The WS-Security specification provides three mechanisms for securing Web services at the message level. The three mechanisms are authentication, integrity, and confidentiality.
The authentication mechanism uses a security token to validate the user and to determine whether a client is valid in a particular context. A client can be an end user, a machine, an application, or an import. Without authentication, an attacker can use spoofing techniques to send a modified SOAP message to the service provider.
In authentication, a security token is inserted in the request message of an import. Depending on the type of security token that is being used, the security token may also be inserted in the response message of an export. Several types of security tokens are used in authentication, including:
Username tokens validate a user name and password. They are the sole means of security in basic authentication (for this reason, basic authentication should only be used in secure networks, such as HTTPS sites or corporate intranets). When a Web service server receives a username token, it extracts the user name and password and passes them to a user registry for verification. If the user name and password combination is valid, the result is returned to the server and the message is accepted and processed. When used in basic authentication, username tokens are typically passed only in the request message of an import; they are not passed in the response message of an export.
The integrity mechanism uses message signing to ensure that information is not altered or lost, whether maliciously or accidentally. When integrity is implemented, an XML digital signature is generated over the contents of a SOAP message. If the message data is modified, the signature fails validation. Without integrity, an attacker can use tampering techniques to intercept a SOAP message between the Web service client and server and then modify it.
The confidentiality mechanism uses message encryption to ensure that no unauthorized party or process can access or disclose the information in the message. When a SOAP message is encrypted, only a service that holds the confidentiality key can decrypt and read it. Without confidentiality, an attacker can use eavesdropping techniques to intercept a SOAP message and read the information it contains.