WS-security specifies extensions to the SOAP message which provide security at message level. WS-security is an extensible protocol so that it can support multiple security models and encryption technology. WS-security focuses on the following areas of security
- Security token validation (authentication) : Authenticating that the sender is the same as she claims.
- Message integrity : The message is not tampered on the way.
- Message confidentiality (encryption and decryption) : The message is not read by unauthorised entities.
Like other WS* specification, WS-security implments the concept by putting extra elements in the SOAP header. The basic elements of the WS-security specifications are:
WS-Security Core Specification
The current version of WS-Security core specification is 1.1 which can be downloaded [http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os...|here]. WS-security has strived to be extensible so that it can server the basic need of different security models which includes:
- Multiple security token formats
- Multiple trust domains
- Multiple signature formats
- Multiple encryption technologies
- End-to-end message content security and not just transport-level security
What WS-security does is that it specifies a format in which the security information is sent. The information is sent as part of SOAP header. WS-security does not deals with the implementaion details like how the authentication context needs to be set up. In simple terms, WS-security tells that how to specify the security details in the SOAP header. People have been doing custom security handling by introducing their own headers. However this leads to non standardization and tools and frameworks cannot help out. WS-security supports both ((SOAP)) 1.1 and 1.2 version.
WS-security supports the following namespaces:
All the information about security is put in SOAP header in a security element
<!-- All the security information goes here. actor attribute tells who
will process the request. mustUnderstand attribute signifies that this header
should be processed. If unable to process SOAP fault should be raised.-->
The user credentials can be passed as username and passwords.
The user credentials can be sent in encoded format also using BinarySecurityToken
- Id - Label for the security token. It is an optional field.
- ValueType - Defines the value type like X509 certificate.
- EncodingType - Encoding format like wsse:Base64Binary
Security Token Reference
Let's now understand security token reference. It helps us in refering to the different part of the SOAP message using id.