 

Difference between WS Security Mechanisms

What advantages are there between implementing SOAP messages over SSL by modifying the web.xml/ejb-jar.xml VS modifying the WSDL with a WS-Policy?

Our project can achieve its goal of having our clients (ourselves) access the Web Service over a secured connection by adding a transport-guarantee, but we're not sure if that is a complete/correct solution.

MikeG asked Apr 19 '12 14:04



People also ask

What is WS-Security and its types?

Web Services Security (WS-Security) describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. WS-Security mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

What is WS-Security authentication?

The OASIS WS-Security specification is the open standard for Web services security. Its goal is to let applications secure SOAP message exchanges by providing encryption, integrity, and authentication support.

Which of these are valid WS-Security implementation mechanisms?

The WS-Security specification provides three mechanisms for securing Web services at the message level: authentication, integrity, and confidentiality.

What are WS-Security tokens?

WS-Security provides a general-purpose mechanism to associate security tokens with messages for single message authentication. It does not require you to use a specific type of security token. Instead, it is extensible and supports multiple security token formats to accommodate various authentication mechanisms.


1 Answer

With SSL, you get a point-to-point encryption between client and service. If the service is not the ultimate recipient of the message, but a proxy that routes this message to another service, you have no encryption between the two services, or you have to configure that also.

WS-Security configured via WS-Policy has the potential to give you end-to-end encryption between the client and the ultimate recipient of the message, because you can encrypt the message body. You do not need to configure SSL for every pair of communicating entities. Every proxy can just route the message on, as defined in the header.

That said, if you do not need end-to-end guarantees, but point-to-point is enough (which is your scenario, as far as I understand), I would say that using SSL is a fair choice.

Another thing to consider is that the WS-Security implementations of client and service need to be able to interoperate. SSL generally is quite mature, but my personal experience is that WS-Security implementations are not. So, if you have different WS-* Stacks for client and server, it might be some hacking and trial-and-error to find a policy configuration that works for both.

joergl answered Sep 30 '22 15:09

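The two approaches the question and the answer compare, written out side by side as an added example (not configuration posted by the asker or the answerer). Part (a) is the web.xml route from the question: a Servlet `security-constraint` with `transport-guarantee` CONFIDENTIAL, which makes the container require HTTPS for the endpoint. Part (b) is the WSDL route: a WS-Policy (WS-SecurityPolicy 1.2 namespace) attached to the SOAP binding, with one alternative that only requires HTTPS (the same point-to-point guarantee as (a), but declared in the contract so clients can discover it) and one alternative that signs and encrypts the SOAP Body to the ultimate recipient's X.509 certificate, which is the end-to-end property the answer describes. The URL pattern `/services/*`, the `http://example.com/order` namespace, the port type and binding names, and the policy `wsu:Id` values are all assumptions for illustration; the wsdl:operation elements are omitted because they are unchanged from an unsecured WSDL.

```xml
<!-- (a) Point-to-point: web.xml forces HTTPS for the SOAP endpoint.
     The TLS session ends at the first hop, so a routing proxy between
     client and final service sees the SOAP envelope in clear text. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SOAP endpoint</web-resource-name>
      <url-pattern>/services/*</url-pattern>   <!-- hypothetical path -->
    </web-resource-collection>
    <user-data-constraint>
      <!-- CONFIDENTIAL = encrypted transport; INTEGRAL = tamper-evident only;
           NONE = plain HTTP accepted. The container redirects or rejects http:// -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

<!-- (b) Message-level: WS-Policy attached to the WSDL binding. -->
<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:tns="http://example.com/order"
    targetNamespace="http://example.com/order">   <!-- hypothetical namespace -->

  <!-- Policy 1: the same guarantee as (a), but stated in the contract.
       Only the transport is protected; intermediaries still read the body. -->
  <wsp:Policy wsu:Id="TransportPolicy">
    <sp:TransportBinding>
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy><sp:HttpsToken/></wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy>
    </sp:TransportBinding>
  </wsp:Policy>

  <!-- Policy 2: end-to-end. The Body is signed with the client's X.509 key and
       encrypted to the ultimate recipient's certificate. Proxies route on the
       unencrypted headers but cannot read or silently alter the payload. -->
  <wsp:Policy wsu:Id="EndToEndPolicy">
    <sp:AsymmetricBinding>
      <wsp:Policy>
        <sp:InitiatorToken>
          <wsp:Policy>
            <!-- client certificate travels with the message so the recipient can verify the signature -->
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <sp:RecipientToken>
          <wsp:Policy>
            <!-- recipient certificate is provisioned out of band, never sent -->
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
              <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:Policy>

  <wsdl:binding name="OrderSoapBinding" type="tns:OrderPort">
    <!-- Point the reference at #TransportPolicy or #EndToEndPolicy to switch
         guarantees in the contract without touching web.xml. -->
    <wsp:PolicyReference URI="#EndToEndPolicy"/>
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <!-- wsdl:operation elements unchanged from the unsecured WSDL -->
  </wsdl:binding>
</wsdl:definitions>
```

Two practical checks follow from the answer. First, the policy in (b) only yields end-to-end protection if the client really encrypts to the final service's certificate, not to a proxy's; if the proxy terminates WS-Security and re-secures the message, you are back to hop-by-hop trust. Second, Policy 2 exercises exactly the interoperability surface the answer warns about (X.509 token references, algorithm suites, header layout), so test it against the real client stack before committing to it; Policy 1 and the web.xml constraint have far fewer knobs to disagree on.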