WS-Security support is certainly a big milestone in Web services. We no longer need to rely on security of the underlying transport (e.g. HTTP with basic authentication).
However, just supporting encryption and signature of the whole XML documents is not enough: It will be important for vendors to allow you to sign and encrypt just portions of overall documents. We also need to have interoperability of authentication and authorization information. Although WS-Security does provide a standard location to place such authentication tokens and associated authorizations, it does not standardize the format of them. SAML is one possibility for this that is seeing some adoption. Other formats may also appear. Having some mechanism to convey identity and rights would be very useful, allowing Web services to efficiently integrate many different applications.
Another important security issue, especially relevant to enterprise scenarios, is a way to represent Access Control Lists (ACLs) on Web services when they are published in an enterprise-focused Web services registry. A registry of all of your information on Web services should be able to reflect which users can query or access different services.
Dig Deeper on Securing services
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.