Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Difference between WS Security Mechanisms

Tags:

wsdl

ssl

web-services

ws-security

What advantages are there between implementing SOAP messages over SSL by modifying the web.xml/ejb-jar.xml VS modifying the WSDL with a WS-Policy?

Our project can acheive its goal of having our clients (ourselves) access the Web Service over a secured connection by adding a transport-guarantee but we're not sure if that is a complete/correct solution.

like image 411
MikeG Avatar asked Apr 19 '12 14:04

MikeG

People also ask

What is WS-Security and its types?

Web Services Security (WS-Security) describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. WS-Security mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

What is WS-Security authentication?

The OASIS WS-Security specification is the open standard for Web services security. Its goal is to let applications secure SOAP message exchanges by providing encryption, integrity, and authentication support.

Which of these are valid WS-Security implementation mechanisms?

The WS-Security specification provides three mechanisms for securing Web services at the message level: authentication, integrity, and confidentiality.

What are WS-Security tokens?

WS-Security provides a general-purpose mechanism to associate security tokens with messages for single message authentication. It does not require you to use a specific type of security token. Instead, it is extensible and supports multiple security token formats to accommodate various authentication mechanisms.

1 Answers

With SSL, you get a point-to-point encryption between client and service. If the service is not the ultimate receipient of the message, but a proxy that routes this message to another service, you have no encryption between the two services, or you have to configure that also.

WS-Security configured via WS-Policy has the potential to give you end-to-end encryption between the client and the ultimate receipient of the message, because you can encrypt the message body. You do not need to configure SSL for every pair of communicating entities. Every proxy can just route the message on, as defined in the header.

That said, if you do not need end-to-end guarantees, but point-to-point is enough (which is your scenario, as far as I understand), I would say that using SSL is a fair choice.

Another thing to consider is that the WS-Security implementations of client and service need to be able to interoperate. SSL generally is quite mature, but my personal experience is that WS-Security implementations are not. So, if you have different WS-* Stacks for client and server, it might be some hacking and trial-and-error to find a policy configuration that works for both.

like image 147
joergl Avatar answered Sep 30 '22 15:09

joergl
Sign in to Comment

Related questions

How to wrap a C library so that it can be called from a web service
In XML Web Services, what is the best practice for passing exceptions back to the client?
Spring Webservices and Json
Return XML data from a web service
WCF and Authentication
PHP: XML file to string which is faster file_get_contents or simplexml_load_file with asXML()
Axis2 - always getting 404 errors
JAX-WS endpoint only partially escaping XML String
Get JSON data with jQuery from a .NET service: confused with ajax setup
How to authenticate restful web service using oAuth
Presenting missing values as null or not at all in JSON
Connecting SAP to remote webservices using cURL
How to give access to WCF web service hosted on IIS only for specific users?
Integer value is lost in web service call
Return JSON from ASMX web service, without XML wrapper?
Multisite application with single sign in across domains in Rails?
"Exception javax.xml.ws.WebServiceException: Unsupported endpoint address" trying to call web service using JAX-WS 2.1
How many custom MIME types in a RESTful web API?
Check if a webservice exists
WebService behind reverse proxy

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!