I am going to start a new project where I will expose a SOAP Web Service to our external partners. The main objective is to ensure the security of exchanged messages end to end. Our main security requirements:
I have heard about a new protocol, WS-Security, that can be used to address these issues. My alternative solution is to incorporate some security elements into my SOAP Body like this:
<soapenv:Body>
    <nms:Request>
        <nms:requestor>bankX</nms:requestor>
        <nms:nonce>45465464</nms:nonce>
        <nms:created>12/12/2017</nms:created>
        <nms:hmac256>hmacvalue</nms:hmac256>
        <nms:id>someID</nms:id>
        <nms:amount>5000</nms:amount>
        <nms:currency>EUR</nms:currency>
    </nms:Request>
</soapenv:Body>
What are the advantages of using WS-Security? What are the disadvantages of using my own solution rather than WS-Security?
I am using Java 8 with the full Spring stack.
Thank you for helping.
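As an added example, not code from the question or the answer: a minimal client and server for the ad-hoc scheme sketched in the SOAP body above, written in Python rather than the asker's Java/Spring stack. It assumes a namespace for the nms: prefix, one shared secret per partner, a Unix-seconds created value instead of the question's date string, and a 300-second freshness window; the key, nonce and amounts are constructed sample data. It shows the details such a scheme has to get right on its own: a canonical string that covers every field, a constant-time MAC comparison, a timestamp window plus a nonce cache against replay, and the order in which those checks run.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed values (not from the question): a namespace for the nms: prefix,
# one shared secret per partner, and a freshness window in seconds.
NMS = "urn:example:nms"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_KEYS = {"bankX": b"constructed-shared-secret-for-bankX"}
MAX_SKEW_SECONDS = 300

# Every element the MAC covers, in a fixed order. Leaving one out (say,
# currency) would let a party on the path change it without breaking the MAC.
SIGNED_FIELDS = ("requestor", "nonce", "created", "id", "amount", "currency")


def canonical_string(fields):
    """Length-prefixed name=value lines, so no two field sets serialize alike."""
    lines = [f"{name}={len(fields[name])}:{fields[name]}" for name in SIGNED_FIELDS]
    return "\n".join(lines).encode("utf-8")


def compute_hmac(fields, key):
    return hmac.new(key, canonical_string(fields), hashlib.sha256).hexdigest()


def sample_fields(now):
    """Constructed request from partner bankX. The nonce is fixed so the demo is
    reproducible; a real client would draw it from secrets.token_hex(16)."""
    return {"requestor": "bankX", "nonce": "c0ffee1234567890abcdef0011223344",
            "created": str(now), "id": "someID", "amount": "5000", "currency": "EUR"}


def build_request(fields, key):
    """Client side: emit the SOAP body in the question's layout, MAC filled in."""
    ET.register_namespace("soapenv", SOAPENV)
    ET.register_namespace("nms", NMS)
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    req = ET.SubElement(ET.SubElement(env, f"{{{SOAPENV}}}Body"), f"{{{NMS}}}Request")
    values = dict(fields, hmac256=compute_hmac(fields, key))
    for name in ("requestor", "nonce", "created", "hmac256", "id", "amount", "currency"):
        ET.SubElement(req, f"{{{NMS}}}{name}").text = values[name]
    return ET.tostring(env, encoding="unicode")


class ReplayCache:
    """Server side: remembers (requestor, nonce) pairs for the freshness window."""
    def __init__(self, ttl):
        self.ttl, self.seen = ttl, {}

    def first_use(self, requestor, nonce, now):
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.ttl}
        if (requestor, nonce) in self.seen:
            return False
        self.seen[(requestor, nonce)] = now
        return True


def verify_request(xml_text, now, cache):
    """Server side. Returns (accepted, reason). The MAC is checked before the
    nonce is recorded, so unauthenticated junk cannot fill the replay cache."""
    try:
        req = ET.fromstring(xml_text).find(f".//{{{NMS}}}Request")
    except ET.ParseError:
        return False, "malformed"
    if req is None:
        return False, "no request"
    fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in req}
    if any(name not in fields for name in SIGNED_FIELDS + ("hmac256",)):
        return False, "missing field"
    key = PARTNER_KEYS.get(fields["requestor"])
    if key is None:
        return False, "unknown requestor"
    try:
        created = int(fields["created"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - created) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = compute_hmac(fields, key).encode("ascii")
    if not hmac.compare_digest(expected, fields["hmac256"].encode("utf-8")):
        return False, "bad mac"
    if not cache.first_use(fields["requestor"], fields["nonce"], now):
        return False, "replay"
    return True, "ok"


def tamper_amount(xml_text, new_amount):
    """Attacker model for the demo: someone on the path edits the amount."""
    env = ET.fromstring(xml_text)
    env.find(f".//{{{NMS}}}amount").text = new_amount
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    now = 1_700_000_000
    msg = build_request(sample_fields(now), PARTNER_KEYS["bankX"])
    cache = ReplayCache(MAX_SKEW_SECONDS)
    print(verify_request(msg, now + 5, cache))
    print(verify_request(msg, now + 6, cache))
    print(verify_request(tamper_amount(msg, "9000"), now + 5, ReplayCache(MAX_SKEW_SECONDS)))
```

Each of these decisions (what is covered by the signature and how it is canonicalized, the timestamp window, the nonce) is one that WS-Security already specifies through XML Signature with canonicalization, wsu:Timestamp and the UsernameToken nonce; with a private format every partner has to reimplement them identically, and any partner that skips one weakens the scheme for the messages it sends.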
WS-Security is an international standard, so it gives you interoperability between all web service clients/servers using WS-Security-compliant software stacks, which you can find in most major programming languages, e.g. Apache CXF or GlassFish Metro for Java, WCF for .NET. So, for instance, a WCF-powered .NET client can communicate using SOAP+WS-Security with its Java counterparts. These stacks have had interop testing as part of the OASIS standardization process.
You can also express your security requirements directly in your service's WSDL using WS-SecurityPolicy, so that your consumers can discover them automatically (to some extent) in order to communicate with your service securely.
Besides interoperability, getting a security standard right takes time, to allow the international community of security experts to review it, challenge it, improve it, etc. Therefore, it is safer to use the existing mature standard if you want the same level of features and robustness.