
New tools improve Web services security

by Nikola Strahija on November 7th, 2002

On the Internet, Web services have been relegated to primarily read-only public services such as ZIP code lookups and Web search engine interfaces. Companies using Web services for intranet or extranet development have found compelling enterprise application integration uses for the technology, but only in circumstances in which both systems had well-defined interfaces and secure links.

That's because, without extending the standards, the existing Web services protocols had no provision for security beyond whatever the underlying platform provided. And without a way to route the SOAP messages generated by Web services reliably, either around servers that are down or along the most efficient path, Web services clients couldn't guarantee that messages would actually be sent and received between them and the servers hosting the Web services.

IBM, Microsoft, and other members of the Web Services Interoperability group (WS-I) have been working for months to agree on security and routing principles to define how development products would implement new extensions to support Web services security and routing. These principles made a big step from the theoretical into reality recently with Microsoft's first release of its Web Services Software Development Kit (WS-SDK).

The standards effort
Perhaps the most important thing to point out about the WS-SDK is that it is Microsoft's implementation of the WS-Security specification published on April 11, 2002. This joint IBM, Microsoft, and Verisign publication of the specification was also submitted to OASIS on June 27. (The public specification was updated on August 20 by IBM, Microsoft, and VeriSign.) In the coming weeks, IBM, BEA, Oracle, and other key WS-I members, who market development tools, will release either toolkits or beta versions that support the now-published specification. Within the next six months, I expect these vendors to release final versions of toolkits that will allow organizations to use the products to create secure, routable Web-services-based applications that work cross-platform without any additional coding or configuration.

The best way to understand how these standards will provide that flexibility is by examining the core elements of the WS-SDK.

The WS-Security standard
Security is the most important issue that companies need to resolve before Web services become usable on public networks. WS-Security describes enhancements to SOAP messaging that provide a means to guarantee message integrity and confidentiality. The standard wasn't designed around a specific security model or encryption technology but was designed to accommodate existing and future technologies in a generic way.

WS-Security also provides a general-purpose mechanism for associating security tokens with messages, which could be useful in a scenario in which, for example, an ISO-9000-certified manufacturer only wants to buy parts from another ISO-9000-certified supplier. In this scenario, rather than requiring the manufacturer to maintain certification information manually, the supplier could electronically request an ISO-9000 certification token from the standards organization and then submit that token along with proof of identity and its message containing bid information for parts it wishes to supply. The proof of identity can be contained in existing X.509 certificates or Kerberos tickets. WS-Security describes how to encode these binary security tokens.
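As an added illustration (not code from the article, the WS-SDK or any vendor toolkit), the Python below builds a SOAP message whose WS-Security header carries an X.509 certificate as a BinarySecurityToken, and shows the receiver-side checks a service should make before it trusts that token. It assumes the namespace and type URIs of the OASIS WS-Security 1.0 X.509 token profile rather than the 2002 draft URIs, and the DER bytes are a constructed stand-in, not a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

# URIs from the OASIS WS-Security 1.0 X.509 token profile; the 2002 drafts the
# article covers used draft URIs under schemas.xmlsoap.org/ws/2002/.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP, "wsse": WSSE}

# Constructed stand-in for DER certificate bytes; not a real X.509 certificate.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"

def build_envelope(der_cert: bytes, body_xml: str) -> str:
    """Sender side: wrap body_xml in a SOAP envelope whose wsse:Security header
    carries der_cert as a base64-encoded X.509v3 BinarySecurityToken."""
    token = base64.b64encode(der_cert).decode("ascii")
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">'
        '<soap:Header><wsse:Security soap:mustUnderstand="1">'
        f'<wsse:BinarySecurityToken ValueType="{X509V3}" EncodingType="{B64}">'
        f"{token}</wsse:BinarySecurityToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )

def extract_token(envelope: str) -> bytes:
    """Receiver side: DER bytes of the single X.509v3 token in the Security
    header. Raises ValueError (missing/duplicate header, foreign token type or
    encoding, bad base64) so the message is rejected before any cert/signature check."""
    root = ET.fromstring(envelope)
    headers = root.findall("soap:Header/wsse:Security", NS)
    if len(headers) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    tokens = headers[0].findall("wsse:BinarySecurityToken", NS)
    if len(tokens) != 1:
        raise ValueError("expected exactly one BinarySecurityToken")
    tok = tokens[0]
    if tok.get("ValueType") != X509V3 or tok.get("EncodingType") != B64:
        raise ValueError("unsupported token ValueType or EncodingType")
    # validate=True turns stray non-alphabet characters into an error.
    return base64.b64decode((tok.text or "").strip(), validate=True)

def token_is_acceptable(envelope: str) -> bool:
    """Boolean gate for the receiver: True only if extract_token succeeds."""
    try:
        extract_token(envelope)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The extracted DER bytes would then be handed to the platform's certificate-chain validation and the message signature verified; those steps are outside this snippet.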

Although Microsoft, IBM, and other key players have agreed to follow WS-I standards, there are still holdouts, most notably Sun, which is pressing the W3C to aid in the standards process and is also championing other standards such as the Security Assertion Markup Language (SAML) and the eXtensible rights Markup Language (XrML).

The WS-I anticipated the need for interoperability with non-WS-I participants, so it has also released the Web Services Security Profile for XML-based Tokens. This document describes how to use XML-based tokens such as SAML or XrML with the WS-Security specification.
