Hannah Smalltree, Editorial Director

Secure Sockets Layer (SSL) is a commonly used protocol for providing confidentiality, integrity and authentication for messages transmitted over the Internet. It is typically used by Web applications to secure the traffic between users' browsers and the server over HTTP, in which case the URL usually starts with HTTPS instead of HTTP. SSL is widely deployed and is usually easy to apply to a Web application, which makes it an attractive choice for Web services and Web sites alike, given that Web services are best exposed over HTTP.
If you merely need to secure your SOAP messages between two endpoints, then SSL is probably your best choice and WS-Security is probably overkill, especially given the heavy XML processing that WS-Security involves.
However, SSL is a transport-level protocol that secures a single connection end-to-end, which makes it too complicated to apply in situations where messages travel through multiple servers or move from one transport to another: each intermediate hop terminates the SSL connection and sees the message in the clear.
In distributed identity scenarios, where companies need to let their business partners access their services without owning, managing and synchronizing authentication and authorization data for their partners' users, SSL is also insufficient. Such companies may instead consider the WS-Security SAML profile to communicate security assertions about identities and authorization information, or to provide single sign-on (SSO) services.
In conclusion, SSL is useful and sufficient for many basic Web services security needs, but it falls short in more complex security scenarios. That is where WS-Security, with its various profiles, provides a standards-based solution that is interoperable across vendors.
This was first published in February 2006