Wednesday, December 6, 2017

WS-Security vs SSL/TLS Security with reference to WebServices

SSL/TLS encrypts at transport level; WS-Security encrypts at message level. SSL/TLS provides in-transit security only. This means that the request is only encrypted while it is travelling from client to server (or back). ... WS-Security maintains the encryption until the moment when the request is processed. SSL/TLS secure messages at HTTP level whereas WS-Security at XML level. In performance-wise SSL is very much faster than WS-Security.

Please note that REST-based WebServices inherits security measures from the underlying transport level security.

Limitation with SSL/TLS

1.      SSL/TLS is at point-to-point whereas WS-Security is at end-to-end, where multiple intermediary nodes (WebServers, Load balancer, proxy server etc) could exist between the two endpoints.
2.      SSL/TLS does not provide Know-Your-Customer (KYC) whereas WS-Security provides this feature.
3.      SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document, yet you want to only sign or encrypt a credit card element, signing or encrypting only that element with SSL proves rather difficult. Again, that is due to the fact that SSL is a transport-level security scheme as opposed to a message-level scheme.

We can configure transport level security and message level security without configuring SSL/TLS at server level  then you need to configure SSL/TLS WSM policy at WebService level for example oracle/wss_http_token_over_ssl_service_policy.

1 comment: