WS Security: Difference between revisions

(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Web Service Security ==
== Web Service Security ==


So far, the security aspect of web services has not been discussed. The basic concepts of JAX RPC and SOAP do not provide sufficient security features. Thus, the IT industry has started to address security issues.
Unfortunately, the concepts of JAX RPC and SOAP do not provide sufficient security features. Therefore, web services can not guarantee confidentiality or integrity.


In April 2002, an enhancement of SOAP, the Web Service Security Language, has been published to implement integrity and confidentiality. WS security defines how to attach signature and encryption headers to SOAP messages. In addition, it describes the attachment of security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.
In April 2002, an enhancement of SOAP, the Web Service Security Language, has been published to implement security aspects. The specification defines how to attach signature and encryption headers to SOAP messages. In addition, it describes the attachment of security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

How can integrity and confidentiality be realised?


'''Message integrity''': The "XML Signature" specification in combination with security tokens ensure that messages are transmitted without modifications. The XML signature specification has been developed by the W3C and IETF.
'''Message integrity''': The "XML Signature" specification in combination with security tokens ensure that messages are transmitted without modifications. The XML signature specification has been developed by the W3C and IETF.
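Review bot: In the revised second paragraph, replacing "to implement integrity and confidentiality" with "to implement security aspects" makes the sentence vaguer just before the added question "How can integrity and confidentiality be realised?", so keep the two terms named there. In the same new text, "can not" should be "cannot", and "has been published" next to the fixed date "In April 2002" reads better as "was published".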
Line 9: Line 11:
'''Message confidentiality''': The "XML Encryption" specification describing techniques to wrap encryption data into xml tags, in conjunction with security tokens, keep portions of SOAP messages confidential. The encryption mechanisms are designed to support additional encryption technologies, processes, and operations by multiple actors.
'''Message confidentiality''': The "XML Encryption" specification describing techniques to wrap encryption data into xml tags, in conjunction with security tokens, keep portions of SOAP messages confidential. The encryption mechanisms are designed to support additional encryption technologies, processes, and operations by multiple actors.


Nevertheless, implementing WS Security does not provide a fully secured solution. It needs to be combined with other security measurements. [6]
Nevertheless, implementing WS Security does not provide a fully secured solution. It needs to be combined with other security measures. [6]

Latest revision as of 08:56, 25 January 2005

Web Service Security

Unfortunately, the concepts of JAX RPC and SOAP do not provide sufficient security features. Therefore, web services cannot guarantee confidentiality or integrity.

In April 2002, an enhancement of SOAP, the Web Service Security Language, was published to address security aspects. The specification defines how to attach signature and encryption headers to SOAP messages. In addition, it describes the attachment of security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

How can integrity and confidentiality be realised?

Message integrity: The "XML Signature" specification, in combination with security tokens, ensures that messages are transmitted without modifications. The XML Signature specification was developed by the W3C and IETF.

Message confidentiality: The "XML Encryption" specification, which describes techniques to wrap encrypted data in XML tags, keeps portions of SOAP messages confidential when used in conjunction with security tokens. The encryption mechanisms are designed to support additional encryption technologies, processes, and operations by multiple actors.

Nevertheless, implementing WS Security does not provide a fully secure solution. It needs to be combined with other security measures. [6]