10:37 AM
Andy Dornan

WS-* Security Standards: Too Much Of A Good Thing?

The foundations are complete, but the higher levels are still works in progress.

The SOA world enjoys a, let's say, overabundance of standards, with the Web Services (WS-*) stack in particular seeming to grow continuously to encompass every possible SOAP use case. However, relatively few standards are specifically designed for security, and those that are all build on top of one another. The foundations are now complete and mature, but the higher levels are still works in progress.

  • WS-Security 1.1. Describes how XML Encryption and XML Signature can be applied to SOAP documents or messages. Supported by all vendors and used by all other WS-* standards involving security. The latest version, published in February 2006, will likely be the last, as future enhancements will be included in other standards.
  • WS-SecurityPolicy 1.2. Specifies who is allowed to access a service and how, and restricts the kinds of authentication methods allowed and/or the level of encryption required. It is a subset of WS-Policy, a more general way of expressing a service's capabilities and limitations. Developed by IBM and Microsoft, WS-SecurityPolicy was officially standardized in July 2007 and will eventually be supported by all vendors.
  • WS-SecureConversation 1.3. A means of implementing the policies expressed in WS-SecurityPolicy using WS-Security. The standard was ratified in March 2007, at which point IBM and Sun demonstrated implementations. Other vendors, including Actional, BEA Systems, Cisco, Computer Associates, Layer 7 Technologies, Oracle, Reactivity, RSA Security, and VeriSign, have also pledged support, though few customers are using it at present.
  • WS-Trust 1.3. Uses WS-Security to transfer security tokens, such as passwords, digital certificates and SAML assertions. Non-SOAP Web services have a partial equivalent in XKMS (XML Key Management Specification) and SAML.
  • WS-Federation 1.1. Uses the security tokens transferred in WS-Trust to authenticate to Web services, according to the service's rules as described in WS-SecurityPolicy. Not yet widely used, as SAML provides much of the same functionality. Its main advantage over SAML is Windows support and tight integration with the WS-* stack.
Photograph by Tim Flach/Stone/Getty Images
