My question is about the difference between the usual security expectations for a web application (intended for browser navigation) versus a SOAP web service.
For a web application, an acceptable solution for secure communication is HTTPS (transport level). However, in large companies, the web application is behind a reverse proxy/load balancer (and a web application firewall on top of it). The reverse proxy is able to decrypt the communication, and we expect it to decrypt the communication so as to analyse the traffic. Then it sends it to the web application in the private LAN (sometimes in plain HTTP).
For a secure SOAP web service, HTTPS can be used, but as explained in http://msdn.microsoft.com/en-us/library/ms977358.aspx, XML encryption (message level) is promoted so as to prevent intermediary points, such as the SOAP message router, from having access to the message. Then the SOAP message is sent (still encrypted) to the right service provider in the private LAN (only then can the message be decrypted).
In my eyes, the reverse proxy has the same position as the SOAP message router.
In this case, why would there be stronger security expectations for SOAP web services? Or am I wrong, and does my vision of web application architecture have weak security?
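
To make the comparison in the question concrete, here is an added example (not part of the original post) showing what an intermediary without the decryption key can read from a SOAP message in each case. It assumes routing on a WS-Addressing `wsa:To` header; the address, the `Pay` payload and the `CipherValue` are constructed placeholders, and no real encryption is performed.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def envelope(body_xml):
    # Constructed SOAP 1.1 envelope; the wsa:To address is hypothetical.
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsa="{NS["wsa"]}">'
        "<soap:Header><wsa:To>http://billing.internal.example/pay</wsa:To></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )

# Body as seen after TLS is terminated at a reverse proxy or WAF: plaintext.
PLAIN = envelope(
    '<Pay xmlns="urn:example:pay"><Account>CONSTRUCTED-123</Account><Amount>100</Amount></Pay>'
)

# Same message under XML Encryption; CipherValue is a constructed placeholder.
ENCRYPTED = envelope(
    f'<xenc:EncryptedData xmlns:xenc="{NS["xenc"]}" Type="{NS["xenc"]}Content">'
    f'<xenc:EncryptionMethod Algorithm="{NS["xenc"]}aes256-cbc"/>'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedData>"
)

def intermediary_view(xml_text):
    """Return what a node without the decryption key can learn from the message."""
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("not a SOAP envelope: missing Body")
    to = root.findtext("soap:Header/wsa:To", default=None, namespaces=NS)
    children = list(body)
    encrypted = bool(children) and all(
        c.tag == f'{{{NS["xenc"]}}}EncryptedData' for c in children
    )
    # Values an inspection rule could match on; none when the body is opaque.
    readable = [] if encrypted else [
        (e.tag.split("}")[-1], e.text) for e in body.iter() if e.text and e is not body
    ]
    return {"route_to": to, "body_encrypted": encrypted, "inspectable": readable}

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(name, intermediary_view(msg))
```

In both cases the header still tells the intermediary where to send the message; only in the plaintext case can a WAF rule inspect the payload values.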