When to use WS-Security and SSL

When should you use WS-Security and when should you use SSL? Web services security expert Alex Smolen advises.

When should I use WS-Security? What about SSL?
WS-Security is a standard ratified by OASIS (Organization for the Advancement of Structured Information Standards) to provide an interoperability framework for performing security functions through SOAP. WS-Security is used to guarantee confidentiality and integrity to SOAP messages using XML Encryption and XML Signature, and it provides a common mechanism for describing credentials so that a wide range of authentication mechanisms can be used (Kerberos, X.509, standard usernames and passwords).

SSL (Secure Sockets Layer) is a protocol on top of HTTP that provides confidentiality, integrity and standardized credentials (sound familiar?) using encryption, digital signatures (MACs or Message Authentication Codes) and digital certificates. Web sites that begin with https:// rather than http:// use SSL to secure the traffic and verify authenticity.

Given the overlapping nature of SSL and WS-Security, why is one a better choice?

There are two main problems with SSL that drove the development of WS-Security:

  1. SSL uses HTTP. Web Services not using HTTP cannot use SSL.
  2. SSL is point-to-point. It is not granular and messages must be decrypted at any intermediate waypoint.

So, if either of these issues impacts your architecture, use WS-Security. Otherwise, SSL is an option. SSL benefits include being easily configurable and mature. It isn't unsafe to use, just inflexible and inadaptable to larger, more complex security architectures. If you need to verify that only certain users can access a service, or that messages aren't being read or modified in transit, and you need a granular, interoperable way to do so, you should use WS-Security for your Web services.
This was first published in January 2006
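
The point-to-point limitation in item 2 can be seen in a small added example (not part of the original answer). It is a simplified stand-in for message-level integrity: an HMAC over the canonicalized SOAP Body replaces a real XML Signature, and the `urn:example:*` namespaces, the `BodyMac` and `Via` elements, the key and the message are all constructed for illustration and are not the WS-Security schema.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO = "urn:example:demo-security"      # hypothetical namespace (assumption)
KEY = b"constructed-demo-key"           # shared by sender and final receiver only

# Constructed sample message.
MESSAGE = (f'<s:Envelope xmlns:s="{SOAP}"><s:Header/><s:Body>'
           '<t:Transfer xmlns:t="urn:example:bank"><t:To>ACCT-1001</t:To>'
           '<t:Amount>250</t:Amount></t:Transfer></s:Body></s:Envelope>')

def _body_mac(env: ET.Element) -> bytes:
    """MAC over the canonical form of the Body, so re-serialization is harmless."""
    body = env.find(f"{{{SOAP}}}Body")
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"),
                           rewrite_prefixes=True)
    digest = hmac.new(KEY, c14n.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest)

def sign(envelope_xml: str) -> str:
    """Sender: attach the Body MAC as a header that travels with the message."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{DEMO}}}BodyMac").text = _body_mac(env).decode()
    return ET.tostring(env, encoding="unicode")

def intermediary_route(envelope_xml: str, hop: str) -> str:
    """Waypoint: the transport session ended here, so it sees the message in
    the clear and re-serializes it, adding a routing header of its own."""
    env = ET.fromstring(envelope_xml)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{DEMO}}}Via").text = hop
    return ET.tostring(env, encoding="unicode")

def verify(envelope_xml: str) -> bool:
    """Final receiver: recompute the MAC; header changes by waypoints are fine."""
    env = ET.fromstring(envelope_xml)
    mac = env.findtext(f"{{{SOAP}}}Header/{{{DEMO}}}BodyMac")
    if mac is None:
        return False
    return hmac.compare_digest(mac.strip().encode(), _body_mac(env))

if __name__ == "__main__":
    relayed = intermediary_route(sign(MESSAGE), "gateway-a")
    print("after one hop:", verify(relayed))
    print("body altered at the hop:", verify(relayed.replace(">250<", ">9500<")))
```

The receiver's check covers the whole path from the original sender, whereas a transport-level session only vouches for the hop that delivered the message.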
