I want to share with you an article on web services security by David Chappell, from the October issue of Application Development Trends magazine. It may not be the best article introducing the WS security subject, but for me it certainly did a good job of explaining the nature of the problems people are trying to solve today.
It starts with “I can't help admiring the ambition of people working on Web services security. The problem they face — creating multivendor agreements on authentication, authorization and more for SOAP — is tremendously difficult. Not only that, but in a very real sense, no one has ever solved this problem before. Complete multi-vendor security for distributed applications? Please — it's been a pipe dream.” (BTW, as one of the “standards” guys, I certainly appreciate the author’s appreciation for the work my colleagues are diligently tackling.) It then goes on to bring related specifications into the picture, including WS-Security, XML Signature, XML Encryption, and so on.
One caveat I would like to put here: I am not sure if David is correct in indicating a “WS-SecurityPolicy” spec and a “soon-to-be-published protocol”. It might just be my ignorance, but I am not aware of such specs on the standards horizon I monitor. The feature covered by the “soon-to-be-published protocol” is being covered by WSDL 2.0 and WS-Policy. It also might be that when the article was written (it usually takes a few months to publish an article) things were not as clear as they are today, and David was using his best knowledge at that time.