I want to implement a web service for an Enterprise Application. Security is a key concern over there.
I am little bit confused regarding Security prospective of Rest and Soap.
What I read is, Soap with WS-Security (As can be implemented using Rampart and Axis2) can provide Application Layer Security, whereas REST can be used with HTTPS to provide Transport Layer Security.
Now, here I got a doubt.
For the current scenario, let Confidentiality of the data is of prime importance.
Now, while using REST with SSL, to have end to end security if I encrypt the Data and thereby create the xml/json file on the data (say for example, using some libraries like Jersey), will that be a good option compared to WS-Security with SOAP?
The reason that SOAP has WS-Security is that SOAP is meant to be transport neutral, meaning it can work over HTTPS, JMS, or whatever new protocol is created tomorrow. The specification owners felt the need to define a consistent approach to implementing authentication for SOAP and naturally couldn’t rely on a transport specific mechanism such as HTTP authentication for example. So SOAP has WS-Security as a result. WS-Security also provides for other aspects of security such as encryption for the same reason.
For a REST based approach, it is possible to use HTTPS to get the same type of security. HTTP defines a few different approaches to authentication that can be used in a RESTful architecture. It is also possible to use other authentication mechanisms on top of HTTP if the default mechanisms aren’t sufficient.