I know you all get annoyed with high-level articles, but I felt it was important to get one out there that simply went after the high-level benefits of WS-Security and why you would want to use Web Services Enhancements (WSE). I compiled a slew of internal and external discussions and worked with Benjamin Mitchell to get this article written. Tell me what you think. What benefits have you gained? Are they in line with what is compiled in this article?

In my mind, the two most powerful new concepts in the Web Services Architecture that did not exist in previous distributed computing infrastructures are Policy and Message Level Security. I describe policy simply, i.e., the ability to describe how you communicate with a service beyond what data to send, e.g., your security requirements. As far as Message Level Security is concerned, I love:

  • the service-oriented audit trail - the idea that intermediaries can put information in the message header stating what they have done with the message and then sign that additional information for auditing purposes
  • the flexibility of choosing what types of tokens you use to sign, encrypt, authenticate, and authorize with
  • the flexibility of choosing what parts of the message to sign and encrypt with what tokens

What strikes you about Message Level Security and policy?
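
A simplified model of the three properties listed above, added here as an illustration and not taken from the article or from WSE. HMAC-SHA256 over JSON stands in for XML Signature, and the token names, keys and message layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys standing in for security tokens (assumption: symmetric
# keys replace the token types a real WS-Security deployment would use).
TOKENS = {"client": b"client-demo-key", "gateway": b"gateway-demo-key"}

def _canonical(message, part_ids):
    # Serialize only the referenced parts, in a fixed order.
    covered = {pid: message["parts"][pid] for pid in sorted(part_ids)}
    return json.dumps(covered, sort_keys=True).encode()

def sign_parts(message, token_id, part_ids):
    """Append a signature that covers only the named parts."""
    mac = hmac.new(TOKENS[token_id], _canonical(message, part_ids), hashlib.sha256)
    message["signatures"].append(
        {"token": token_id, "refs": sorted(part_ids), "value": mac.hexdigest()})

def add_audit_entry(message, token_id, note):
    """Intermediary records what it did in a new header part and signs it."""
    part_id = f"audit-{token_id}"
    message["parts"][part_id] = note
    sign_parts(message, token_id, [part_id])

def verify(message):
    """Return (token, refs) for every signature that no longer verifies."""
    failed = []
    for sig in message["signatures"]:
        try:
            key = TOKENS[sig["token"]]
            data = _canonical(message, sig["refs"])
            expected = hmac.new(key, data, hashlib.sha256).hexdigest()
            ok = hmac.compare_digest(expected, sig["value"])
        except KeyError:  # unknown token, or a signed part was removed
            ok = False
        if not ok:
            failed.append((sig["token"], tuple(sig["refs"])))
    return failed

def demo():
    msg = {"parts": {"body": {"order": 42, "amount": "100.00"},
                     "routing": "hop-0"}, "signatures": []}
    sign_parts(msg, "client", ["body"])        # client signs the body only
    msg["parts"]["routing"] = "hop-1"          # unsigned part may be rewritten
    add_audit_entry(msg, "gateway", "validated schema; forwarded to billing")
    before = verify(msg)
    msg["parts"]["body"]["amount"] = "999.00"  # change to a signed part
    return before, verify(msg)
```

Rewriting the unsigned routing part leaves every signature valid, while changing the signed body invalidates only the client's signature; the gateway's signed audit entry still verifies.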