WS-Security specifies extensions to the SOAP message that provide security at the message level. WS-Security is an extensible protocol, so it can support multiple security models and encryption technologies. WS-Security focuses on the following areas of security:
Like other WS-* specifications, WS-Security implements the concept by putting extra elements in the SOAP header. The basic elements of the WS-Security specification are:
The current version of the WS-Security core specification is 1.1, which can be downloaded [http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os...|here]. WS-Security has strived to be extensible so that it can serve the basic needs of different security models, which include:
WS-Security specifies the format in which security information is sent. The information is sent as part of the SOAP header. WS-Security does not deal with implementation details such as how the authentication context needs to be set up. In simple terms, WS-Security tells you how to specify the security details in the SOAP header. People have been doing custom security handling by introducing their own headers. However, this leads to non-standardization, and tools and frameworks cannot help out. WS-Security supports both SOAP 1.1 and SOAP 1.2.
WS-Security supports the following namespaces:
All the information about security is put in the SOAP header, in a Security element:
<soap:Envelope>
  <soap:Header>
    ...
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex...
        soap:actor="..." soap:mustUnderstand="...">
      <!-- All the security information goes here. The actor attribute tells who
           will process the request. The mustUnderstand attribute signifies that this
           header must be processed; if the receiver is unable to process it, a SOAP
           fault should be raised. -->
    </wsse:Security>
    ...
  </soap:Header>
  ...
</soap:Envelope>
Sending Credentials
The user credentials can be passed as a username and password:
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>oyejava</wsse:Username>
    <wsse:Password>oyejava</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
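An added example, not from the original page: a Python check that a receiving service might run on the header above. It reports whether the UsernameToken carries the password in clear text, as in the snippet, or as a PasswordDigest from the OASIS UsernameToken Profile 1.0, which goes beyond what this page covers. The function names, the `lookup_password` callback and the sample message are assumptions; the namespace and type URIs are the OASIS WSS 1.0 ones.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Namespace / type URIs from OASIS WSS 1.0 and the UsernameToken Profile 1.0.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
      "wsse": WSS + "wssecurity-secext-1.0.xsd",
      "wsu": WSS + "wssecurity-utility-1.0.xsd"}
TEXT = WSS + "username-token-profile-1.0#PasswordText"
DIGEST = WSS + "username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def inspect_username_token(envelope: bytes, lookup_password):
    """Return (username, verdict) for the UsernameToken in wsse:Security."""
    if b"<!DOCTYPE" in envelope:   # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None, "no-token"
    user = token.findtext("wsse:Username", "", NS)
    pw = token.find("wsse:Password", NS)
    if pw is None:
        return user, "no-password"
    ptype = pw.get("Type", TEXT)   # a missing Type attribute means PasswordText
    if ptype == TEXT:
        return user, "plaintext"   # readable by anyone who can see the message
    if ptype != DIGEST:
        return user, "unknown-type"
    nonce = base64.b64decode(token.findtext("wsse:Nonce", "", NS))
    created = token.findtext("wsu:Created", "", NS)
    expected = password_digest(nonce, created, lookup_password(user)).encode()
    ok = hmac.compare_digest(expected, (pw.text or "").strip().encode())
    # A real receiver must also reject stale Created values and replayed nonces.
    return user, "digest-ok" if ok else "digest-mismatch"

def sample_envelope(password_xml: str) -> bytes:
    """Constructed sample message; the username is the one used on the page."""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}"'
            f' soap:mustUnderstand="1"><wsse:UsernameToken>'
            f'<wsse:Username>oyejava</wsse:Username>{password_xml}'
            f'</wsse:UsernameToken></wsse:Security></soap:Header>'
            f'<soap:Body/></soap:Envelope>').encode()
```

Passing `sample_envelope("<wsse:Password>oyejava</wsse:Password>")` yields the `plaintext` verdict, because a Password element without a Type attribute is treated as PasswordText.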
The user credentials can also be sent in an encoded format using BinarySecurityToken:
<BinarySecurityToken Id=...
EncodingType=...
ValueType=.../>
Security Token Reference
Let's now look at the security token reference. It helps us refer to different parts of the SOAP message using an id.
<soap:Envelope xmlns="...">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="...">
      <ds:Signature>
        ...
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="soapBody"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    ...
  </soap:Body>
</soap:Envelope>