Web Services Security
WS-Security (Web Services Security) is a proposed IT industry standard
that addresses security when data is exchanged as part of a Web service.
Web Service Security Requirements
The use of transport security to protect the communication channel
between the Web service consumer and Web service provider.
Message-level security to ensure confidentiality, integrity and
Web services security includes several aspects:
Authentication—Verifying that the user is who she claims to be. A user's identity is verified based
on the credentials presented by that user, such as: password, biometric information etc.
Authorization (or Access Control)—Granting access to specific resources based on an
authenticated user's entitlements. Entitlements are defined by one or several attributes. An
attribute is the property or characteristic of a user.
Confidentiality, privacy—Keeping information secret. Accesses a message, for example a Web
service request or an email, as well as the identity of the sending and receiving parties in a
confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a
message and obfuscating the sending and receiving parties' identities.
Integrity, non repudiation—Making sure that a message remains unaltered during transit by
having the sender digitally sign the message. A digital signature is used to validate the signature
and provides non-repudiation. The timestamp in the signature prevents anyone from replaying
this message after the expiration.
Web Services Security at Transport Level and
Web Services currently revolves around three important protocols: SOAP,
WSDL and UDDI.
There are two ways with which we can ensure security with Web Services:
Transport Level Security
Message Level Security
It secures the actual transport over which the message passes through from client to a
Secure Socket Layer (SSL), otherwise known as Transport Layer Security (TLS), is the most
widely used transport-level data-communication protocol providing:
Authentication (the communication is established between two trusted parties).
Confidentiality (the data exchanged is encrypted).
Message integrity (the data is checked for possible corruption).
Secure key exchange between client and server.
Message Level Security
Message level security is an application layer service and facilitates the protection of
message data between applications.
It secures the message itself that is being transported from client to a service and vice
Application-level security is based on standards available for securing Web Services at
Data confidentiality is implemented by XML Encryption.
Data integrity and authenticity are implemented by XML Signature.
Message structure and message security are implemented by SOAP and its security
In this model, a Web Service client will use SSL to open a secure socket to a Web
Service. The client then sends and receives SOAP messages over this secured
socket using HTTPS.
In message level security, security information is contained within the SOAP
message, which allows security information to travel along with the message.ge
level security, security information is contained within the SOAP message, which allows
security information to travel along with the message.
TRANSPORT LEVEL MESSAGE LEVEL
Uses SSL Dose not use SSL
Point-to-Point: Protects the "pipe Data Chunks are protected
Does not work with Intermediaries Intended to work with Intermediaries
Ubiquitous Standards still under development