Web Services Security (WS Security) is a specification that defines how security measures are implemented in web services to protect them from external attacks. It is a set of protocols that ensure security for SOAP-based messages by implementing the principles of confidentiality, integrity and authentication.
Because Web services are independent of any hardware and software implementations, WS-Security protocols need to be flexible enough to accommodate new security mechanisms and provide alternative mechanisms if an approach is not suitable. Because SOAP-based messages traverse multiple intermediaries, security protocols need to be able to identify fake nodes and prevent any node from interpreting the data. WS-Security combines the best approaches to different security problems by letting the developer choose a particular security solution for each part of the problem. For example, the developer can select digital signatures for non-repudiation and Kerberos for authentication.
The aim of WS-Security is to ensure that communication between two parties is not interrupted or interpreted by an unauthorized third party. The receiver needs to be assured that the message was indeed sent by the sender, and the sender should be assured the receiver cannot deny receiving the message. Finally, the data sent during communication should not be altered by an unauthorized source. All data related to security is added as part of the SOAP header. Therefore, a considerable overhead is imposed on the SOAP message formation when security mechanisms are activated.
WS-Security SOAP Header
The developer is free to choose any underlying security mechanism or set of protocols to achieve their goal. Security is implemented using a header that consists of a set of key-value pairs, where the values change according to the underlying security mechanism used. This header helps to establish the caller’s identity. If a digital signature is used, the header contains information about how the content has been signed and the location of the key used to sign the message.
Information related to encryption is also stored in the SOAP header. The ID attribute is stored as part of the SOAP header, which simplifies processing. The timestamp is used as an additional level of protection against attacks on the message integrity. When a message is created, a timestamp is associated with the message indicating when it was created. Additional timestamps are used for the expiry of the message and to indicate when the message was received at the destination node.
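The timestamp check described above, sketched as an added example (not code from this page or from any WS-Security library): a receiver locates the `wsu:Timestamp` in the `wsse:Security` header and rejects stale or malformed values. The function names, the five-minute skew, the rule that both `Created` and `Expires` must be present, and the SOAP 1.1 sample envelope are assumptions; signature verification is out of scope, and the check only protects anything when the timestamp is covered by the message signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
MAX_SKEW = timedelta(minutes=5)  # assumed receiver policy for clock drift
# Constructed sample envelope, not captured from a real service.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>
  </wsu:Timestamp>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>""".format(**NS)

def parse_utc(text):
    """Parse an xsd:dateTime value; a value without a time zone is refused."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return dt.astimezone(timezone.utc)

def check_timestamp(envelope_xml, now):
    """Return (accepted, reason) for the wsu:Timestamp in the Security header."""
    if "<!DOCTYPE" in envelope_xml:  # SOAP messages must not carry a DTD
        return False, "DTD present"
    root = ET.fromstring(envelope_xml)
    stamps = root.findall("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if len(stamps) != 1:
        return False, "expected exactly one Timestamp"
    created, expires = (stamps[0].find(t, NS) for t in ("wsu:Created", "wsu:Expires"))
    if created is None or expires is None:  # assumed policy: both are required
        return False, "Created or Expires missing"
    try:
        created_at, expires_at = parse_utc(created.text or ""), parse_utc(expires.text or "")
    except ValueError as exc:
        return False, f"bad timestamp: {exc}"
    if created_at > now + MAX_SKEW:
        return False, "created in the future"
    if expires_at <= created_at:
        return False, "expires before creation"
    if now > expires_at + MAX_SKEW:
        return False, "expired"
    return True, "fresh"
```

Call `check_timestamp(SAMPLE, datetime.now(timezone.utc))` with a timezone-aware clock value; a naive `datetime` cannot be compared with the parsed values.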
WS-Security Authentication Mechanisms
WS-Security allows existing security mechanisms to be leveraged appropriately, avoiding the overhead of incorporating new mechanisms.