WS-I Basic Security Profile 1.0
The Basic Security Profile was created to address the interoperability issues of secured web services. The profile addresses several key areas listed next:
- Transport Layer Security
- SOAP Message Security
- Username Token Profile
- X.509 Certificate Token Profile
- XML-Signature
- XML Encryption, Algorithms
- Relationship of Basic Security Extension Profile to Basic Profile
- Attachment security
The security profile does not completely guarantee interoperability. However, it addresses the most common problems experienced in practical implementations to increase the probability of interoperability.
The profile focuses on the interoperability characteristics of two main technologies:
- HTTP over TLS—technology that protects the confidentiality of all information that flows over an HTTP connection
- SOAP Message Security
The profile does not prohibit the use of any encryption algorithm; however, it recommends some TLS and SSL cipher suites.
It is a requirement that the partners exchanging the messages must agree on the following:
- Which elements must be signed and/or encrypted
- Which elements may be signed and/or encrypted
- Which security tokens must be present
- Which security tokens may be present
The profile puts the following conditions on the applications:
The Envelope, Header, or Body elements must not be encrypted. Encrypting these elements breaks the SOAP processing model and is therefore prohibited.
A SOAP intermediary INSTANCE MUST NOT remove or modify any HEADER_ELEMENT unless that SOAP intermediary is acting in the role specified by the S11:actor attribute of that HEADER_ELEMENT.
Messages may be signed and encrypted, potentially by multiple entities signing and encrypting overlapping elements. A signature applied before encryption has different security properties than encryption applied before a signature.
SOAP Message Security defines a Timestamp element for use in SOAP messages (a Timestamp must contain only one Created and only one Expires element).
Thus, to create interoperable secured web services, the conditions just listed must be satisfied. Note that the list is by no means complete, and the reader is referred to the WS-I site (http://www.ws-i.org) for full coverage of the security profile. The previous discussions merely give an overview of what is required to create secured interoperable web services.
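Two of the conditions above can be checked mechanically on a received message. The following is an added example, not code from the original page or from WS-I: it flags element-level encryption of the Envelope, Header or Body and counts the Created and Expires children of each Timestamp. The function name, the sample messages and the reading that Expires is optional (at most one) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = WSS + "secext-1.0.xsd", WSS + "utility-1.0.xsd"

def check_message(xml_text):
    """Return a list of violations found (empty list = none found)."""
    # Samples below are constructed; for untrusted input prefer a hardened
    # parser such as defusedxml.
    root = ET.fromstring(xml_text)
    # Element-level XML Encryption replaces the element with
    # xenc:EncryptedData, so an encrypted Envelope is a root of another type.
    if root.tag != f"{{{S11}}}Envelope":
        return ["root is not S11:Envelope"]
    problems = []
    children = [child.tag for child in root]
    if f"{{{XENC}}}EncryptedData" in children:
        problems.append("Header or Body replaced by EncryptedData")
    if children.count(f"{{{S11}}}Body") != 1:
        problems.append("Body missing or repeated")
    for ts in root.iter(f"{{{WSU}}}Timestamp"):
        created = len(ts.findall(f"{{{WSU}}}Created"))
        expires = len(ts.findall(f"{{{WSU}}}Expires"))
        if created != 1:
            problems.append(f"Timestamp has {created} Created elements")
        if expires > 1:  # assumption: Expires may be absent, never repeated
            problems.append(f"Timestamp has {expires} Expires elements")
    return problems

def envelope(timestamp_children, body):
    """Build a constructed sample message (hypothetical helper)."""
    return (f'<S:Envelope xmlns:S="{S11}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:xenc="{XENC}"><S:Header><wsse:Security>'
            f"<wsu:Timestamp>{timestamp_children}</wsu:Timestamp>"
            f"</wsse:Security></S:Header>{body}</S:Envelope>")

CREATED = "<wsu:Created>2024-01-01T00:00:00Z</wsu:Created>"
EXPIRES = "<wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires>"
# Encrypted data inside Body keeps the Body element itself in the clear.
GOOD = envelope(CREATED + EXPIRES, "<S:Body><xenc:EncryptedData/></S:Body>")
# Body encrypted as a whole element, plus a duplicated Created.
BAD = envelope(CREATED + CREATED, "<xenc:EncryptedData/>")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_message(msg) or "no violations found")
```

A clean result only means these two conditions hold; the other requirements of the profile are not covered by this check.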







