WSSecurity

Web Services Security (WS-Security) is a specification developed by OASIS that extends SOAP with a security model to provide message integrity, confidentiality, and authentication. It describes how to attach security tokens to SOAP messages, how to sign and/or encrypt header or body data, and how to protect against replay attacks.

The core feature is the SOAP header wsse:Security containing signatures (ds:Signature), encrypted data (ds:EncryptedData), and tokens such as UsernameToken and BinarySecurityToken for X.509 or SAML assertions. Signatures ensure integrity and non-repudiation of parts of the message; encryption ensures confidentiality. Timestamps help prevent replay attacks. WS-Security is token-driven: a client obtains a security token from a token service and presents it in the message; the service validates the token and enforces policy.

WS-Security is complemented by related specifications such as WS-Trust for issuing and renewing tokens, WS-SecurityPolicy for expressing security requirements, and SAML for assertions. It is widely deployed in enterprise SOAP-based web services, but it is not a transport security standard; TLS (HTTPS) is commonly used in conjunction with WS-Security. The standard is complex and can introduce interoperability challenges and performance overhead, requiring careful implementation and policy agreement between interacting services.
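
The following is an added example, not part of the original page or of any WS-Security library: a receiver-side pre-check of the wsse:Security header that lists the tokens present and applies the timestamp freshness test used against replay. The function names, the sample envelope, and the skew and lifetime limits are assumptions; it only checks that a ds:Signature element is present and does not verify it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {  # standard SOAP 1.1, WS-Security 1.0 and XML-DSig namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_SKEW = timedelta(minutes=5)       # assumed policy values, not taken from the spec
MAX_LIFETIME = timedelta(minutes=10)

def _utc(text):
    # wsu:Created / wsu:Expires are xsd:dateTime, normally UTC with a trailing Z
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_security_header(envelope_xml, now):
    """Return (token_kinds, problems) for one SOAP 1.1 envelope."""
    if "<!DOCTYPE" in envelope_xml:          # SOAP messages must not carry a DTD
        return [], ["DTD present"]
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return [], ["no wsse:Security header"]
    kinds = [k for k in ("UsernameToken", "BinarySecurityToken")
             if sec.find(f"wsse:{k}", NS) is not None]
    # Presence only: a real service must verify the signature and that it covers the Timestamp
    problems = [] if sec.find("ds:Signature", NS) is not None else ["unsigned"]
    created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if not created or not expires:
        return kinds, problems + ["timestamp missing"]
    c, e = _utc(created), _utc(expires)
    if c > now + MAX_SKEW:
        problems.append("created in the future")
    if now > e + MAX_SKEW:
        problems.append("expired")
    if e - c > MAX_LIFETIME:
        problems.append("lifetime too long")
    return kinds, problems

def sample(created, expires, signed=True):  # constructed demo envelope, placeholder signature
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return (f'<s:Envelope xmlns:s="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<s:Header><wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
            f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp><wsse:UsernameToken>'
            f'<wsse:Username>demo</wsse:Username></wsse:UsernameToken>{sig}'
            f'</wsse:Security></s:Header><s:Body/></s:Envelope>')
```

A captured message resent after its Expires time is reported as "expired"; a timestamp that is not covered by a verified signature gives no such protection, which is why the unsigned case is flagged.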