10:37 AM
Andy Dornan
Andy Dornan

WS-* Security Standards: Too Much Of A Good Thing?

The foundations are complete, but the higher levels are still works in progress.

The SOA world enjoys a, let's say, overabundance of standards, with the Web Services (WS-*) stack in particular seeming to continuously grow to encompass every possible SOAP use case. However, relatively few standards are specifically designed for security, and those that do all build on top of one another. The foundations are now complete and mature, but the higher levels are still works in progress.

  • WS-Security 1.1. Describes how XML Encryption and XML Signature can be applied to SOAP documents or messages. Supported by all vendors and used by all other WS-* standards involving security. The latest version, published in February 2006, will likely be the last, as future enhancements will be included in other standards.
  • WS-SecurityPolicy 1.2. Specifies who is allowed to access a service and how, and restricts the kinds of authentication methods allowed and/or the level of encryption required. It is a subset of WS-Policy, a more general way of expressing a service's capabilities and limitations. Developed by IBM and Microsoft, WS-SecurityPolicy was officially standardized in July 2007 and will eventually be supported by all vendors.
  • WS-SecureConversation 1.3. A means of implementing the policies expressed in WS-SecurityPolicy using WS-Security. The standard was ratified in March 2007, at which point IBM and Sun demonstrated implementations. Other vendors, including Actional, BEA Systems, Cisco, Computer Associates, Layer 7 Technologies, Oracle, Reactivity, RSA Security, and VeriSign, have also pledged support, though few customers are using it at present.
  • WS-Trust 1.3. Uses WS-Security to transfer security tokens, such as passwords, digital certificates and SAML assertions. Non-SOAP Web services have a partial equivalent in XKMS (XML Key Management Specification) and SAML.
  • WS-Federation 1.1. Uses the security tokens transferred in WS-Trust to authenticate to Web services, according to the service's rules as described in WS-SecurityPolicy. Not yet widely used, as SAML provides much of the same functionality. Its main advantage over SAML is Windows support and tight integration with the WS-* stack.
  • Photograph by Tim Flach/Stone/Getty Images

    Return to the story:
    SOA Security: One Treacherous Journey

    Comment  | 
    Print  | 
    More Insights
    Newest First  |  Oldest First  |  Threaded View
    Register for InformationWeek Newsletters
    White Papers
    Current Issue
    Top IT Trends to Watch in Financial Services
    IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
    Twitter Feed
    InformationWeek Radio
    Archived InformationWeek Radio
    Join us for a roundup of the top stories on for the week of July 24, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.