Integration Server 10.3 | Web Services Developer’s Guide | Securing Web Services (WS-Security) | Transport-Based vs. Message-Based Security
 
Transport-Based vs. Message-Based Security
WS-Security support in Integration Server is a message-based implementation that is designed to provide end-to-end network coverage.
In a transport-based implementation such as HTTPS, credentials and authentication information secure the endpoints of a connection. However, if the information transmitted between the endpoints is not contained within a closed network, or the message traffic is routed through intermediate public nodes, messages can be exposed to threats such as eavesdropping, unauthorized access, message replay, and parameter manipulation.
In a message-based implementation, such as one built according to the WS-Security standard, the security information required to pass information between web services is contained within each message header. This design caters to the securing of the message transmission environment between endpoints. You can use authentication safeguards such as signing and encryption at the individual message level to provide greater data protection than just using similar authorization features in a transport-based security architecture.
Note that the two security architectures are not mutually exclusive. You can design a solution for your web services that uses a transport-based security architecture such as SSL to secure the connection endpoints, along with a message-based, WS-Security implementation.
Note:Integration Server support of WS-Security when using the WS-Security facility does not enable or enforce any of the transport-level security measures provided by SSL and HTTP authentication.