WS-Security is a family of specifications (see Figure 5-6) designed to augment wire-level security by providing a unified, transport-neutral, end-to-end framework for higher levels of security such as authentication and authorization.
Figure 5-6. The WS-Security specifications
The layered blocks above WS-Security in Figure 5-6 can be described briefly as follows. The first layer consists of WS-Policy, WS-Trust, and WS-Privacy. The second layer, made up of WS-SecureConversation, WS-Federation, and WS-Authorization, builds upon the first. The architecture is thus modular but also complicated. Here is a short description of each specification, starting with the first layer:
WS-Policy
This specification describes general security capabilities, constraints, and policies. For example, a WS-Policy assertion could stipulate that a message requires security tokens or that a particular encryption algorithm be used.
WS-Trust
This specification deals primarily with how security tokens are to be issued, renewed, and validated. In general, the specification covers broker trust relationships, which are illustrated later in a code example.
WS-Privacy
This specification explains how services can state and enforce privacy policies. The specification also covers how a service can determine whether a requester intends to follow such policies.
This specification covers, as the name ...
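The WS-Policy description above mentions assertions that require a security token or a particular encryption algorithm. The following is an added example, not code from the original text, of a receiver checking a message against such a policy. It assumes the WS-SecurityPolicy 1.2 assertion vocabulary (`sp:SupportingTokens`, `sp:AlgorithmSuite`) inside a `wsp:Policy`; the policy, the messages, and the helper names `envelope`, `local`, and `violations` are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) on untrusted input

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
# Data-encryption algorithm implied by each algorithm suite (subset).
SUITE_ENC = {"Basic128": NS["xenc"] + "aes128-cbc", "Basic256": NS["xenc"] + "aes256-cbc"}
# Token assertion -> header element that satisfies it (subset).
TOKEN_ELEM = {"UsernameToken": "wsse:UsernameToken"}

# Constructed policy: require a username token and the Basic256 suite.
POLICY = f"""<wsp:Policy {XMLNS}>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  <sp:SymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding>
</wsp:Policy>"""

def envelope(security_children, enc_alg):
    """Build a constructed SOAP message with an encrypted body."""
    return f"""<soap:Envelope {XMLNS}>
  <soap:Header><wsse:Security>{security_children}</wsse:Security></soap:Header>
  <soap:Body><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="{enc_alg}"/>
  </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

def local(el):
    """Element name without its namespace."""
    return el.tag.rsplit("}", 1)[-1]

def violations(policy_xml, envelope_xml):
    """List the ways the message fails the policy's token and algorithm assertions."""
    pol, env = ET.fromstring(policy_xml), ET.fromstring(envelope_xml)
    tokens = [local(e) for e in pol.findall(".//sp:SupportingTokens/wsp:Policy/*", NS)]
    suites = [local(e) for e in pol.findall(".//sp:AlgorithmSuite/wsp:Policy/*", NS)]
    sec = env.find("soap:Header/wsse:Security", NS)
    out = []
    for t in tokens:
        if sec is None or sec.find(TOKEN_ELEM[t], NS) is None:
            out.append(f"missing token: {t}")
    allowed = {SUITE_ENC[s] for s in suites}
    for m in env.findall(".//xenc:EncryptedData/xenc:EncryptionMethod", NS):
        if m.get("Algorithm") not in allowed:
            out.append(f"algorithm not allowed: {m.get('Algorithm')}")
    return out
```

The check only confirms that the required token element is present and that body encryption uses the suite's algorithm; validating the token's contents is a separate step.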