Security

This specification relies on the OASIS WS-Security standard to provide basic security for a web service transaction between two or more parties. WS-Security provides end-to-end, message-level security that achieves three goals:

  1. Message integrity, so that the parties involved can verify that the message was not modified in transit through intermediate routers. Signatures, and the tickets or certificates that back them, are carried using the XML Signature specification.
  2. Confidentiality, so that message content cannot be sniffed or read while in transit. Confidentiality is implemented using the XML Encryption specification; specifically, WS-Security uses three elements: EncryptedData, EncryptedKey and ReferenceList.
  3. Authentication of each party via security tokens such as username/password, Kerberos tickets or X.509 certificates. Username/password authentication requires that the parties have prior knowledge of each other's credentials.

The default mechanism this spec recommends is username/password over SSL.
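As an added illustration of that default (not code from the original page or from any project it describes), the following Python builds a wsse:Security header carrying a WS-Security UsernameToken and shows the receiver-side checks that keep username/password usable even when the transport is SSL: digest recomputation, a freshness window on wsu:Created, and a nonce cache against replay. The UsernameToken Profile's digested-password form (Base64(SHA-1(nonce + created + password))) is assumed rather than the plain-text form; the user table, nonce and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created layout used here (xsd:dateTime in UTC)
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def password_digest(nonce, created, password):
    # UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_security_header(username, password, nonce=None, created=None):
    """Client side: a wsse:Security header carrying a digested-password UsernameToken."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")

def verify_security_header(xml, lookup_password, seen_nonces, now=None, max_age_s=300):
    """Server side: (True, username) or (False, reason). `now` is a TS string so tests are deterministic."""
    tok = ET.fromstring(xml).find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    username = tok.findtext(f"{{{WSSE}}}Username") or ""
    digest = tok.findtext(f"{{{WSSE}}}Password") or ""
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
    created = tok.findtext(f"{{{WSU}}}Created") or ""
    created_dt = datetime.strptime(created, TS)
    now_dt = datetime.strptime(now, TS) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    if abs((now_dt - created_dt).total_seconds()) > max_age_s:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    # Always compute a digest (unknown user -> empty password) so lookup failures are not timing-visible
    expected = password_digest(nonce, created, lookup_password(username) or "")
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return False, "bad credentials"
    seen_nonces.add(nonce)  # remember the nonce only after a successful check
    return True, username
```

In a real deployment the nonce cache must be shared across server instances and pruned once entries are older than the freshness window, otherwise it grows without bound.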

The WS-Security specification provides several methods for securing communications. Two systems can both conform to the WS-Security spec and still fail to authenticate each other if one system only supports, say, username/password while the other expects digital signatures. Consequently, this specification also recommends WS-SecurityPolicy for stating security policies that define which message-integrity mechanisms a system supports and/or which encryption algorithms it accepts for confidentiality.

The recommendation of username/password over SSL is the minimum level of security. Additional security measures can be implemented by agreement between the parties. Future specifications may specify additional security measures.

[Optional] WS-Trust, WS-SecureConversation, WS-Federation, WS-Privacy, and WS-Authorization are not recommended for this spec revision.