Web services represent a powerful model that allows for remote data exchange using Internet standard protocols in a platform- and language-neutral way. This message-based approach, transmitted via HTTP, enables complex interactions that can include the routing of messages through several nodes.

But this presents a security problem. Many traditional, connection-oriented, point-to-point security tools on which we've come to depend, aren't as useful as they once were. Web services need an end-to-end security solution that can be used regardless of the nodes a message crosses.

WS-Security is a proposed standard format for carrying security-related information in a Simple Object Access Protocol (SOAP) message - a joint effort of IBM, Microsoftand
Verisign. WS-Security builds on the World Wide Web Consortium (W3C) encryption and digital signature specifications by tailoring them to SOAP.

Before WS-Security, the W3C developed standards for XML Signature and XML Encryption. With digital signature and encryption, XML messages are kept confidential and protected against unauthorized modification. With digital signatures, the source of a message can be authenticated. These cryptographic capabilities provide many of the necessary security features. But, more is needed for Web services.

WS-Security defines XML structures for security tokens that clients can use to claim an identity or some privilege. WS-Security tokens include username, binary and security token reference.

A claim can be endorsed or unendorsed. An endorsed claim comes with evidence that a trusted third party vouches for the claim. An X.509 certificate is a token with an endorsed claim. In this case, a certificate authority vouches for the identity of the owner of the public/private key pair.

On the other hand, a username, with or without an accompanying password, is an unendorsed claim and requires that provisions be made to trust the username. One possible provision is to include a password so that the receiver can check the transmitted password against a local database. This is called a proof-of-possession claim, because the user shows that he has username's password.

An example of the use of WS-Security is a message that is an invoice for a book that Jane Doe is purchasing from BestSellers.com. BestSellers will send the invoice to Shipper.com, which is responsible for getting the book to Jane. A header targeted at Shipper instructs it to send the book via next-day shipping.