Released in April 2002, a draft of the WS-Security specification was one of the first to be co-authored by IBM, Microsoft, and VeriSign. In general, the WS-Security specification aims to guarantee integrity and confidentiality of SOAP messages used in a Web services environment.
Although a number of security identifiers (known as tokens) can be used with WS-Security, the specification itself is designed to be extensible, allowing anyone to expand and introduce a customized token format. The specification also describes how to encode X.509 certificates, Kerberos tickets, and UsernameTokens as part of a message.
For authentication, implementations of the specification typically support an unsigned security token (such as a username and password token) or a signed security token (either an X.509 certificate or a Kerberos ticket). These authentication mechanisms are used in conjunction with claims. A claim is a statement that a client makes (for example, a name, privilege, or capability).
For encryption, the specification leverages the XML Encryption standard. Three elements of the XML Encryption standard (xenc:ReferenceList, xenc:EncryptedKey, and xenc:EncryptedData) can be used within the WS-Security header. The specification itself, and some extended samples, can be found at: http://msdn.microsoft.com/webservices/building/wse/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp.
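The header layout described above, as an added example that is not taken from the specification or its samples: a small Python check that lists the tokens and XML Encryption elements in a wsse:Security header and flags any xenc:DataReference that does not resolve to an xenc:EncryptedData in the message. The sample message, the function names, and the two accepted wsse namespace URIs (the April 2002 draft and OASIS WSS 1.0) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = {  # assumed: April 2002 draft namespace and the later OASIS WSS 1.0 one
    "http://schemas.xmlsoap.org/ws/2002/04/secext",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
TOKENS = {"UsernameToken", "BinarySecurityToken"}
XENC_IN_HEADER = {"ReferenceList", "EncryptedKey", "EncryptedData"}
# Constructed sample message; names and values are placeholders.
SAMPLE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <S:Header><wsse:Security>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <xenc:ReferenceList>
      <xenc:DataReference URI="#body1"/>
      <xenc:DataReference URI="#missing"/>
    </xenc:ReferenceList>
  </wsse:Security></S:Header>
  <S:Body><xenc:EncryptedData Id="body1"/></S:Body>
</S:Envelope>"""

def qname(el):
    """Split '{namespace}local' into (namespace, local)."""
    ns, _, local = el.tag.rpartition("}")
    return ns.lstrip("{"), local

def inspect_security_header(xml_text):
    # Fine for this constructed input; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    report = {"tokens": [], "encryption": [], "dangling": []}
    ids = {e.get("Id") for e in root.iter(f"{{{XENC}}}EncryptedData")}
    for sec in root.findall(f"{{{SOAP}}}Header/*"):
        if qname(sec)[0] not in WSSE or qname(sec)[1] != "Security":
            continue
        for child in sec:
            ns, local = qname(child)
            if ns in WSSE and local in TOKENS:
                report["tokens"].append(local)
            elif ns == XENC and local in XENC_IN_HEADER:
                report["encryption"].append(local)
        # Every DataReference must point at an EncryptedData Id in the message.
        for ref in sec.iter(f"{{{XENC}}}DataReference"):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in ids:
                report["dangling"].append(uri)
    return report
```

Calling inspect_security_header(SAMPLE) reports one UsernameToken, one ReferenceList, and the unresolved reference #missing.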