The Basic Security Profile was created to address the interoperability issues of secured web services. The profile addresses several key areas listed next:
The security profile does not completely guarantee interoperability. However, it addresses the most common problems experienced in practical implementations to increase the probability of interoperability.
The focus is on the interoperability characteristics of two main technologies:
It does not prohibit the use of any encryption algorithms; however, it recommends some TLS and SSL cipher suites.
The partners exchanging the messages must agree on the following:
The profile puts the following conditions on the applications:
The Envelope, Header, or Body elements must not be encrypted. Encrypting these elements breaks the SOAP processing model and is therefore prohibited.
A SOAP intermediary INSTANCE MUST NOT remove or modify any HEADER_ELEMENT unless that SOAP intermediary is acting in the role specified by the S11:actor attribute of that HEADER_ELEMENT.
Messages may be signed and encrypted, potentially by multiple entities signing and encrypting overlapping elements. A signature applied before encryption has different security properties than encryption applied before a signature.
SOAP Message Security defines a Timestamp element for use in SOAP messages. (A Timestamp must contain only one Created and Expires element.)
Thus, to create interoperable secured web services, the conditions just listed must be satisfied. Note that the list is by no means complete, and the reader is referred to the WS-I site (http://www.ws-i.org) for full coverage of the security profile. The previous discussions merely give an overview of what is required to create secured interoperable web services.
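As an added example (not part of the original tutorial or of the WS-I profile text), the Python code below checks two of the conditions listed above on a SOAP 1.1 message: that Envelope, Header and Body remain cleartext elements, and that each Timestamp carries only one Created and Expires. The function name, the sample messages, the DTD rejection and the reading of "only one" as exactly one Created and at most one Expires are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def check_message(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    if "<!DOCTYPE" in xml_text:
        # Added hardening (assumption): refuse DTDs before handing input to the parser.
        return ["message contains a DTD"]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{S11}}}Envelope":
        return [f"root is {root.tag}, not a cleartext SOAP 1.1 Envelope"]
    findings = []
    kids = [child.tag for child in root]
    # EncryptedData sitting where Header or Body belongs means the element
    # itself was encrypted, not just its content.
    if f"{{{XENC}}}EncryptedData" in kids:
        findings.append("EncryptedData is a direct child of Envelope")
    if f"{{{S11}}}Body" not in kids:
        findings.append("no cleartext Body element")
    for ts in root.iter(f"{{{WSU}}}Timestamp"):
        created = len(ts.findall(f"{{{WSU}}}Created"))
        expires = len(ts.findall(f"{{{WSU}}}Expires"))
        # Assumption: "only one" = exactly one Created, at most one Expires.
        if created != 1:
            findings.append(f"Timestamp has {created} Created elements")
        if expires > 1:
            findings.append(f"Timestamp has {expires} Expires elements")
    return findings

def _envelope(timestamp_children, body):
    # Builds a constructed sample message around the given fragments.
    return (f'<s:Envelope xmlns:s="{S11}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:xenc="{XENC}"><s:Header><wsse:Security>'
            f'<wsu:Timestamp>{timestamp_children}</wsu:Timestamp>'
            f'</wsse:Security></s:Header>{body}</s:Envelope>')

CREATED = "<wsu:Created>2024-01-01T00:00:00Z</wsu:Created>"
# Constructed samples: GOOD encrypts only the Body's content; BAD replaces the
# Body element with EncryptedData and repeats Created inside the Timestamp.
GOOD = _envelope(CREATED + "<wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires>",
                 "<s:Body><xenc:EncryptedData/></s:Body>")
BAD = _envelope(CREATED + CREATED, "<xenc:EncryptedData/>")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_message(msg))
```

A receiver or test harness can run a check like this before signature verification and decryption, so that structurally non-conformant messages are rejected early.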