WebSphere Message Brokers
File: ac55640_
Writer: Kate Hostler

Concept topic

This build: July 31, 2007 21:21:07

WS-Security mechanisms

The WS-Security specification provides three mechanisms for securing Web services at the message level. The three mechanisms are authentication, integrity, and confidentiality.

Authentication

This mechanism uses a security token to identify the caller and determine whether that client is valid in a particular context. A client can be an end user, machine, application, or import. Without authentication, an attacker can use spoofing techniques to send a modified SOAP message to the service provider.

In authentication, a security token is inserted in the request message of an import. Depending on the type of security token that is being used, the security token may also be inserted in the response message of an export. Several types of security tokens are used in authentication, including:

Username tokens are used simply to validate user names and passwords. They are the sole means of security in basic authentication (for this reason, basic authentication should be used only over a secure transport such as HTTPS or within a trusted corporate intranet). When a Web service server receives a username token, it extracts the user name and password and passes them to a user registry for verification. If the user name and password combination is valid, the result is returned to the server and the message is accepted and processed. When used in basic authentication, username tokens are typically passed only in the request message of an import and not in the response message of an export.
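As an added example (not part of the original IBM documentation), the following Python sketch shows the username-token exchange described above: the client inserts a wsse:UsernameToken into the Security header of the request, and the server extracts the user name and password and checks them against a registry. It uses the PasswordDigest form defined by the OASIS UsernameToken Profile 1.0 rather than a plaintext password, and adds nonce and timestamp checks so that a captured token cannot simply be resent; the registry, nonce cache and user "alice" are constructed stand-ins, not WebSphere components.

```python
import base64, datetime, hashlib, hmac, os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_request(username: str, password: str, body_xml: str) -> str:
    # Client side: insert a UsernameToken into the Security header of the request message.
    nonce, created = os.urandom(16), datetime.datetime.now(datetime.timezone.utc).strftime(TS_FMT)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
            f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>')

REGISTRY = {"alice": "s3cret"}  # constructed stand-in for the server's user registry
SEEN_NONCES = set()             # nonce cache so a captured token cannot be replayed

def verify_request(envelope: str, max_skew_s: int = 300) -> bool:
    # Server side: extract the token, check it against the registry, reject stale or replayed tokens.
    try:
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False
        user, pw = tok.findtext(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
        nonce_b64, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST or not nonce_b64 or not created:
            return False  # only the digest form is accepted; a plaintext password element is rejected
        created_dt = datetime.datetime.strptime(created, TS_FMT).replace(tzinfo=datetime.timezone.utc)
        if abs((datetime.datetime.now(datetime.timezone.utc) - created_dt).total_seconds()) > max_skew_s:
            return False  # stale or future-dated token
        nonce = base64.b64decode(nonce_b64, validate=True)
        if nonce in SEEN_NONCES or user not in REGISTRY:
            return False  # replayed nonce, or user not in the registry
        if not hmac.compare_digest(pw.text or "", password_digest(nonce, created, REGISTRY[user])):
            return False
        SEEN_NONCES.add(nonce)
        return True
    except (ET.ParseError, ValueError, TypeError):  # malformed XML, bad timestamp or bad base64
        return False
```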

Integrity

This mechanism uses message signing to ensure that information is not modified or lost, whether by unauthorized action or by accident. When integrity is implemented, an XML digital signature is generated over the contents of a SOAP message. If the message data is altered, signature validation fails. Without integrity, an attacker can use tampering techniques to intercept a SOAP message between the Web service client and server and then modify it.

Confidentiality

This mechanism uses message encryption to ensure that no unauthorized party or process can access or disclose the information in the message. When a SOAP message is encrypted, only a service that knows the key for confidentiality can decrypt and read the message. Without confidentiality, an attacker can use eavesdropping techniques to intercept a SOAP message and read the contained information.

Related concepts
WS-Security
SOAP message encryption
SOAP message signing
Related tasks
Adding authentication tokens to a SOAP message
Specifying encryption or signing for a SOAP message
Signing or encrypting WS-addressing headers
Copyright IBM Corporation 1999, 2007. All Rights Reserved.