Web Services Security

SOAP security standards

Standalone applications have always been prone to security concerns, and security was usually treated as an afterthought in the development cycle.

With the advent of web services over networks, security has become even more important: many security concerns have been brought to light, and attackers are increasingly targeting applications exposed over the web.

To reduce costs, security is often neglected in projects. If it is fully integrated into the development cycle, strong security can be planned and built in to shield both standalone applications and applications exposed over the web, and a process can be established to re-evaluate, monitor and identify potential threats.

Enough about security in general; let us now focus on the security components that developers and architects of web services need to keep in mind.

Authentication

A user, an application or a process first needs to be identified and verified by the authentication step. This is the first step in making sure that the entity trying to access a web service is known and trusted. This process is usually implemented with a username/password combination, a security PIN, a swipe card or a fingerprint scan. In a web service context, authentication usually occurs through certificates.

Authorization

An authenticated entity such as a user, application or process must then satisfy the permission restrictions applied to a resource. In this case, that could be a write or delete operation on the XML files or databases of a web service. If the authenticated entity has an adequate access right or role, access to the intended resource is granted; otherwise access is denied.


Auditing & Logging

Auditing is the process of recording the usage of the various system components, the access attempts and the access duration, and logging these details in a logging system. System components can be a database, operating system resources and application files.

Integrity

Integrity comes into the picture when data is in transit: the focus should be on securing the data so that it cannot be altered on the way, thereby ensuring its integrity.

Encryption & Decryption

Encryption is the process of ciphering data with a mathematical algorithm (a cipher that transforms the data through patterns of substitution and shifting under a key) before sending it over a network to the destination receiver, to protect it from an intermediary data thief. Hash functions, although also mathematical, are one-way and cannot be reversed, so they serve integrity rather than confidentiality.

Decryption reverses the process, deciphering the encrypted data with the corresponding algorithm and key to recover the data in its original state.


Web Security standards

Web security standards are available in wide variety over the internet; among them, OASIS (the Organization for the Advancement of Structured Information Standards) publishes the web security standard for SOAP messaging called WS-Security.

WS-Security involves a number of related standards which, combined together, can transform our environment into a fully secured zone. Most of these security standards rely on passing tokens to handle authentication and authorization.

Token profiles can be implemented in various ways:

  • WS-Security Username
  • WS-Security Kerberos
  • WS-Security SAML
  • WS-Security X.509 Certificate
  • WS-Security REL


WS-Security Username

This profile specifies how logon credentials can be transmitted when using SOAP WS-Security messaging.


WS-Security Kerberos

This profile allows us to use Kerberos tickets with WS-Security SOAP messaging.


WS-Security SAML

The WS-Security Security Assertion Markup Language (SAML) token profile is used to identify entities, carry their authorization credentials and respond with authorization verdicts.


WS-Security REL

This profile uses the Rights Expression Language (REL) to complete authorization in Simple Object Access Protocol (SOAP) messaging using authorization tokens and attribute licenses.


WS-Security X.509 Certificate

This profile facilitates the use of X.509 certificates, which hold the user/process identity and other details.

The WS-Security family includes various OASIS standards such as WS-Trust, WS-Federation, WS-SecureConversation, the WS-Policy framework and WS-SecurityPolicy.

These standards define a protocol and a Security Token Service (STS) for requesting and issuing security tokens.

Clients issue a token request in order to access resources. To establish trust between the client and the service, the tokens are created by the service provider according to the agreement between the security policies of each client and the service provider.

For a more detailed explanation, please refer to the OASIS site.

SAML and XACML are two security standards recognized by OASIS that are not part of WS-Security but work in conjunction with WS-Security standards such as WS-Federation and WS-Trust.

More details will be included in practical demos as part of other articles covering security-related concepts.

Written by Ramesh Metta
