WS-Security
WS-Security is a standard from the WS-* family of specifications. In essence, it describes a communication protocol that allows security aspects to be taken into account in web services. Version 1.0 of the OASIS standard was published on April 19, 2004 and updated to version 1.1 on February 17, 2006.
Originally developed by IBM, Microsoft and Verisign, the standard is now being further developed by a committee as part of OASIS Open.
The standard contains specifications that prescribe how message integrity and encryption can be ensured in the context of web services. However, WS-Security does not prescribe all the details itself, but relies on already existing mechanisms (XML Signature and XML Encryption).
WS-Security includes three main mechanisms:
- transmitting security tokens as part of the SOAP message,
- signing messages, and
- encrypting messages.
It specifies exactly where and how signatures, encryption information and said security tokens must be inserted in the SOAP message.
Profiles for security tokens
A distinction is made between the following profiles for creating the security token:
Associated specifications
The following WS-* specifications are closely related to WS-Security:
Implementations
Alternatives
Instead of securing the message layer with WS-Security, one can secure the transport layer, for example with a protocol such as HTTPS. This has the following disadvantages:
- When communicating via several nodes, there is no longer any direct "end-to-end security".
- Protection is all-or-nothing for the whole transmission, whereas message-layer security offers finer granularity.
Web links
- OASIS Web Services Security TC (contains links to the specification documents)
- WS-Security Specification (Memento from September 16, 2012 in the Internet Archive)