizza that you intend to order (in C#):
OrderInfo OrderPizza(int[] toppings, int[] crust, PaymentInfo pi);
For this example, assume that the OrderInfo structure contains delivery information such as order confirmation, delivery timeline, and so on. The integer arrays contain integers that enumerate the various toppings and crusts available to you. The payment information structure contains payment data, such as a credit card number.
The Web Service, in this case, accepts your pizza order (presumably, you called another Web Service before this to establish your identity and delivery information). But it isn't a stretch to believe that there should be some sort of encryption associated with this invocation. That is, as the customer, you probably want to see at least the payment information, if not the entire packet, encrypted.
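The following is an added example, not part of the original question or explanation, that makes the concern in answer A concrete for the pizza order above: it builds a SOAP envelope whose Header travels in the clear and whose Body is only partially protected (the PaymentInfo element is replaced by an XML Encryption EncryptedData block), then shows what an intermediary node can read without the key. The header field names, the ciphertext bytes and the session value are constructed placeholders; the namespaces are the standard SOAP 1.1 and XML Encryption ones.

```python
# Added example (not the page's own code): what a SOAP intermediary can read
# when only part of the Body is protected with XML Encryption.
# The ciphertext passed in is a constructed stand-in for real AES output.
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
AES_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
ET.register_namespace("soap", SOAP)
ET.register_namespace("xenc", XENC)


def build_envelope(payment_ciphertext: bytes) -> bytes:
    """Pizza-order envelope: Header in clear, toppings in clear, PaymentInfo encrypted."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, "RoutingHint").text = "store-42"        # constructed, readable by every node
    ET.SubElement(header, "SessionId").text = "constructed-session"
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    order = ET.SubElement(body, "OrderPizza")
    ET.SubElement(order, "toppings").text = "3 7"                 # still plaintext in the Body
    enc = ET.SubElement(order, f"{{{XENC}}}EncryptedData")        # replaces <PaymentInfo>
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm=AES_CBC)
    cdata = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ET.SubElement(cdata, f"{{{XENC}}}CipherValue").text = base64.b64encode(payment_ciphertext).decode()
    return ET.tostring(env, encoding="utf-8")


def intermediary_view(envelope: bytes) -> dict:
    """Classify what a node on the message path sees without the decryption key."""
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    body = root.find(f"{{{SOAP}}}Body")
    readable = [f"Header/{h.tag}={h.text}" for h in header]     # whole Header is visible
    encrypted = []
    for el in body.iter():
        if el.tag == f"{{{XENC}}}EncryptedData":
            # Only the algorithm identifier is visible; the payload is opaque.
            encrypted.append(el.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm"))
        elif el.text and el.text.strip() and not el.tag.startswith(f"{{{XENC}}}"):
            readable.append(f"Body/{el.tag}={el.text}")
    return {"readable": readable, "encrypted_blocks": encrypted}


if __name__ == "__main__":
    env = build_envelope(b"\x8f\x12constructed-ciphertext")
    print(intermediary_view(env))
```

Intermediaries that need routing or session data read the Header as-is, while the card number is reachable only by the node holding the key; encrypting the whole Body would hide the toppings as well.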