This specification relies on the OASIS WS-Security standard to provide basic security during a web service transaction between two or more parties. WS-Security provides end-to-end message-level security that achieves 3 goals:
The default mechanism which this spec recommends is username/password over SSL.
The WS-Security specification provides several methods for securing communications. Two systems can conform to the WS-Security spec and still fail to authenticate each other if one system only supports, say, username/password while the other expects digital signatures. Consequently, this specification also recommends WS-Security Policy, which lets each system declare which message integrity mechanisms it supports and which encryption algorithms it accepts for confidentiality.
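The mismatch described above, as an added example that is not part of the specification: a simplified Python check that reads two WS-SecurityPolicy documents and reports whether they share a token type. The policy documents are constructed samples, the function names are hypothetical, and the check is a simplification rather than the full WS-Policy intersection algorithm.

```python
import xml.etree.ElementTree as ET

# Namespaces: WS-Policy 1.5 and WS-SecurityPolicy 1.2.
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SUPPORTING = {"SupportingTokens", "SignedSupportingTokens"}

def policy(inner):
    """Wrap constructed assertions in a wsp:Policy element."""
    return f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">{inner}</wsp:Policy>'

# Constructed sample: the recommended default, UsernameToken over HTTPS.
SERVICE = policy(
    "<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>"
    "<sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy>"
    "</sp:TransportBinding>"
    "<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/>"
    "</wsp:Policy></sp:SignedSupportingTokens>")
# Constructed sample: a peer that only offers X.509 tokens.
X509_PEER = policy(
    "<sp:SignedSupportingTokens><wsp:Policy><sp:X509Token/>"
    "</wsp:Policy></sp:SignedSupportingTokens>")

def summarize(policy_xml):
    """Return (token assertion names, whether an HttpsToken transport is declared)."""
    root = ET.fromstring(policy_xml)
    tokens = set()
    for el in root.iter():
        ns, _, local = el.tag[1:].partition("}")
        if ns == SP and local in SUPPORTING:
            # Token assertions sit inside the nested wsp:Policy element.
            for tok in el.iterfind(f"{{{WSP}}}Policy/*"):
                tokens.add(tok.tag.partition("}")[2])
    https = any(True for t in root.iter(f"{{{SP}}}TransportToken")
                for _ in t.iter(f"{{{SP}}}HttpsToken"))
    return tokens, https

def check_peers(a_xml, b_xml):
    """Report token types both sides accept; an empty set means no common mechanism."""
    (a_tok, a_https), (b_tok, b_https) = summarize(a_xml), summarize(b_xml)
    return {"common_tokens": a_tok & b_tok, "https_required": a_https or b_https}

if __name__ == "__main__":
    print(check_peers(SERVICE, X509_PEER))
```

An empty `common_tokens` set is the failure case from the paragraph above: both sides are valid WS-Security implementations with nothing in common. Policy documents received from a peer are untrusted input and should be parsed with a hardened XML parser.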
The recommendation of using username/password over SSL is the minimum level of security. Additional security measures can be implemented by agreement between the parties. Future specifications may specify additional security measures.
[Optional] WS-Trust, WS-SecureConversation, WS-Federation, WS-Privacy, and WS-Authorization are not recommended for spec revision.