


Good stuff... let me know if you need any help. I have extensive experience in XML and application security.

Bob McCormick

If your WS-Security envelope is terminated on an XML appliance, and not in the application server, then doesn't this create a security perimeter much like the firewalls and SSL gateways that you've previously critiqued on this blog?


Bob - no, it does not require that, for a number of reasons:

1) WS-Security supports multiple token types and namespaces in one message, so your security model is not an all-or-nothing proposition. I can define one token for the postman and one for the recipient, for example.

2) An XSG need not be a standalone hardware device; it can be software-based, running on the same box as your app if you like. Obviously there are tradeoffs here.

3) Frequently XSGs proxy communications: read in the security header/token, perform security checks, apply new or additional security tokens/headers, and forward the request.

Firewalls and SSL do nothing to address the basic security needs a web service has: end-to-end authentication, authorization, auditing, input validation, and so on.
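Points 1 and 3 of the reply above, a single message carrying one token for the postman and another for the recipient, and a gateway that reads only the header addressed to it, checks it, replaces it with its own token and forwards the rest untouched, as an added Python example (not code from this blog or its author). It relies on the SOAP 1.1 `actor` attribute to target each `wsse:Security` header; the actor URIs, the credential store, the token values and the token ValueTypes are all constructed placeholders, and the password check stands in for whatever backend a real gateway would consult.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP, "wsse": WSSE}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

GATEWAY_ACTOR = "urn:example:xsg"         # assumed actor URI for the gateway ("postman")
APP_ACTOR = "urn:example:app-server"      # assumed actor URI for the next hop

# Constructed sample: two wsse:Security headers in one envelope. The header
# with soap:actor set is for the gateway; the one without an actor is for the
# ultimate recipient (the application) and must pass through untouched.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">
  <soap:Header>
    <wsse:Security soap:actor="{GATEWAY_ACTOR}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>partner-a</wsse:Username>
        <wsse:Password>constructed-secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="urn:example:app-token">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></soap:Body>
</soap:Envelope>"""

# Constructed credential store standing in for the gateway's real backend.
GATEWAY_CREDENTIALS = {"partner-a": "constructed-secret"}


def security_header_for(root, actor):
    """Return the wsse:Security header whose soap:actor equals `actor`
    (None selects the header for the ultimate recipient), or None."""
    header = root.find("soap:Header", NS)
    if header is None:
        return None
    for sec in header.findall("wsse:Security", NS):
        if sec.get(f"{{{SOAP}}}actor") == actor:
            return sec
    return None


def security_header_actors(envelope_xml):
    """List the soap:actor value of every wsse:Security header, in order."""
    header = ET.fromstring(envelope_xml).find("soap:Header", NS)
    if header is None:
        return []
    return [s.get(f"{{{SOAP}}}actor") for s in header.findall("wsse:Security", NS)]


def verify_gateway_token(sec):
    """Check the UsernameToken in the gateway's header against the store."""
    user = sec.findtext("wsse:UsernameToken/wsse:Username", namespaces=NS)
    pwd = sec.findtext("wsse:UsernameToken/wsse:Password", namespaces=NS)
    expected = GATEWAY_CREDENTIALS.get(user) if user is not None else None
    if expected is None or pwd is None:
        return False
    return hmac.compare_digest(pwd, expected)


def gateway_process(envelope_xml, actor=GATEWAY_ACTOR):
    """Point 3 of the reply: read the header addressed to the gateway, verify
    it, strip it, add a gateway-issued token for the next hop, and return the
    envelope to forward. Raises PermissionError on a missing or bad token."""
    root = ET.fromstring(envelope_xml)
    sec = security_header_for(root, actor)
    if sec is None:
        raise PermissionError("no wsse:Security header targeted at the gateway")
    if not verify_gateway_token(sec):
        raise PermissionError("gateway token rejected")
    header = root.find("soap:Header", NS)
    header.remove(sec)  # an actor does not forward a header addressed to it
    issued = ET.SubElement(header, f"{{{WSSE}}}Security")
    issued.set(f"{{{SOAP}}}actor", APP_ACTOR)
    tok = ET.SubElement(issued, f"{{{WSSE}}}BinarySecurityToken")
    tok.set("ValueType", "urn:example:gateway-assertion")  # placeholder type
    tok.text = "GATEWAY-ISSUED-PLACEHOLDER"                # placeholder value
    return ET.tostring(root, encoding="unicode")


def recipient_token_value(envelope_xml):
    """What the application server sees in the header addressed to it."""
    sec = security_header_for(ET.fromstring(envelope_xml), None)
    if sec is None:
        return None
    return sec.findtext("wsse:BinarySecurityToken", namespaces=NS)


if __name__ == "__main__":
    print(gateway_process(SAMPLE_ENVELOPE))
```

The gateway only ever touches the header carrying its own actor, so the recipient's token reaches the application server exactly as the client sent it, which is what makes the gateway an intermediary rather than a perimeter that terminates the security context.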
