WS-SECURITY
Web Services Security. The OASIS standard that secures the SOAP message — signature, encryption, token — at the application layer, independent of TLS.
Definition
WS-Security (officially Web Services Security: SOAP
Message Security) is an OASIS Standard. Version 1.1 (2006) is the
deployed version today, after 1.0 (2004). Its function: introduce in the
SOAP header a <wsse:Security> sub-element that carries:
- One or more SecurityTokenReference, pointing to or embedding an X.509 certificate, a Username Token, a SAML Assertion, a Kerberos Token.
- One or more XML Signature signatures (XML-DSig, W3C) covering specific elements of the SOAP (Body, ebMS headers, timestamp).
- One or more XML Encryption blocks (XML-Enc, W3C) on specific elements.
- A Timestamp that bounds the message's temporal validity (Created / Expires).
WS-Security belongs to the broader WS-* family (WS-Trust for token issuance, WS-SecureConversation for encrypted sessions, WS-Policy for expressing security requirements, WS-PolicyAttachment for attaching them to a WSDL).
Origin
WS-Security was initially published by IBM, Microsoft and VeriSign in April 2002. The spec was transferred to OASIS, which formed the WSS Technical Committee. Version 1.0 published in 2004, version 1.1 in 2006. Massive adoption in the SOA of the 2000-2010s, then in B2B EDI via ebMS3 (2007) and AS4 (2013). In 2026, WS-Security is still used primarily by AS4 / PEPPOL and by some banking and e-government web services.
Example in context
Simplified AS4 SOAP header: