WS Security

From
Jump to navigation Jump to search

Web Service Security

Unfortunately, the concepts of JAX RPC and SOAP do not provide sufficient security features. Therefore, web services can not guarantee confidentiality or integrity.

In April 2002, an enhancement of SOAP, the Web Service Security Language, has been published to implement security aspects. The specification defines how to attach signature and encryption headers to SOAP messages. In addition, it describes the attachment of security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

How can integrity and confidentiality be realised?

Message integrity: The "XML Signature" specification in combination with security tokens ensure that messages are transmitted without modifications. The XML signature specification has been developed by the W3C and IETF.

Message confidentiality: The "XML Encryption" specification describing techniques to wrap encryption data into xml tags, in conjunction with security tokens, keep portions of SOAP messages confidential. The encryption mechanisms are designed to support additional encryption technologies, processes, and operations by multiple actors.

Nevertheless, implementing WS Security does not provide a fully secured solution. It needs to be combined with other security measures. [6]