If I define a web service interface that uses WS Security, and many people using many different platforms implement that interface, can I expect seamless interoperability? Is WS-Security mature enough for that to happen? Is it widely and robustly implemented in modern programming languages? Specifically I am considering using the user name and digest password authentication. Are there any particular pitfalls to avoid that cause known compatibility issues?
Thanks,
Mike
Based on my research here and elsewhere, there is reasonably good support among Java, .NET (excluding Mono), and C/C++ via Apache Axis. The waters seem to grow murkier when you look at some of the "P" languages (Perl, Python, PHP) and Ruby, though. I found some libraries in various stages of maturity and some articles that explain how to rig something up using a few different tools, but nothing that gives me great confidence.
Several articles--rightly, I think--question the usefulness of WS-Security if you're simply trying to secure a point-to-point communication, particularly since SSL/TLS already gives you encryption, end-point authentication, and message integrity guarantees, and support for it is near-ubiquitous across languages.