MessageLevelSecurity

Last edit October 19, 2005

MessageLevelSecurity (MLS) is now included in WebServicesSecurity specs for SoapProtocol.

See WebServicesInteroperabilityOrganization document at http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf to see various options for SimpleObjectAccessProtocol messages.

Significance of MessageLevelSecurity for SOAP WebServices

MS Rebecca Dias blog in Mar05 and said MLS is one of two most important new developments in WebServices architecture (the other being WS-Policy). Key benefits include flexibility in choosing types of security tokens and which part of the message to apply them. And that (transport) intermediaries can insert signed audit trail information.

a reference in the blog linked to an Oct04 article on MS WebServicesSpecifications V2 which DonBox coauthored. It had this to say about messages:
- ...realizing that messages often have a life beyond a given transmission event. What does that mean? Does it mean messages often get responded to, and that there is a "return trip" for the message that the sender would want to do further processing, or that messages are often part of a larger SecureConversation? See article at http://msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnwebsrv/html/introwsa.asp

Is it true that with MessageLevelSecurity, than TransportLevelSecurity is no longer required? GridComputing people have dropped HTTPG in their implementations once MLS is available. And MS Feb05 "Why WSE" article at http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwse/html/whywse.asp seem to support TransportLevelSecurity no longer required when there is MessageLevelSecurity.

How does RestArchitecturalStyle WebServices handle security for messages? Do developers have to code a customized version of MessageLevelSecurity embedded in the WebApplication?

CategorySecurity