Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies

Legend Implemented Standard Implemented in additional product Security Layer Existing Standard

Security Standards for WS XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P

Popular Solutions Microsoft WCF Sun Metro (JAX-WS + JAXB + WSIT) Apache Axis2 (Rampart + Rahas + Sandesha2) Apache CXF (based on JAX-WS) More: IBM WebSphere WSO2 Web Service Framework BEA WebLogic

Microsoft WCF XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P

Sun Metro XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P

Apache Axis2 XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P

Apache CXF XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P

Common WS-* Stack WS-Addressing WS-Security: SAML, X.509 SAML includes XML Encryption and XML Signature WS-Trust (except Apache CXF) WS-Security Policy (except Apache) WS-Policy (except Apache Axis2) WS-Secure Conversation (except Apache CXF) WS-Reliable Messaging

GSI XML XML Signature (W3C) XML Encryption (W3C) SOAP WS-Addressing (W3C) WS-Security (OASIS) Resource Trust Secure Context Policy SAML Kerberos REL X.509 WS-SecureConversation (IBM) XACML (OASIS) RBAC (NIST) EPAL (IBM) WS-Policy (W3C) WS-Security Policy (OASIS) WS-Trust (OASIS) XKMS (W3C) WS-Federation (IBM) IDFF Shibboleth Reliability WS-Reliable Messaging (OASIS) WS-Reliability (OASIS) U/P