WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
The Web Services Security specification (WS-Security) provides a set of mechanisms to help developers of Web Services secure SOAP message exchanges. Specifically, WS-Security describes enhancements to the existing SOAP messaging to provide quality of protection through the application of message integrity, message confidentiality, and single message authentication to SOAP messages. These basic mechanisms can be combined in various ways to accommodate building a wide variety of security models using a variety of cryptographic technologies.
WS-Security also provides a general-purpose mechanism for associating security tokens with messages. However, no specific type of security token is required by WS-Security. It is designed to be extensible (e.g. to support multiple security token formats) to accommodate a variety of authentication and authorization mechanisms. For example, a requestor might provide proof of identity and a signed claim that they have a particular business certification. A Web service receiving such a message could then determine what kind of trust to place in the claim.
Additionally, WS-Security describes how to encode binary security tokens and attach them to SOAP messages. Specifically, the WS-Security profile specifications describe how to encode Username Tokens, X.509 Tokens, SAML Tokens, REL Tokens and Kerberos Tokens, as well as how to include opaque encrypted keys, as a sample of different binary token types. With WS-Security, the domain of these mechanisms can be extended by carrying authentication information in Web services requests. WS-Security also includes extensibility mechanisms that can be used to further describe the credentials that are included with a message. WS-Security is a building block that can be used in conjunction with other Web service protocols to address a wide variety of application security requirements.
Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the appropriate sender and were not modified in transit. Similarly, message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.
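As an added example (not code from the original page or from the OASIS specification), the following Python builds the Username Token mentioned above in its PasswordDigest form, per the UsernameToken Profile 1.0, and verifies it on the receiving side, checking the Created timestamp and rejecting a reused nonce. The SOAP 1.1 envelope, the `ping` body, and the user names and passwords are constructed for illustration.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and Type URIs taken from WS-Security 1.0 and the UsernameToken Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS = "%Y-%m-%dT%H:%M:%SZ"  # assumption: whole-second xsd:dateTime in UTC, no fractional part

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile rule: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(username, password, nonce=None, created=None):
    """Requester side: SOAP 1.1 envelope whose Security header carries a digest UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or dt.datetime.now(dt.timezone.utc).strftime(TS)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
            f'</soapenv:Header><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')

def verify_envelope(xml_text, lookup_password, now, seen_nonces, max_skew=300):
    """Receiver side: accept only a fresh, unreplayed digest token for a known user."""
    tok = ET.fromstring(xml_text).find(f".//{{{WSSE}}}UsernameToken")
    pw = None if tok is None else tok.find(f"{{{WSSE}}}Password")
    nonce_el = None if tok is None else tok.find(f"{{{WSSE}}}Nonce")
    created = None if tok is None else tok.findtext(f"{{{WSU}}}Created")
    # Reject PasswordText and any token missing the nonce or timestamp needed for freshness.
    if pw is None or nonce_el is None or created is None or pw.get("Type") != DIGEST:
        return False
    created_dt = dt.datetime.strptime(created, TS).replace(tzinfo=dt.timezone.utc)
    nonce = base64.b64decode(nonce_el.text or "")
    # A stale (or far-future) Created, or a nonce already accepted, is treated as a replay.
    if abs((now - created_dt).total_seconds()) > max_skew or nonce in seen_nonces:
        return False
    secret = lookup_password(tok.findtext(f"{{{WSSE}}}Username") or "")
    if secret is None or not hmac.compare_digest(password_digest(nonce, created, secret), pw.text or ""):
        return False
    seen_nonces.add(nonce)  # keep accepted nonces for at least max_skew seconds
    return True
```

Malformed XML, a non-base64 nonce or an unparseable Created raise exceptions from the standard library; a receiver should catch them and treat the message as rejected.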
| Description | Date | Access method |
|---|---|---|
| WS-Security specification (OASIS) | Current | HTTP Web page |
By using the SOAP extensibility model, SOAP-based specifications are designed to be composed with each other to provide a rich messaging environment. By itself, WS-Security does not ensure security nor does it provide a complete security solution. WS-Security is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models and encryption technologies. Implementing WS-Security does not mean that an application cannot be attacked or that the security cannot be compromised.
You may want to check out the Web Services Security Addendum:
- Read the related Web Services Trust specification, which explains how trust relationships are defined between Web services.
- Web Services Addressing defines how to identify services across a network.
- Web Services Federation defines mechanisms that allow different security realms to federate by allowing and brokering trust of identities, attributes and authentication between participating Web services.
- Web Services Policy Framework defines how to apply policies to control the behavior of individual services.
- WS-SecureConversation defines extensions that build on WS-Security to provide secure communication.
- WS-SecurityPolicy is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models.
- SOAP 1.1 is the basic messaging transport for all Web services, while SOAP 1.2 offers enhancements to the message framework.
- WSDL 1.1 is the current standard language for service description.
- XML Schema, Part 1 and Part 2 are specifications that explain how schemas are organized in XML documents.
- Learn more about the OASIS Web Services Security Technical Committee.
- Implementing WS-Security discusses the security-related requirements of Web services and how they are met using a combination of HTTPS/SSL, digital certificates, and digital signature technologies.
- Best Practices for Web services: Web services security, Part 1 explains the mechanics of how WS-Security works and the options it affords in a service-oriented architecture.
- Best Practices for Web services: Web services security, Part 2 outlines WS-Security capabilities leveraged in real-world customer solutions.
- Security in a Web Services World: A Proposed Architecture and Roadmap describes a proposed strategy for addressing security within a Web service environment.
- Web services standards roadmap.
