The SOA world enjoys a, let's say, overabundance
of standards, with the Web Services (WS-*) stack in particular seeming to continuously grow to encompass every possible SOAP use case. However, relatively few standards are specifically designed for security, and those that do all build on top of one another. The foundations are now complete and mature, but the higher levels are still works in progress.
WS-Security 1.1. Describes how XML Encryption and XML Signature can be applied to SOAP documents or messages. Supported by all vendors and used by all other WS-* standards involving security. The latest version, published in February 2006, will likely be the last, as future enhancements will be included in other standards.
WS-SecurityPolicy 1.2. Specifies who is allowed to access a service and how, and restricts the kinds of authentication methods allowed and/or the level of encryption required. It is a subset of WS-Policy, a more general way of expressing a service's capabilities and limitations. Developed by IBM and Microsoft, WS-SecurityPolicy was officially standardized in July 2007 and will eventually be supported by all vendors.
WS-SecureConversation 1.3. A means of implementing the policies expressed in WS-SecurityPolicy using WS-Security. The standard was ratified in March 2007, at which point IBM and Sun demonstrated implementations. Other vendors, including Actional, BEA Systems, Cisco, Computer Associates, Layer 7 Technologies, Oracle, Reactivity, RSA Security, and VeriSign, have also pledged support, though few customers are using it at present.
WS-Trust 1.3. Uses WS-Security to transfer security tokens, such as passwords, digital certificates and SAML assertions. Non-SOAP Web services have a partial equivalent in XKMS (XML Key Management Specification) and SAML.
WS-Federation 1.1. Uses the security tokens transferred in WS-Trust to authenticate to Web services, according to the service's rules as described in WS-SecurityPolicy. Not yet widely used, as SAML provides much of the same functionality. Its main advantage over SAML is Windows support and tight integration with the WS-* stack.
Photograph by Tim Flach/Stone/Getty Images
Return to the story:
SOA Security: One Treacherous Journey