Chapter 9: WS-Security

Overview

So far, the technologies that we have covered in this book have been either primarily for XML security (for example, XML Signature and XML Encryption) or applicable to the advantages of XML to information security functionality such as key management or access control rules (for example, XKMS, XACML). WS-Security, by contrast, is primarily for securing SOAP messages. It addresses the SOAP security issues discussed in Chapter 3. We’ve seen that technologies such as XML Signature, XML Encryption, and SAML can be used for purposes other than Web Services security. WS-Security explains how they are used for Web Services security in particular.

WS-Security defines how security tokens are contained in SOAP messages, and how XML Security specifications are used to encrypt and sign these tokens, as well as how to sign and encrypt other parts of a SOAP message. In practice, this means defining the XML elements and attributes that are used to enclose tokens into SOAP messages, and the means to enclose XML Signature and XML Encryption into SOAP.

WS-Security is part of a road map from IBM and Microsoft that includes later specifications such as WS-Trust, WS-Policy, and WS-SecureConversation. It can be used apart from these specifications, but it should be understood in the full context of the “WS-*” specifications.

This chapter uses the Web Services Enhancements 1.0 for Microsoft .NET (WSE) for hands-on familiarity with WS-Security.