WS-Security

The WS-Security specification proposes a standard set of SOAP extensions that can be leveraged when building secure Web services to implement confidentiality, or the ability to leverage Web services without having to worry about others getting into your business.

WS-Security is designed as the base for the construction of a wide variety of security models, which includes

• PKI

• Kerberos

• SSL

Moreover, WS-Security provides support for multiple security tokens, multiple trust domains, multiple signature formats, and multiple encryption technologies.

This standard defines three main mechanisms:

Each of these technologies do not provide a complete security solution, and WS-Security is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to leverage a wide range of security and encryption technologies. You may use these independently (e.g., to pass a security token) or tightly integrated; for example, signing and encrypting a message and providing a security token hierarchy associated with the keys used for signing and encryption.^[1]

^[1] Web Services Security (WS-Security) Specification. http://www-106.ibm.com/developerworks/webservices/library/ws-secure/.

The importance of leveraging this standard in the world of application integration is obvious, as we seek ways to exchange messages between enterprises with the assurance that others outside the trading partners won't have access to them. The support for multiple security standards is an added value as well, considering the number of organizations that may be involved and the diverse security technologies that may be in place.