Webservice: Design and Security considerations to take into account?

What design patterns must be evaluated while implementing a web service?

More importantly, what security aspects must be taken into account for a web service? Since a WSDL contains the complete information of the service including the input, output formats and access url, doesn't security get compromised with web service?

Thanks in advance,

Edit

Would just like to add a couple of things.

I am developing the service in Java that would be deployed on a JBoss server hosted on a Linux (Fedora) machine.

As far as authentication mechanism is considered for invoking the services, yes I do have that in place. Unless the user gets a token, he would not be able to use the other services which actually perform the business operation.

Also, have hidden the actual request in 2 layers of XML using CDATA for the actual request body inside the SOAP Envelope body. Something like the below code.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:myns="http://testserver/testservice">
   <soapenv:Header/>
   <soapenv:Body>
      <myns:Operation>
         <myns:OperationRequestBody><![CDATA[-- actual request XML goes here --]]></myns:OperationRequestBody>
      </myns:Operation>
   </soapenv:Body>
</soapenv:Envelope>

Is there any security aspect for开发者_高级运维 URL - say using HTTPS protocol, which I understand would be a configuration at the server level.

well it depends on number of things:

• whether you are exposing your webservice inside the organization (where you dont have to worry much about security) as opposed to exposing the webservice externally.

one thing we do (when we expose internally), we use Windows/NTLM authentication so that specific people in our domain can run it.

I would make sure i dont expose anything that can crush the web service :) (like GetAllData or smth similar) so that you expose only methods that is stateless and easy to throttle if needed.

also, used confluence's API (based on webservice), and they used Authentication mechanism, where you logon first, and you are given token, and you have to attach that token on every web service call that you do.