WS-Security Protocol

Ramkumar Chandrasekharan

CS 265

Web Services (WS)
  • A service available over Internet

Standard protocols: HTTP, SMTP, FTP

  • Is based on XML messaging system

SOAP (Simple Object Access Protocol), XML-RPC

  • A WS should be self describing

WSDL: Web Services Description Language

  • Discoverable

UDDI: Universal Description Definition Interface

Consuming a Web Service

1) Client discovers the WS from the UDDI registry to which the WS has published itself

2) Client retrieves the WSDL file pointed to by UDDI

3) Client creates SOAP packets with the appropriate Web Service calls

4) Client invokes the Web Service method over HTTP, SMTP, etc.

5) Response is received from the WS, also as a SOAP packet

WS is not secure
  • XML messages travel over the network as text. Anybody can easily sniff and read them.
  • SSL secures the transport layer but does not guarantee end-to-end security. SSL also encrypts everything, which can be resource-expensive.
  • Many ways of securing WS at the message layer are possible; WS-Security is a standard way of securing WS.
WS-Security
  • WS-* Specs

Standardizing various pieces of Web Services, e.g., Security, Policy, Messaging, etc.

  • Various standards orgs (OASIS, W3C, etc.) and corporations (IBM, MS, Verisign, etc.) are involved
WS-Security
  • SOAP header carries security info
  • XML Encryption standard is used for encryption
  • XML Signature standard is used for Digital Signature
SOAP Security Header

<wsse:Security soap:role="….">

All the security-related mechanisms, like security tokens, encryption and signatures, go here

WS-Security Tokens
  • Authentication mechanisms:
  • UsernameToken

Plaintext, or hashed: Base64 encoding of SHA-1(Nonce + Created + Password)

  • BinarySecurityToken based on Kerberos or X.509 certificates
XML Encryption
  • Provides end-to-end security
  • Selective encryption
  • Very simple to do; let's say there is an XML doc, e.g.:
XML before encryption:

<?xml version='1.0'?>

<Name>John </Name>

<Number> 1234567</Number>

XML after encryption:

<?xml version='1.0'?>

<Name>John </Name>

XML Encryption
XML Signature
  • Standard schema for digital signatures on XML docs
  • Selective signing of XML docs, that is, portions of XML docs can be signed
  • It's not as simple as XML encryption
XML Signature Schema
  • <Signature>

<CanonicalizationMethod />

<SignatureMethod />

<Reference URI=" "> (0 or more)

<SignatureValue /> - Digest of SignedInfo

<KeyInfo/> (Optional)

WS-Security Demo

Using WSE 2.0

  • Web services are going to create a revolution in distributed computing, and standards like WS-Security help bring security to Web Services.
  • With Web Services, the vision of Vint Cerf, “father of the Internet”, could be achieved. He said “it won’t be long before your bathroom scale surreptitiously transmits your weight to your doctor, who might command a stop to the rocky road ice cream your fridge automatically orders for you from”.