Tuomas Toivonen

Reputation: 23522

TLS vs HTTP Digest vs WS-Security

For implementing SOAP web services, what are the benefits and drawbacks of each of these security solutions?

Would TLS certificates alone provide enough security, making the latter more or less redundant, or should I also use HTTP Digest and/or WS-Security? In particular, what benefits does WS-Security give over TLS/HTTP-level authentication and security?

Upvotes: 1

Views: 1360

Answers (1)

Steffen Ullrich

Reputation: 123551

These are different technologies for different tasks:

  • TLS:
    Secures the transport of the messages between client and server. Provides no authentication of the client (unless client certificates are used).
  • HTTP Digest authentication:
    Provides client authentication for the transport. Does not provide transport security.
  • WS-Security (from my understanding of the Wikipedia article):
    Integrates protection against sniffing and modification into the message itself, independent of the transport. Also provides client authentication by making the client sign the message.

If you are familiar with mail transport, then WS-Security is similar to using PGP or S/MIME to encrypt the mails end-to-end and also sign the mails to prove who the sender is. TLS instead only secures the transport between the mail client and mail server or between mail servers, i.e. data in transit but not at rest. And authentication in mail transport only authenticates a specific hop and not end-to-end.

Upvotes: 3
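An added example (not part of the answer above) contrasting HTTP Digest with message-level signing: the RFC 2617 `qop=auth` response does not cover the request body, so a body altered in transit still authenticates, while a signature over the message does not verify. Assumptions: HMAC-SHA256 with a shared key stands in for the XML signature WS-Security would carry, and all request values are constructed.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 response for qop=auth. Inputs are credentials, nonces, method
    # and URI; the entity body is not hashed (only qop=auth-int adds it).
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def sign_body(key: bytes, body: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the XML signature that
    # WS-Security places in the SOAP header.
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_request(body: bytes, password: str, key: bytes) -> dict:
    # Constructed sample request; every value is made up for this example.
    req = {"user": "alice", "realm": "soap", "method": "POST", "uri": "/svc",
           "nonce": "n0nce", "nc": "00000001", "cnonce": "c0ffee", "body": body}
    req["response"] = digest_response(
        req["user"], req["realm"], password, req["method"], req["uri"],
        req["nonce"], req["nc"], req["cnonce"])
    req["sig"] = sign_body(key, body)
    return req

def digest_ok(req: dict, password: str) -> bool:
    expected = digest_response(
        req["user"], req["realm"], password, req["method"], req["uri"],
        req["nonce"], req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])

def signature_ok(req: dict, key: bytes) -> bool:
    return hmac.compare_digest(sign_body(key, req["body"]), req["sig"])

def compare(password="s3cret", key=b"constructed-shared-key"):
    original = make_request(b"<amount>10</amount>", password, key)
    # Same headers, body changed somewhere between sender and receiver.
    altered = dict(original, body=b"<amount>9999</amount>")
    return {name: (digest_ok(r, password), signature_ok(r, key))
            for name, r in (("original", original), ("altered", altered))}

if __name__ == "__main__":
    print(compare())  # (digest accepted, signature accepted) per request
```
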
