Web Service Security
Web Services Security (WS-Security) was initiated by Microsoft and IBM with participation from Verisign and RSA Security, among others. It is part of a whole family of specifications spearheaded by the Organization for the Advancement of Structured Information Standards (OASIS). The specification provides standards and tools for message-level security for web services.
The core areas on which WS-Security concentrates are:
Secure header management (WSSE headers)
Secure tokens and credential management
Reliable timestamping
Standardized XML encryption
Standardized XML signatures
Message/security extensibility
Let's take a closer look at some of these and discuss where they apply in terms of a web service transaction.
Secure header management
WS-Security uses secure headers to help protect the message contents. The header is indifferent to what the message content is; its concern is only that the message content does not change. Likewise, the message content does not depend on or refer to the security header. The header is attached to the outside of the message like an additional envelope.
Secure tokens and credentials
Security tokens and credentials appear in secure headers and have their own profiles according to the WS-Security specification. They can be binary-encoded, as in the case of a digital certificate, or they can be plain text, such as a username and password.
Some types of secure token profiles are:
Username and password
X.509 digital certificate
SAML assertion
Timestamping
To promote ...
Get Securing Ajax Applications now with the O’Reilly learning platform.