Feature
News
7/27/2007
10:37 AM
Andy Dornan
Andy Dornan
Features
Connect Directly
RSS
E-Mail
50%
50%

WS-* Security Standards: Too Much Of A Good Thing?

The foundations are complete, but the higher levels are still works in progress.

The SOA world enjoys a, let's say, overabundance of standards, with the Web Services (WS-*) stack in particular seeming to continuously grow to encompass every possible SOAP use case. However, relatively few standards are specifically designed for security, and those that do all build on top of one another. The foundations are now complete and mature, but the higher levels are still works in progress.

  • WS-Security 1.1. Describes how XML Encryption and XML Signature can be applied to SOAP documents or messages. Supported by all vendors and used by all other WS-* standards involving security. The latest version, published in February 2006, will likely be the last, as future enhancements will be included in other standards.
  • WS-SecurityPolicy 1.2. Specifies who is allowed to access a service and how, and restricts the kinds of authentication methods allowed and/or the level of encryption required. It is a subset of WS-Policy, a more general way of expressing a service's capabilities and limitations. Developed by IBM and Microsoft, WS-SecurityPolicy was officially standardized in July 2007 and will eventually be supported by all vendors.
  • WS-SecureConversation 1.3. A means of implementing the policies expressed in WS-SecurityPolicy using WS-Security. The standard was ratified in March 2007, at which point IBM and Sun demonstrated implementations. Other vendors, including Actional, BEA Systems, Cisco, Computer Associates, Layer 7 Technologies, Oracle, Reactivity, RSA Security, and VeriSign, have also pledged support, though few customers are using it at present.
  • WS-Trust 1.3. Uses WS-Security to transfer security tokens, such as passwords, digital certificates and SAML assertions. Non-SOAP Web services have a partial equivalent in XKMS (XML Key Management Specification) and SAML.
  • WS-Federation 1.1. Uses the security tokens transferred in WS-Trust to authenticate to Web services, according to the service's rules as described in WS-SecurityPolicy. Not yet widely used, as SAML provides much of the same functionality. Its main advantage over SAML is Windows support and tight integration with the WS-* stack.
  • Photograph by Tim Flach/Stone/Getty Images

    Return to the story:
    SOA Security: One Treacherous Journey

    Comment  | 
    Print  | 
    More Insights
    The Business of Going Digital
    The Business of Going Digital
    Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
    Register for InformationWeek Newsletters
    White Papers
    Current Issue
    InformationWeek Tech Digest - August 27, 2014
    Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
    Flash Poll
    Video
    Slideshows
    Twitter Feed
    InformationWeek Radio
    Archived InformationWeek Radio
    Howard Marks talks about steps to take in choosing the right cloud storage solutions for your IT problems
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.