With WS-Security, getting down to the business of providing interfaces and programming toolkits that all "speak the same language" has become easier and developers can begin to use the benefits of these efforts. A SOAP message, on its own, can be authenticated, its integrity verified, and it can be encrypted in whole or in part using the mechanisms defined in WS-Security. The architectural model of WSE is built on a "pipeline" of filters that process inbound and outbound SOAP messages. This is built on the pre-existing SOAPExtension classes, and developers who have experimented with SOAP Extensions for compression, encryption, logging and other purposes will find the implementation familiar.
WS-Security and the WS-Security addendum are published at http://msdn.microsoft.com/ws/2002/04/security and http://msdn.microsoft.com/ws/2002/07/Security respectively. Since the release of WS-Security it is emerging as the primary industry standard for secure Web service communication. This spcification fully leverages the existing XML signature and XML encryption protocols and optimizes them for use in SOAP message-based Web services environment to support the transmission of security tokens as well as encryo\ption and digital signatures. WS-Security describes the folowing SOAP header elements:
- Security - the root WS-Security element in the SOAP header
- UsenameToken - A child element that supports simple username and password authentication mechanisms
- BinarySecurityToken - A child element that supports binary-based security tokens such as Kerberos tickets and X.509 certificates
- SecurityTokenReference - A child element that supports referencing remote security tokens that are available at a URI
- KeyInfo - A chil element that supports inclusion of key information (derived from XML signature)
- Signature - A child element that supports signing one or more parts of a SOAP message (based on XML signature)
- ReferenceList - A child element that supports referencing one or more encrypted elements in the body of a SOAP message (based on XML encryption)
- EncryptedKey - An element that supports encryptionspecifically for keys (based on XML encryption)
- EncryptedData - A child element that supports including additional encrypted data in a SOAP header (based on XML encryption)
- Timestamp - The WS-Security Addendum specification that supports including timestamp info in the SOAP header that can be used to prevent replay attackes when an attacker tries to reuse an ols message.