developerWorks

AIX and UNIX
Information Mgmt
Lotus
Rational
Tivoli
WebSphere

Java™ technology
Linux
Open source
SOA and Web services
	New to SOA and Web services
	Downloads & products
	Open source projects
	Standards
	Technical library
	Training
	Forums
	Events
Web development
XML

My developerWorks
About dW
Submit content
Feedback

Related links
	ISV resources
	alphaWorks (emerging technologies)
	IBM Academic Initiative
	IBM Student Portal
	IBM Virtual Innovation Center (Bus. Partners)
	IBM Redbooks
	IBM Press books
	IBM communities

Local sites
	developerWorks 中国
	developerWorks Japan
	developerWorks 한국
	developerWorks Россия
	developerWorks Brasil
	developerWorks en español
	developerWorks Việt Nam

developerWorks > SOA and Web services >

Web Services Security

Level: Advanced

Contributors: Various

05 Apr 2002
Updated 01 Mar 2004

WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

The Web Services Security specification (WS-Security) provides a set of mechanisms to help developers of Web Services secure SOAP message exchanges. Specifically, WS-Security describes enhancements to the existing SOAP messaging to provide quality of protection through the application of message integrity, message confidentiality, and single message authentication to SOAP messages. These basic mechanisms can be combined in various ways to accommodate building a wide variety of security models using a variety of cryptographic technologies.

WS-Security also provides a general-purpose mechanism for associating security tokens with messages. However, no specific type of security token is required by WS-Security. It is designed to be extensible (e.g. support multiple security token formats) to accommodate a variety of authentication and authorization mechanisms. For example, a requestor might provide proof of identity and a signed claim that they have a particular business certification. A Web service, receiving such a message could then determine what kind of trust they place in the claim.

Additionally, WS-Security describes how to encode binary security tokens and attach them to SOAP messages. Specifically, the WS-Security profile specifications describes how to encode Username Tokens, X.509 Tokens, SAML Tokens , REL Tokens and Kerberos Tokens as well as how to include opaque encrypted keys as a sample of different binary token types. With WS-Security, the domain of these mechanisms can be extended by carrying authentication information in Web services requests. WS-Security also includes extensibility mechanisms that can be used to further describe the credentials that are included with a message. WS-Security is a building block that can be used in conjunction with other Web service protocols to address a wide variety of application security requirements.

Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the appropriate sender and were not modified in transit. Similarly, message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.

Get the specification

Description	Date	Access method
WS-Security specification (OASIS)	Current	HTTP Web page

By using the SOAP extensibility model, SOAP-based specifications are designed to be composed with each other to provide a rich messaging environment. By itself, WS-Security does not ensure security nor does it provide a complete security solution. WS-Security is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models and encryption technologies. Implementing WS-Security does not mean that an application cannot be attacked or that the security cannot be compromised.

You may want to check out the Web Services Security Addendum:

Web Services Security Addendum.

Resources

Read the related Web Services Trust specification that explains how trust relationships are defined between Web services.
Web Services Addressing defines how to identify services across a network.
Web Services Federation defines mechanisms to allow different security realms to federate by allowing and brokering trust of identities, attributes, authentication between participating Web services.
Web Services Policy Framework defines how to apply policies to control individual services behavior.
WS-SecureConversation defines extensions that build on WS-Security to provide secure communication.
WS-SecurityPolicy is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models.
SOAP 1.1 is the basic messaging transport for all Web services while SOAP 1.2 offers enhancements to the message framework.
WSDL 1.1 is the current standard language for services description.
XML Schema, Part 1 and Part 2 are specifications that explain how schemas are organized in XML documents.
Learn more about the OASIS Web Services Security Technical Committee.
Implementing WS-Security discuss the security-related requirements of Web services and how they are met using a combination of HTTPS/SSL, digital certificates, and digital signature technologies.
Best Practices for Web services: Web services security, Part 1 explains the mechanics of how WS-Security works and the options it affords in a service-oriented architecture.
Best Practices for Web services: Web services security, Part 2 outlines WS-Security capabilities leveraged in real-world customer solutions.
Security in a Web Services World: A Proposed Architecture and Roadmap describes a proposed strategy for addressing security within a Web service environment.
Web services standards roadmap.

Back to top

Document options

Document options requiring JavaScript are not displayed

My developerWorks needs you!

Connect to your technical community