accesscontrol article authentication dev development distributed fusion ibm it oasis programming security services soa tech was web web-service webdev webservice webservices wikipedia-entry work ws ws-* ws-security ws-standards wsdl wss

My tags:

From Wikipedia, the free encyclopedia

WS-Security (Web Services Security) is a communications protocol providing a means for applying security to Web services. On April 19 2004 the WS-Security 1.0 standard was released by Oasis-Open. On February 17 2006 they released version 1.1.

Originally developed by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and developed via committee in Oasis-Open.

The protocol contains specifications on how integrity and confidentiality can be enforced on Web services messaging. The WSS protocol includes details on the use of SAML and Kerberos, and certificate formats such as X.509.

WS-Security describes how to attach signatures and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer. Thus it ensures end-to-end security.

Contents 1 Associated specifications 2 See also 3 Alternative(s) 4 See also 5 External links

[edit] Associated specifications

The following draft specifications are associated with WS-Security:

• WS-SecureConversation
• WS-Federation
• WS-Authorization
• WS-Policy
• WS-Trust
• WS-Privacy
• WS-Test

[edit] See also

• List of Web service specifications (WS-*)
• XML Encryption
• WS-I Basic Security Profile
• Web Services
• SAML
• XML firewall
• XACML
• X.509

[edit] Alternative(s)

In point-to-point situations confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security (TLS), for example, by sending messages over https. WS-Security however addresses the wider problem of maintaining integrity and confidentiality of messages until after a message was sent from the originating node, providing so called end to end security.

Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into ASCII before sending. A challenge in using TLS would be if messages needed to go through a proxy server, as it would need to be able to see the request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is operating on the message, it does not ensure end to end security, but only ensures point-to-point security.

[edit] See also

• .NET Web Services Enhancements

[edit] External links

• OASIS Web Services Security TC (Contains links to download specification documents)
• WS-Security Specification
• WS-I Basic Security Profile
• Web Services Security Documentation
• Web Service Security Patterns
• WSS4J (WS-Security Java Implementation from Apache)
• Apache Rampart (WS-Security Java Implementation from Apache Axis2)
• WSIT Web Services Interoperability Technologies (WSIT) that enable interoperability between the Java platform and Windows Communication Foundation (WCF)

v • d • e Standards of OASIS BCM · CAM · CAP · CIQ · DSS · DocBook · DITA · ebXML · OpenDocument · SAML · SDD · SPML · UBL · WSDM · XRI · XDI · WSRF · WSS · XACML