michael_cooney
Senior Editor

Web Service Security

Opinion
Jun 09, 2004 | 2 mins
Networking, Security, Web Development

* A look at the emerging standard known as WS-Security

As Web services-based transactions grow, so does the need to secure those communications. That’s the idea behind an emerging standard known as Web Service Security (WS-Security).

WS-Security allows Web services to pass secure and signed messages. Security information is communicated by passing information in the headers of messages based on Simple Object Access Protocol (SOAP).

According to our Technology Update author (hlockhar@bea.com), WS-Security defines XML elements that can be used to provide integrity (write) protection, confidentiality (read) protection and authentication. It does this by using other existing specifications, while adding some key new elements of its own.

WS-Security implements digital signatures and encryption by referencing the XML Digital Signature and XML Encryption Recommendations developed at the World Wide Web Consortium.

The cool thing about WS-Security is that it will define how to use various systems to distribute keys and other authentication information in what it refers to as Tokens. X.509 Certificates and Kerberos Tickets are carried in binary tokens, while SAML Assertions and XrML Licenses are XML tokens. WS-Security also defines a Username token, which may be used in conjunction with a password, our author says.
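To make the header layout and token types concrete, here is an added example (not from the original column or any vendor's code): a Python check that reads a constructed SOAP message and reports which WS-Security tokens its header carries and whether signing or encryption is present. The `audit` function, the sample message and its placeholder values are assumptions made for illustration; the namespace URIs are those of SOAP 1.1, OASIS WS-Security 1.0, XML Signature and XML Encryption.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from SOAP 1.1, OASIS WS-Security 1.0, XML Signature, XML Encryption, SAML 1.x.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"

# Constructed sample message (assumption); token and password values are placeholders.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="{WSS}x509-token-profile-1.0#X509v3">PLACEHOLDER</wsse:BinarySecurityToken>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="{WSS}username-token-profile-1.0#PasswordText">PLACEHOLDER</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

def audit(envelope_xml):
    """Summarise the security header: token kinds, signing/encryption, findings."""
    root = ET.fromstring(envelope_xml)  # use a hardened XML parser for untrusted input
    sec = root.find("soap:Header/wsse:Security", NS)
    report = {"tokens": [], "signed": False, "encrypted": False, "findings": []}
    if sec is None:
        report["findings"].append("no wsse:Security header")
        return report
    for tok in sec.findall("wsse:BinarySecurityToken", NS):
        report["tokens"].append("binary:" + tok.get("ValueType", "").rsplit("#", 1)[-1])
    for tok in sec.findall("wsse:UsernameToken", NS):
        report["tokens"].append("username")
        pw = tok.find("wsse:Password", NS)
        # In the UsernameToken profile, a Password with no Type means PasswordText.
        if pw is not None and not pw.get("Type", "#PasswordText").endswith("#PasswordDigest"):
            report["findings"].append("UsernameToken uses PasswordText; needs encryption")
    if sec.find("saml:Assertion", NS) is not None:
        report["tokens"].append("xml:SAML")
    report["signed"] = sec.find("ds:Signature", NS) is not None
    report["encrypted"] = root.find(".//xenc:EncryptedData", NS) is not None
    if report["tokens"] and not report["signed"]:
        report["findings"].append("tokens present but no ds:Signature in header")
    return report
```

Calling `audit(SAMPLE)` lists an X.509 binary token and a Username token, and flags both the text password and the missing signature.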

Meanwhile, major vendors such as BEA Systems, Computer Associates, HP, IBM, Microsoft, Novell, SAP and Sun are already supporting WS-Security.