Web Services Security (WSS) for WSDL Services
Web Services Security (WSS) encompasses a set of extensible standards to allow SOAP web services to define security constraints and requirements so that client applications can determine and understand them programmatically. It includes many of the WS-* standards, co-authored by several well known software vendors, plus standards from W3C and OASIS.
To define its WSS security requirements for MashZone NextGen, a web service must provide this information:
Policy assertions: that define a specific security constraint, such as authentication and identification requirements, message integrity or confidentiality requirements, wire protocols, message exchange patterns, digital signatures, cryptographic requirements and so on.
Policy attachments: that define which policies are used to secure specific components in the web service. Policies can be attached to the service as a whole, to endpoints, operations, messages or elements within a message.
Web service clients must include SOAP headers in requests to provide the required encryption, tokens, certificates, digests or other artifacts needed to comply with the policies for the web service. MashZone NextGen can automatically generate the WSS SOAP headers needed for WSDL web services that explicitly define security policies.
To support the very broad set of features and the extensible nature of WSS,
MashZone NextGen uses an extensible architecture with built-in support for some simple, common security policies. See
Built-in WSS Support for Policies and Policy Attachments,
Built-in WSS Support for Policy Assertions and Tokens and
Built-in WSS Support for Certificates and Encryption for specific information on the WSS features that
MashZone NextGen supports 'out of the box.'
MashZone NextGen can also be extended to support additional policy profiles or security standards. Please contact your Software AG representative for more information on WSS extensions.
MashZone NextGen also supports authentication for WSDL web services that do not use WSS policies using HTTP basic authentication, Windows NT Domains or SSL with digital certificates. See
WSDL Web Services for links to more information.