Hello guys!

My first post here! I wanted to get some community help on security of web services.

I'm doing a state of the art on web services security. I need every bit of a solution out there that solves concerns about identification, access control, and transmission-related ones like data integrity, protection, non-repudiation...

So I fetched some real-world solutions to fill those needs. I found these for SOAP-based web services:

  • Identification: WS-Security Framework
  • Authentication: Extensible Access Control Markup Language (XACML)
  • Authorization
    • Extensible Rights Markup Language (XrML)
    • XML Key Management (XKMS)
    • Security Assertion Markup Language (SAML)
    • .NET Passport
  • Confidentiality
    • WS-Security Framework
    • XML-Encryption
    • Secure Sockets Layer (SSL)
    • WSS


And almost all of them are implementable using spring-security.

On the other hand, RESTful web services have the reputation of being less secure. Being based on the web, SSL/TLS is a great solution for encryption, but other security protocols do exist, like:
  • OAuth: used by Facebook, Twitter, without token exchange
  • OpenID: used by Google
  • CAS
  • LDAP, Kerberos
  • Persona, BrowserID



Another solution may be to integrate the security in the enterprise bus as a service (Security as a Service).

So my question is: Are there any other solutions I should know about? Are there any other frameworks?

Thanks a lot