WS-Security

Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as Security Assertion Markup Language (SAML), Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

Features

WS-Security describes three main mechanisms:
- How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation, provided the signature is made with an asymmetric key held only by the signer (a shared-key MAC gives integrity but not non-repudiation).
- How to encrypt SOAP messages to assure confidentiality.
- How to attach security tokens to ascertain the sender's identity.

The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:
- X.509 certificates,
- Kerberos tickets,
- User ID/Password credentials,
- SAML Assertions, and
- custom-defined tokens.

The token formats and semantics are defined in the associated profile documents.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer.

These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. In general, WSS by itself does not provide any guarantee of security. When implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable.

Key management, trust bootstrapping, federation and agreement on the technical details (ciphers, formats, algorithms) are outside the scope of WS-Security.
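The User ID/Password credential is the simplest of the token models listed above. The following is an added example, not code from the article or from any WS-Security implementation: it builds a SOAP envelope whose wsse:Security header carries a UsernameToken in the PasswordDigest form defined by the WSS UsernameToken Profile (Password_Digest = Base64(SHA-1(nonce + created + password))) and verifies it server-side with the checks the profile leaves to the implementor, a freshness window on wsu:Created and a nonce cache against replay. The password store, the five-minute window, the fixed clock and the sample body are assumptions made for the demonstration; the namespace and Type URIs are the ones the profile defines.

```python
"""WSS UsernameToken in PasswordDigest form: client-side construction and server-side verification.
Added example; the password store, the freshness window and the sample body are assumptions."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def q(ns, tag):
    return f"{{{ns}}}{tag}"


def password_digest(nonce, created, password):
    # UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)),
    # over the raw nonce bytes and the Created string exactly as it appears in the message.
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(username, password, body_xml, now=None):
    """Client: wrap body_xml in an Envelope whose wsse:Security header carries a UsernameToken."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = os.urandom(16)                         # fresh per message; the verifier remembers it
    env = ET.Element(q(SOAP, "Envelope"))
    security = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"),
                             {q(SOAP, "mustUnderstand"): "1"})
    token = ET.SubElement(security, q(WSSE, "UsernameToken"))
    ET.SubElement(token, q(WSSE, "Username")).text = username
    ET.SubElement(token, q(WSSE, "Password"), Type=PASSWORD_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(token, q(WSSE, "Nonce"), EncodingType=BASE64_BINARY).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, q(WSU, "Created")).text = created
    ET.SubElement(env, q(SOAP, "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server: checks digest, freshness and nonce uniqueness, which the profile leaves to the implementor."""

    def __init__(self, passwords, window=timedelta(minutes=5)):
        self._passwords = passwords                # username -> password; the digest needs the password itself
        self.window = window
        self._seen = {}                            # (username, nonce) -> Created, kept for one window

    def _forget_expired(self, now):
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}

    def verify(self, envelope_xml, now=None):
        """Return the authenticated username, or raise ValueError before any state is updated."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(WSSE, 'UsernameToken')}")
        if token is None:
            raise ValueError("no UsernameToken")
        username = token.findtext(q(WSSE, "Username"), "")
        password = token.find(q(WSSE, "Password"))
        nonce_b64 = token.findtext(q(WSSE, "Nonce"), "")
        created = token.findtext(q(WSU, "Created"), "")
        if password is None or password.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
            raise ValueError("only complete PasswordDigest tokens are accepted")   # never PasswordText
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.window:
            raise ValueError("Created outside freshness window")
        nonce = base64.b64decode(nonce_b64)
        self._forget_expired(now)
        if (username, nonce) in self._seen:
            raise ValueError("replayed nonce")
        # An unknown user gets a digest over an empty password so the comparison runs the same way.
        expected = password_digest(nonce, created, self._passwords.get(username, ""))
        if not hmac.compare_digest(expected, password.text or ""):
            raise ValueError("bad digest")
        self._seen[(username, nonce)] = created_at
        return username


def _outcome(verifier, envelope_xml, now):
    try:
        return verifier.verify(envelope_xml, now=now)
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)       # fixed clock for a reproducible run
    body = "<p:Ping xmlns:p='urn:example:ping'/>"                   # constructed body
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"})
    fresh = build_envelope("alice", "correct horse battery", body, now=t0)
    stale = build_envelope("alice", "correct horse battery", body, now=t0 - timedelta(minutes=10))
    wrong = build_envelope("alice", "guess", body, now=t0)
    return {
        "fresh": _outcome(verifier, fresh, t0 + timedelta(seconds=2)),
        "replay": _outcome(verifier, fresh, t0 + timedelta(seconds=3)),   # same nonce a second time
        "stale": _outcome(verifier, stale, t0),
        "wrong_password": _outcome(verifier, wrong, t0),
    }
```

Two caveats follow from the construction itself. The digest binds the password to a nonce and a timestamp, but the verifier must still hold the password (or a value from which the same digest can be computed), so the server-side store is as sensitive as a cleartext password file. And nothing in the token protects the confidentiality of the body or the integrity of anything outside the token, which is why it is normally sent over TLS or alongside a signature that covers the Body and the token together.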
Use cases

End-to-end security

If a SOAP intermediary is required, and the intermediary is not fully trusted, messages need to be signed and optionally encrypted. This might be the case of an application-level proxy at a network perimeter that terminates TCP (Transmission Control Protocol) connections.

Non-repudiation

One method for non-repudiation is to write transactions to an audit trail that is subject to specific security safeguards. Digital signatures, which WS-Security supports, provide a more direct and verifiable non-repudiation proof.

Alternative transport bindings

Although almost all SOAP services implement HTTP bindings, in theory other bindings such as JMS or SMTP could be used; in this case end-to-end security would be required.

Reverse proxy/common security token

Even if the web service relies upon transport layer security, it might be required for the service to know about the end user if the service is relayed by an (HTTP) reverse proxy. A WSS header could be used to convey the end user's token, vouched for by the reverse proxy.
Issues

- If there are frequent message exchanges between service provider and consumer, the overhead of XML Signature and XML Encryption is significant. If end-to-end security is required, a protocol like WS-SecureConversation may reduce the overhead. If it is sufficient, use only encryption or only signing, as the combination of both is significantly slower than the mere sum of the single operations. See Performance below.
- The merging of several XML schemata like SOAP, SAML, XML Encryption and XML Signature might cause dependencies on different versions of library functions like canonicalization and parsing, which are difficult to manage in an application server.
- If only CBC mode encryption/decryption is applied, or if CBC mode decryption is applied without verifying a secure checksum (signature or MAC) before decryption, then the implementation is likely to be vulnerable to padding oracle attacks (Sabarnij).
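The padding-oracle issue above, worked through as an added example that is not part of the original article. XML Encryption uses AES or Triple DES in CBC mode; because the Python standard library has no AES, the block cipher here is a stand-in, a four-round Feistel network over 16-byte blocks with HMAC-SHA256 as its round function, an assumption made only so the code runs offline (the CBC layer, the PKCS#7 padding check and therefore the attack do not depend on which block cipher sits underneath). The first half is a decryptor whose only integrity check is the padding, and the attack that recovers the plaintext byte by byte from that single accept/reject bit; the second half verifies a MAC over IV and ciphertext before decrypting anything, which is the "secure checksum before decryption" the text calls for, and shows the same attack finding nothing to work with. Keys and plaintext are constructed for the demo.

```python
"""CBC padding oracle against a decryptor with no integrity check, and the encrypt-then-MAC fix.
Added example; the 4-round Feistel block cipher (HMAC-SHA256 round function) is a stand-in for the
AES or Triple DES CBC that XML Encryption actually uses, chosen so this runs on the standard library."""
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def feistel(key, block, decrypt=False):
    """4-round Feistel network; decryption is the same rounds in reverse order with the halves swapped."""
    left, right = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left if decrypt else left + right

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")            # the single bit of information the attack needs
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK             # PKCS#7 padding
    out, prev, padded = b"", iv, plaintext + bytes([n]) * n
    for i in range(0, len(padded), BLOCK):
        out += (prev := feistel(key, _xor(padded[i:i + BLOCK], prev)))
    return out

def cbc_decrypt(key, iv, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(_xor(feistel(key, c, True), p) for p, c in zip([iv] + blocks, blocks)))

def attack_block(oracle, prev, target):
    """Recover one plaintext block given oracle(iv, one_block) -> True iff the padding was valid."""
    inter = bytearray(BLOCK)                       # feistel(key, target, True), learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        pad_byte = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):            # steer the already-known suffix to decrypt to pad_byte
            forged[j] = inter[j] ^ pad_byte
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:                   # exclude an accidental longer padding such as 02 02
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad_byte
            break
        else:
            raise RuntimeError("oracle accepted nothing: no padding information leaks")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks))))

def seal(enc_key, mac_key, plaintext):
    """Hardened form: encrypt, then MAC the IV and ciphertext under a separate key."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")   # rejected before decryption; one error for any tampering
    return cbc_decrypt(enc_key, iv, ct)

def _accepts(decrypt):                             # what the attacker observes: accepted or rejected
    try:
        decrypt()
        return True
    except ValueError:
        return False

def demo():
    enc_key = hmac.new(b"demo-master-key", b"enc", hashlib.sha256).digest()   # constructed keys
    mac_key = hmac.new(b"demo-master-key", b"mac", hashlib.sha256).digest()
    secret, iv = b"<Amount>10</Amount><To>acct-42</To>", bytes(range(BLOCK))   # constructed input
    ciphertext = cbc_encrypt(enc_key, iv, secret)
    leaky = lambda iv_, ct_: _accepts(lambda: cbc_decrypt(enc_key, iv_, ct_))
    sealed = seal(enc_key, mac_key, secret)
    authenticated = lambda iv_, ct_: _accepts(lambda: open_sealed(enc_key, mac_key, iv_ + ct_ + sealed[-32:]))
    try:
        padding_oracle_attack(authenticated, sealed[:BLOCK], sealed[BLOCK:-32])
        blocked = False
    except RuntimeError:
        blocked = True
    return {"recovered": padding_oracle_attack(leaky, iv, ciphertext),
            "roundtrip": open_sealed(enc_key, mac_key, sealed), "hardened_blocked": blocked}
```

The attack needs only the distinction between "padding invalid" and anything else; in a SOAP deployment that distinction can come from a fault code, a different error message, or a timing difference, so the fix is not to hide the error but to make it unreachable: the MAC (or the XML Signature over the EncryptedData) is checked first, and a message that fails it is rejected without the ciphertext ever being decrypted. The demo's hardened oracle therefore returns the same answer for all 256 guesses at the first byte, and the attack gives up at once.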
Performance

WS-Security adds significant overhead to SOAP processing due to the increased size of the message on the wire and the XML and cryptographic processing, requiring faster CPUs and more memory and bandwidth.

An evaluation in 2005 (Liu, Pallickara and Fox) measured 25 types of SOAP messages of different size and complexity processed by WSS4J with both WS-Security and WS-SecureConversation on a Pentium 4/2.8 GHz CPU. Some findings were:
- Encryption was faster than signing.
- Encryption and signing together were 2–7 times slower than signing alone and produced significantly bigger documents.
- Depending on the type of message, WS-SecureConversation either made no difference or reduced processing time by half in the best case.
- It took less than 10 milliseconds to sign or encrypt an array of up to 100 kilobytes, but about 100–200 milliseconds to perform the same security operations on the SOAP message.

Another benchmark in 2006 (Lascelles and Flint) resulted in this comparison:

Security mechanism                                   Messages/second
WS-Security (X.509) XML Signature & Encryption        352
WS-SecureConversation XML Signature & Encryption      798
Transport Layer Security                             2918

History

Web services initially relied on the underlying transport security. In fact, most implementations still do. As SOAP allows for multiple transport bindings, such as HTTP and SMTP, a SOAP-level security mechanism was needed. The lack of end-to-end security because of the dependence on transport security was another factor.

The protocol was originally developed by IBM, Microsoft, and VeriSign. Their original specification (Atkinson et al.) was published on 5 April 2002 and was followed up by an addendum (Della-Libera, Hallam-Baker and Hondo) on 18 August 2002.

In 2002, two proposals were submitted to the OASIS WSS Technical Committee: Web Service Security (WS-Security) and Web Services Security Addendum. As a result, WS-Security was published:
- WS-Security 1.0 was released on 19 April 2004.
- Version 1.1 was released on 17 February 2006.

The version 1.0 standard published by OASIS contained a number of significant differences to the standard proposed by the IBM, Microsoft and VeriSign consortium. Many systems were developed using the proposed standard, and the differences made them incompatible with systems developed to the OASIS standard.

Some refer to the pre-OASIS specification as the "WS-Security Draft 13", or as the Web Services Security Core Specification. However, these names are not widely known, and today it is hard to clearly identify whether an application or server is using a pre- or post-OASIS specification. Most forum posts use the keyword "WSSE" to refer to the pre-OASIS version because it mandated the use of a "wsse" XML namespace prefix for its namespace URL (and similar URLs for the different versions).

The protocol is officially called WSS and is developed via committee in OASIS Open.

Associated specifications

The following draft specifications are associated with WS-Security: WS-Federation, WS-Privacy, WS-Test.

The following approved specifications are associated with WS-Security: WS-Policy, WS-SecureConversation, WS-Trust, ID-WSF.

The following architectures make use of WS-Security: TAS3.

Alternative

In point-to-point situations confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security (TLS), for example, by sending messages over HTTPS. WS-Security, however, addresses the wider problem of maintaining integrity and confidentiality of messages until after a message is sent from the originating node, providing so-called end-to-end security.

Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into XML before sending. A challenge in using TLS would be if messages needed to go through an application-level proxy server, as it would need to be able to see the request for routing. In such a case the server would see the request coming from the proxy, not the client; this could be worked around by giving the proxy a copy of the client's key and certificate, or by giving it a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is not operating on the message, it does not ensure end-to-end security, but only point-to-point security.
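An added example (not from the article, nor from any WS-Security stack) of the end-to-end property described in the end-to-end security use case and in the Alternative section above: the sender signs the SOAP Body, an intermediary rewrites the header, and the receiver checks the Body signature instead of trusting whichever connection the message arrived on. The ds:Signature structure follows XML Signature (a SignedInfo with a Reference to the wsu:Id of the Body, signed as a whole), but two substitutions are assumed so that it runs on the standard library alone (Python 3.8 or later): canonicalization uses the C14N 2.0 implementation in xml.etree where deployments normally use Exclusive C14N, and the signature algorithm is hmac-sha256, a legal XML Signature algorithm, with a constructed shared key in place of an RSA or ECDSA key pair, so this variant gives integrity but not non-repudiation. The bank transfer body, its namespace and the key value are constructed for the demo.

```python
"""Body signed end to end, header rewritten by an intermediary, signature checked by the receiver.
Added example. Assumed substitutions: C14N 2.0 from xml.etree instead of Exclusive C14N, and
hmac-sha256 (a legal XML Signature algorithm) with a constructed shared key in place of an RSA
or ECDSA key pair, so that nothing outside the standard library is needed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
BANK = "urn:example:bank"                          # constructed service namespace for the demo
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("b", BANK)):
    ET.register_namespace(prefix, uri)
KEY = b"shared-signing-key-for-the-demo"           # stand-in for the signer's private key


def q(ns, tag):
    return f"{{{ns}}}{tag}"


def c14n(element):
    """Canonical bytes of one subtree, so prefix or attribute-order changes en route do not matter."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()


def sign_body(envelope, key):
    """Sender: digest the Body, build ds:SignedInfo referencing it, sign SignedInfo, put it in wsse:Security."""
    body = envelope.find(q(SOAP, "Body"))
    body.set(q(WSU, "Id"), "Body")
    header = envelope.find(q(SOAP, "Header"))
    if header is None:
        header = ET.Element(q(SOAP, "Header"))
        envelope.insert(0, header)
    signature = ET.SubElement(ET.SubElement(header, q(WSSE, "Security")), q(DS, "Signature"))
    signed_info = ET.SubElement(signature, q(DS, "SignedInfo"))
    ET.SubElement(signed_info, q(DS, "CanonicalizationMethod"), Algorithm="http://www.w3.org/2010/10/xml-c14n2")
    ET.SubElement(signed_info, q(DS, "SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    reference = ET.SubElement(signed_info, q(DS, "Reference"), URI="#Body")
    ET.SubElement(reference, q(DS, "DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(reference, q(DS, "DigestValue")).text = base64.b64encode(
        hashlib.sha256(c14n(body)).digest()).decode()
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    return ET.tostring(envelope, encoding="unicode")


def verify_body(envelope_xml, key):
    """Receiver: accept only if SignedInfo is authentic and it covers the soap:Body actually present."""
    env = ET.fromstring(envelope_xml)
    signature = env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(DS, 'Signature')}")
    body = env.find(q(SOAP, "Body"))
    signed_info = signature.find(q(DS, "SignedInfo")) if signature is not None else None
    if body is None or signed_info is None:
        return False
    expected_mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    given_mac = base64.b64decode(signature.findtext(q(DS, "SignatureValue"), ""))
    if not hmac.compare_digest(expected_mac, given_mac):
        return False
    reference = signed_info.find(q(DS, "Reference"))
    # The Reference must resolve to the Body the service will act on, not to any element carrying that Id.
    if reference is None or reference.get("URI", "") != "#" + (body.get(q(WSU, "Id")) or ""):
        return False
    digest = base64.b64encode(hashlib.sha256(c14n(body)).digest()).decode()
    return hmac.compare_digest(digest, reference.findtext(q(DS, "DigestValue"), ""))


def proxy_add_end_user_token(envelope_xml, end_user):
    """Reverse proxy vouching for the end user: appends a UsernameToken to the header, Body untouched."""
    env = ET.fromstring(envelope_xml)
    security = env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}")
    ET.SubElement(ET.SubElement(security, q(WSSE, "UsernameToken")), q(WSSE, "Username")).text = end_user
    return ET.tostring(env, encoding="unicode")


def proxy_tamper_body(envelope_xml):
    """Hostile or compromised hop: changes the amount inside the Body."""
    env = ET.fromstring(envelope_xml)
    env.find(f"{q(SOAP, 'Body')}/{q(BANK, 'Transfer')}/{q(BANK, 'Amount')}").text = "1000000"
    return ET.tostring(env, encoding="unicode")


def demo():
    envelope = ET.fromstring(                      # constructed request
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
        f'<b:Transfer xmlns:b="{BANK}"><b:To>acct-42</b:To><b:Amount>10</b:Amount></b:Transfer>'
        '</soap:Body></soap:Envelope>')
    signed = sign_body(envelope, KEY)
    return {
        "direct": verify_body(signed, KEY),
        "header_rewritten_by_proxy": verify_body(proxy_add_end_user_token(signed, "alice"), KEY),
        "body_changed_by_proxy": verify_body(proxy_tamper_body(signed), KEY),
        "wrong_key": verify_body(signed, b"other-key"),
    }
```

The first proxy models the reverse-proxy use case: it appends an end-user UsernameToken to the wsse:Security header, which the Body signature does not cover, so verification still succeeds (whether to believe that token is a separate decision about how much the proxy is trusted, and a real deployment would have the proxy sign it or deliver it over an authenticated hop). The tampering proxy changes the Body, and the digest mismatch is caught no matter how the message travelled, which is the difference between point-to-point and end-to-end security that the text describes. The verifier also insists that the Reference resolves to the soap:Body element the service will act on, not merely to some element carrying that wsu:Id, so a valid signature over a different element cannot be passed off as covering the Body.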
See also

- WS-Security based products and services
- SAML
- WS-I Basic Security Profile
- X.509
- XACML, the standard for fine-grained dynamic authorization

References

- Sabarnij, Sergej: "Padding Oracle Attacks – breaking theoretical secure cryptosystems in the real world" (PDF). Ruhr Universität Bochum.
- Hongbin Liu, Shrideep Pallickara, Geoffrey Fox: "Performance of Web Services Security" (PDF). Archived from the original on 24 February 2021; retrieved 12 January 2010.
- Francois Lascelles, Aaron Flint: "WS Security Performance. Secure Conversation versus the X509 Profile".
- Bob Atkinson, et al.: "Web Services Security (WS-Security)". msdn.microsoft.com.
- Bob Atkinson, et al.: "Web Services Security (WS-Security)". schemas.xmlsoap.org.
- Giovanni Della-Libera, Phillip Hallam-Baker, Maryann Hondo: "Web Services Security Addendum".
- OASIS Web Services Security TC.
- "Web Services Security: SOAP Message Security – Working Draft 13". schemas.xmlsoap.org.

External links

- Web Services Security 1.1.1 (contains links to download the specification documents)
- WS-I Basic Security Profile
- Web Services Security Documentation
- WSS4J (WS-Security Java implementation from Apache)
- Apache Rampart (WS-Security Java implementation from Apache Axis2)
- WSIT: Web Services Interoperability Technologies, which enable interoperability between the Java platform and Windows Communication Foundation (WCF)
- python ws-security example

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.