If I define a web service interface that uses WS-Security, and many people using many different platforms implement that interface, can I expect seamless interoperability? Is WS-Security mature enough for that to happen? Is it widely and robustly implemented in modern programming languages? Specifically, I am considering using the user name and digest password authentication. Are there any particular pitfalls to avoid that cause known compatibility issues?

Thanks,

Mike

+1  A: 

Based on my research here and elsewhere, there is reasonably good support among Java, .NET (excluding Mono), and C/C++ via Apache Axis. The waters seem to grow murkier when you look at some of the "P" languages (Perl, Python, PHP) and Ruby, though. I found some libraries in various stages of maturity and some articles that explain how to rig something up using a few different tools, but nothing that gives me great confidence.

Several articles--rightly, I think--question the usefulness of WS-Security if you're simply trying to secure a point-to-point communication, particularly since SSL/TLS already gives you encryption, end-point authentication, and message integrity guarantees, and support for it is near-ubiquitous across languages.

Rob H
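
For the user name and digest password case the question asks about, here is an added example (not part of the original post, and not code from any library mentioned above). The OASIS UsernameToken Profile defines the digest as Base64(SHA-1(nonce + created + password)); the comments mark the byte-level details on which independent implementations have to agree. The function names, the dict layout, the five-minute freshness window and the replay set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

def password_digest(nonce_b64, created, password):
    # Hash the *decoded* nonce bytes, then the Created string exactly as it
    # appears on the wire (never re-serialized), then the UTF-8 password.
    nonce = base64.b64decode(nonce_b64, validate=True)
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")  # Base64 of raw bytes, not hex

def make_token(username, password, now=None):
    # Client side: fresh random nonce and a UTC timestamp per message.
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": password_digest(nonce_b64, created, password)}

def verify_token(token, password, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    # Server side: the verifier needs the clear-text password (or an agreed
    # password equivalent) to recompute the digest.
    now = now or datetime.now(timezone.utc)
    try:
        created_dt = datetime.fromisoformat(token["created"].replace("Z", "+00:00"))
        expected = password_digest(token["nonce"], token["created"], password)
    except ValueError:  # malformed timestamp or nonce
        return False
    if created_dt.tzinfo is None or abs(now - created_dt) > max_age:
        return False  # stale or ambiguous timestamp
    if not hmac.compare_digest(expected.encode(), token["digest"].encode()):
        return False  # wrong password or tampered fields
    if token["nonce"] in seen_nonces:
        return False  # replay of a previously accepted token
    seen_nonces.add(token["nonce"])
    return True
```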