The OASIS Web Services Security: SOAP Message Security v1.0 specification (more commonly known as WS-Security) defines a standard for attaching security information to a SOAP message. It supports XML encryption, XML signatures and various security tokens (Username, X.509, SAML, REL, Kerberos and custom tokens).
Most Web services platforms now provide integrated support for WS-Security, although you will need to upgrade to the latest release of your favorite platform to get it. .NET supports WS-Security via the Web Services Enhancements (WSE) framework. Apache Axis supports WS-Security via WSS4J.
Typically, a security header block is created and processed by a handler. The specific means by which you configure the handler will be dependent on the product in question. In most circumstances, though, the handler and the settings are defined using configuration files rather than code.
WS-I is developing a Basic Security Profile, which provides interoperability guidance. The profile is still in draft stage, though, and is subject to change.