WS-Security


WS-Security (Web Services Security) is a communications protocol providing a means for applying security to Web services. On April 19, 2004, the WS-Security 1.0 standard was released by OASIS-Open. On February 17, 2006, they released version 1.1.

Originally developed by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and is developed via committee in OASIS-Open.

The protocol contains specifications on how integrity and confidentiality can be enforced on Web services messaging. The WSS protocol includes details on the use of SAML and Kerberos, and certificate formats such as X.509.

WS-Security describes how to attach signatures and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer. Thus it ensures end-to-end security.
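As an added illustration (not part of the original article), the following Python sketch shows where these elements sit in a SOAP message and checks structurally that the signature's references cover the Body. The sample message, its placeholder token and signature values, and the function name are constructed for this example; no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the SOAP 1.1, WS-Security 1.0 and XML Signature specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample: the token and signature values are placeholders, not real data.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{x509}">UExBQ0VIT0xERVI=</wsse:BinarySecurityToken>
  <ds:Signature>
   <ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo>
   <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><GetQuote xmlns="urn:example:constructed"/></soap:Body>
</soap:Envelope>""".format(x509=X509V3, **NS)


def inspect_security_header(xml_text):
    """Summarize the wsse:Security header (structure only, no signature validation)."""
    root = ET.fromstring(xml_text)
    summary = {"tokens": {}, "signed_ids": [], "key_token": None, "body_signed": False}
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return summary  # no WS-Security header: nothing protects the message
    # Binary security tokens (e.g. X.509 certificates), keyed by their wsu:Id.
    for tok in sec.findall("wsse:BinarySecurityToken", NS):
        summary["tokens"][tok.get(WSU_ID)] = tok.get("ValueType")
    # Ids of the message parts the signature claims to cover.
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    summary["signed_ids"] = [r.get("URI", "").lstrip("#") for r in refs]
    # Token that the signature's KeyInfo points to.
    key = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if key is not None:
        summary["key_token"] = key.get("URI", "").lstrip("#")
    # Require exactly one Body, and that its wsu:Id is among the signed references.
    bodies = root.findall("soap:Body", NS)
    summary["body_signed"] = len(bodies) == 1 and bodies[0].get(WSU_ID) in summary["signed_ids"]
    return summary
```

A receiver would still have to validate the signature value and the certificate chain; this check only flags messages whose signature does not reference the Body at all.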

Associated specifications

The following draft specifications are associated with WS-Security:
*WS-SecureConversation
*WS-Federation
*WS-Authorization
*WS-Policy
*WS-Trust
*WS-Privacy
*WS-Test

See also

* List of Web service specifications
*WS-I Basic Security Profile
*Web Services
*SAML
*XML firewall
*XACML
*X.509

Alternative(s)

In point-to-point situations, confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security (TLS), for example, by sending messages over HTTPS. WS-Security, however, addresses the wider problem of maintaining integrity and confidentiality of messages until after a message has been sent from the originating node, providing so-called end-to-end security.

Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into ASCII before sending. A challenge in using TLS would be if messages needed to go through a proxy server, as it would need to be able to see the request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is operating on the message, it does not ensure end-to-end security, but only ensures point-to-point security.

See also

* .NET Web Services Enhancements

External links

* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS Web Services Security TC] (Contains links to download specification documents)
* [http://www-128.ibm.com/developerworks/library/specification/ws-secure/ WS-Security Specification]
* [http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html WS-I Basic Security Profile]
* [http://www.cgisecurity.com/ws/ Web Services Security Documentation]
* [http://msdn2.microsoft.com/en-us/library/aa480545.aspx Web Service Security Patterns]
* [http://ws.apache.org/wss4j/ WSS4J] (WS-Security Java Implementation from Apache)
* [http://ws.apache.org/rampart/ Apache Rampart] (WS-Security Java Implementation from Apache Axis2)
* [https://wsit.dev.java.net/ WSIT] Web Services Interoperability Technologies (WSIT) that enable interoperability between the Java platform and Windows Communication Foundation (WCF)


Wikimedia Foundation. 2010.
