Web Services Security (WS-Security)

WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

WS-Security also provides a general-purpose mechanism for associating security tokens with messages. No specific type of security token is required by WS-Security. It is designed to be extensible (e.g. support multiple security token formats). For example, a client might provide proof of identity and proof that they have a particular business certification.

Additionally, WS-Security describes how to encode binary security tokens. Specifically, the specification describes how to encode X.509 certificates and Kerberos tickets as well as how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the credentials that are included with a message.

• White Paper (November 8, 2000): Click here
• W3C NOTE: SOAP Security Extensions: Digital Signature (February 6, 2001).
  A related developerWorks article: SOAP-DSIG and SSL (August 2001).
• Latest Proposals (April 2002):
  1. Security in a Web Services World: A Proposed Architecture and Roadmap
  2. Web Services Security (WS-Security)

The implementation of WS-Security is available as part of Web Services Toolkit (WSTK). It is based on the above proposals.

• W3C Web Services Activity
• SOAP 1.1 Specification (Japanese translation is also available)
• Apache Axis
• Apache SOAP
• Archives of SOAP@DISCUSS.DEVELOP.COM
• Soap.Weblogs.Com
• SOAP - Web Resource Center
• DevelopMentor: SOAP Page