WS-Security

WS-Security is a standard from the family of WS-* specifications. In essence, it describes a communication protocol that makes it possible to address security aspects of Web services. On 19 April 2004 the OASIS standard was published as version 1.0, and on 17 February 2006 it was updated to version 1.1.

Originally developed by IBM, Microsoft and VeriSign, the standard is now maintained by a committee within OASIS Open.

The standard includes specifications that dictate how message integrity and encryption can be ensured within the framework of web services. However, WS-Security does not specify all the details itself; instead it largely builds on existing methods (XML Signature and XML Encryption).

WS-Security comprises three main mechanisms:

  • the ability to transmit security tokens as part of the SOAP message,
  • signing of messages, and
  • encryption of messages.

It prescribes exactly where and how signatures, encryption information and the security tokens mentioned above must be inserted into the SOAP message.

Profiles for security tokens

The following profiles for creating the security token are distinguished:

  • Username
  • X.509 certificate
  • Kerberos ticket
  • SAML assertion
  • REL document

Related specifications

The following WS-* specifications are closely related to WS-Security:

Implementations

  • XWSS
  • WSS4J

Alternatives

Instead of WS-Security (message layer security), security can also be provided at the transport layer, for example with protocols such as HTTPS. This has the following disadvantages:

  • When communicating across multiple nodes, there is no longer direct end-to-end security.
  • All-or-nothing transmission: message layer security allows finer granularity, since protection can be applied to individual parts of a message rather than to the whole connection.