What is WS Security?
WS-Security addresses how to maintain a secure context over a multi-point message path.
- Secure services beyond SSL over HTTP (HTTPS) (see http://bit.ly/1afA8Kg for more info)
- SOAP header extensions for end-to-end SOAP messaging security
- Uses
  - XML Signature & Encryption - ways to encrypt and sign the contents of an XML message
  - XML Canonicalization - making XML ready for signing and encrypting
- WS-Security gives a framework to embed the above-mentioned technologies into a SOAP message in a transport-neutral fashion.
What does WS Security do?
- Pass authentication tokens between services
- Encrypt messages or parts of messages
- Sign messages
- Timestamp messages
- Manage public keys using XKMS
What does WS Security Header contain?
- WS Security SOAP Headers contain info related to
  - XML Signature -
    - how the message was signed
    - the key that was used
    - signature
  - XML Encryption -
    - how the message was encrypted
- WS Security does not specify the format of the encryption or signature; rather, it specifies how to embed the security information within the header.
- WS Security is the specification for an XML-based security metadata container.
- All security information is carried in the SOAP header part of the message.
WS Security - others?
- Specifies a mechanism for transferring simple user credentials using Username Tokens.
- Binary Tokens - the tokens that were used for encrypting or signing the message.
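As an added illustration (not code from the original post), the following Python example builds a SOAP envelope whose `wsse:Security` header carries a Timestamp and a Username Token with a password digest, then validates it on the receiving side using the OASIS UsernameToken Profile 1.0 digest formula. The function names, the in-memory password table and the nonce set are assumptions of this example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
# Added example; function names and the password/nonce stores are hypothetical.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"
NS = {"s": SOAP, "wsse": WSSE, "wsu": WSU}
FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamps, second precision

def password_digest(nonce, created, password):  # Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce, now, ttl=300):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    created = now.strftime(FMT)
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(seconds=ttl)).strftime(FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")  # payload would go here
    return ET.tostring(env, encoding="unicode")

def verify_envelope(xml_text, passwords, now, seen_nonces):
    sec = ET.fromstring(xml_text).find("s:Header/wsse:Security", NS)  # use defusedxml on untrusted input
    tok = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    if tok is None:
        return "missing security header or token"
    user, nonce, created, sent = (tok.findtext(p, "", NS) for p in
        ("wsse:Username", "wsse:Nonce", "wsu:Created", "wsse:Password"))
    try:
        expires = datetime.strptime(sec.findtext("wsu:Timestamp/wsu:Expires", "", NS), FMT)
        expected = password_digest(base64.b64decode(nonce), created, passwords[user])
    except (ValueError, KeyError):
        return "malformed or unknown user"
    if expires < now:
        return "expired"
    if nonce in seen_nonces:
        return "replayed"
    if not hmac.compare_digest(expected.encode(), sent.encode()):
        return "bad digest"
    seen_nonces.add(nonce)  # remember the nonce only after a successful check
    return "ok"
```

The digest scheme requires the receiver to hold the plaintext password (or an equivalent), and it authenticates only the token, not the message body. Integrity of the body still needs an XML Signature.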
What are the different security models used by WS Security?
- Security Models
  - username/password
  - certificate based models
- Supports multiple security technologies - Kerberos, PKI, SAML etc.
- Supports multiple security tokens - Kerberos tickets, X.509 certificates, or SAML assertions etc.
Typical scenario