Web Services Security (WS-Security) is a specification that defines how security measures are applied to web services to protect them from external attacks. It is a set of protocols that secures SOAP-based messages by providing confidentiality, integrity and authentication.
Because Web services are independent of any particular hardware or software implementation, WS-Security protocols need to be flexible enough to accommodate new security mechanisms and to offer alternatives when one approach is not suitable. Because SOAP-based messages traverse multiple intermediaries, the security protocols need to be able to detect rogue intermediary nodes and prevent the data from being read at any of them. WS-Security combines the best approaches to different security problems by allowing the developer to choose a particular security solution for each part of the problem. For example, the developer can select digital signatures for non-repudiation and Kerberos for authentication.
The aim of WS-Security is to ensure that communication between two parties is not interrupted or read by an unauthorized third party. The receiver needs assurance that the message was indeed sent by the sender, and the sender needs assurance that the receiver cannot deny having received the message. Finally, the data sent during communication must not be altered by an unauthorized party. All security-related data is carried in the SOAP header. Therefore, a considerable overhead is added to the construction of a SOAP message when security mechanisms are activated.
WS-Security SOAP Header
The developer is free to choose any underlying security mechanism or set of protocols to achieve their goal. Security is implemented using a header that consists of a set of key-value pairs whose values change with the underlying security mechanism in use. This header also establishes the caller’s identity. If a digital signature is used, the header contains information about how the content has been signed and the location of the key used to sign the message.
Information related to encryption is also stored in the SOAP header. The ID attribute is stored as part of the SOAP header, which simplifies processing. The timestamp is used as an additional level of protection against attacks on the message integrity. When a message is created, a timestamp is associated with the message indicating when it was created. Additional timestamps are used for the expiry of the message and to indicate when the message was received at the destination node.
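The timestamp handling described above, as an added example that is not part of the original article: a sender builds a SOAP envelope whose wsse:Security header carries a wsu:Timestamp with Created and Expires elements, and a receiver rejects messages that are expired, future-dated beyond a tolerated clock skew, or replayed. The namespace URIs are the real SOAP 1.1 and OASIS WSS 1.0 ones; the body content, Ids, time values and tolerance windows are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real namespace URIs from SOAP 1.1 and the OASIS WSS 1.0 specifications
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ISO = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def build_envelope(body_xml: str, created: datetime, ttl: int = 300, ts_id: str = "TS-1") -> str:
    """Sender: wrap the body in a SOAP envelope whose wsse:Security header carries a wsu:Timestamp."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": ts_id})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created.strftime(ISO)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (created + timedelta(seconds=ttl)).strftime(ISO)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def validate_timestamp(envelope_xml: str, now: datetime, seen: set, max_skew: int = 60) -> tuple[bool, str]:
    """Receiver: reject messages that are expired, future-dated, or whose Timestamp was already seen."""
    ts = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None or ts.findtext(f"{{{WSU}}}Created") is None or ts.findtext(f"{{{WSU}}}Expires") is None:
        return False, "missing or incomplete wsu:Timestamp"
    created = datetime.strptime(ts.findtext(f"{{{WSU}}}Created"), ISO).replace(tzinfo=timezone.utc)
    expires = datetime.strptime(ts.findtext(f"{{{WSU}}}Expires"), ISO).replace(tzinfo=timezone.utc)
    if created > now + timedelta(seconds=max_skew):  # tolerate only a bounded clock skew
        return False, "Created is in the future"
    if now >= expires:
        return False, "message expired"
    # Replay cache keyed on Id+Created; only meaningful once the Timestamp is covered by the signature
    key = (ts.get(f"{{{WSU}}}Id"), created)
    if key in seen:
        return False, "replayed Timestamp"
    seen.add(key)
    return True, "ok"


def demo() -> list[str]:
    """Constructed scenario: a fresh message, its replay, an expired copy, and one from a skewed clock."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    msg = build_envelope("<GetQuote>ACME</GetQuote>", created=t0)
    seen: set = set()
    return [validate_timestamp(msg, t0 + timedelta(seconds=5), seen)[1],
            validate_timestamp(msg, t0 + timedelta(seconds=6), seen)[1],
            validate_timestamp(msg, t0 + timedelta(seconds=600), set())[1],
            validate_timestamp(msg, t0 - timedelta(seconds=120), set())[1]]
```

The replay check is only as strong as the signature that binds the Timestamp to the rest of the message; without that binding an intermediary could alter the Id or Created value freely.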
WS-Security Authentication Mechanisms
WS-Security allows existing security mechanisms to be reused where appropriate, avoiding the overhead of introducing new ones.
Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.