Problem solve Get help with specific problems with your technologies, process and projects.

The importance of WS-Security

The WS-Security standard is much more than just SSL. Expert Rami Jaamour explains the differences between these two security mechanisms and what's best for Web services security.

What is WS-Security? Why can't I just use SSL?
WS-Security is a standard from OASIS that builds on W3C's generic XML encryption and signature standards for the purpose of securing SOAP messages. WS-Security can be used to enforce confidentiality, integrity or include authentication information in SOAP messages. WS-Security deals with mechanisms that secure the SOAP messages at the message layer, meaning that the encryption, digital signature, authentication and authorization meta data are included within the SOAP message (in the SOAP header element) as XML instead of relying on the communication transport to apply the security.

Secure Socket Layer (SSL) is a commonly used protocol for providing confidentiality, integrity and authentication for messages transmitted over the Internet. It is typically used by Web applications to secure the transactions between the users' browsers and the server over HTTP, in which case the URL usually starts with HTTPS instead of HTTP. SSL is widely used, and it is often applied easily to Web applications, which makes it an attractive choice for Web services and Web sites alike given the fact that Web services are best exposed over HTTP.

If you are looking to merely secure your SOAP messages between two fend points, then SSL is probably your best choice and WS-Security is probably overkill, especially with the heavy XML processing that is involved in WS-Security.

However, SSL is an end-to-end security protocol that makes it too complicated to apply in situations where messages travel among multiple servers or move from one transport to another.

More Information
SOA requires enterprise application security integration architecture

Why are Web services more vulnerable than Web apps?

Put Web services security on front burner
Besides, SSL is an all-or-nothing protocol. You can only use it to secure the entire communication pipe. If you have different security considerations at different stages of message processing, then SSL would not be sufficient. For example, a health records system may need to transmit patients' records securely to the doctor's office in a way that allows the doctor's system to decrypt and view the patient's medical information only, but the same record should allow the patient's insurance and financial information to be decrypted only by the billing system. SSL does not provide a solution in this case where different parts of the message need to be secured with different mechanisms or with different keys owned by different entities.

In distributed identity cases, where companies need their business partners to access their services without the ability to own, manage and sync authentication and authorization data for their partners', customers would also find SSL insufficient and may consider the WS-Security SAML profile to communicate security assertions about identities and authorization information, or enable them to provide single signon (SSO) services.

In conclusion, SSL is useful and sufficient for many basic Web services security needs, but it falls short of solving more complex security scenarios, which is where WS-Security with its various profiles can provide a standards-based solution that provides interoperability between different vendors.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.