Turnkey Security Assertions

Given that most applications are secured based on the network topology in which the Web service resides, WSE 3.0 introduces a scenario-based methodology to secure communication to and from a Web service. That is, instead of piecing security together for an application using multiple low-level security operations, WSE allows you to apply security at a higher level using a prepackaged set of security operations, which are known as security assertions. For common scenarios, WSE provides a set of these security assertions that are called turnkey security assertions.

Turnkey security assertions allow a developer to express one or more of the following:

  • Message-level security or transport-level security
  • The security credentials that are used to authenticate the client, the Web service, or both
  • The security credentials that are used to protect SOAP messages

The following table describes the turnkey security assertions that are shipped with WSE and the application scenarios where you would typically use them.

Turnkey Security Assertion: <anonymousForCertificateSecurity> Element
Description: The client is not authenticated. The server is authenticated using its X.509 certificate (X509SecurityToken). Message-level security is implemented using the server's X.509 certificate.
Applicable Scenario(s): Client and Web Service Application That Communicates over the Internet

Turnkey Security Assertion: <kerberosSecurity> Element
Description: The client and server are authenticated using Kerberos tickets (KerberosToken). Message-level security is implemented using KerberosToken security tokens.
Applicable Scenario(s): Client and Web Service Application That Communicates over the Intranet

Turnkey Security Assertion: <mutualCertificate10Security> Element
Description: The client and server are authenticated using X.509 certificates (X509SecurityToken). Message-level security is implemented using X509SecurityToken security tokens. This turnkey security assertion requires WS-Security 1.0.
Applicable Scenario(s): Gateway Application That Communicates over the Internet

Turnkey Security Assertion: <mutualCertificate11Security> Element
Description: The client and server are authenticated using X.509 certificates (X509SecurityToken). Message-level security is implemented using X509SecurityToken security tokens. This turnkey security assertion requires WS-Security 1.1.
Applicable Scenario(s): Gateway Application That Communicates over the Internet

Turnkey Security Assertion: <usernameOverTransportSecurity> Element
Description: The client is authenticated using a username and password (UsernameToken). This assertion is intended to be used where the transport provides message protection (integrity and confidentiality), such as SSL. WSE does not verify that the transport is providing this protection.
Applicable Scenario(s): Client and Web Service Application That Communicates over the Internet; Gateway Application That Communicates over the Internet

Turnkey Security Assertion: <usernameForCertificateSecurity> Element
Description: The client is authenticated using a username and password (UsernameToken). The server is authenticated using an X.509 certificate (X509SecurityToken). Message-level security is implemented using X509SecurityToken security tokens.
Applicable Scenario(s): Client and Web Service Application That Communicates over the Internet; Gateway Application That Communicates over the Internet
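As an added example that is not part of this page, the following WSE 3.0 client policy file places the two username-based assertions side by side: <usernameOverTransportSecurity>, which protects nothing itself and therefore only makes sense when the endpoint URL is https://, and <usernameForCertificateSecurity>, which signs and encrypts at the message level under the service's X.509 certificate. The policy names and the certificate subject are assumed values; the extension type names are given as the author of this example recalls WSE 3.0 registering them and should be checked against the installed assemblies.

```xml
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <!-- Assumed: the assertion classes WSE 3.0 registers for these two element names -->
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="usernameForCertificateSecurity"
               type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>

  <!-- Weak on its own: only a UsernameToken is added. WSE does not check the transport,
       so the password and the SOAP body travel in the clear unless the proxy URL is https://. -->
  <policy name="UsernameOverTlsClient">
    <usernameOverTransportSecurity />
  </policy>

  <!-- Message-level alternative: the client still sends a UsernameToken, but the request is
       signed and its body encrypted to the service certificate, so it is protected on any transport. -->
  <policy name="UsernameForCertificateClient">
    <usernameForCertificateSecurity>
      <serviceToken>
        <!-- Assumed certificate: subject name of the Web service's certificate in the machine store -->
        <x509 storeLocation="LocalMachine" storeName="My"
              findValue="CN=example-service" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request  signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
  </policy>
</policies>
```

A client applies one of these with SetPolicy("UsernameOverTlsClient") or SetPolicy("UsernameForCertificateClient") on its WSE proxy; for the first, the check that the proxy's Url begins with https:// has to be the caller's, since the assertion does not make it.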

See Also

Tasks

How to: Secure a Web Service Using a Policy File

Reference

<anonymousForCertificateSecurity> Element
<kerberosSecurity> Element
<mutualCertificate10Security> Element
<mutualCertificate11Security> Element
<usernameOverTransportSecurity> Element
<usernameForCertificateSecurity> Element

Other Resources

Securing a Web Service