Securing Web Services (REST & SOAP)

Hello guys!

My first post here! I wanted to get some community help on security of web services.

I’m doing a state of the art on web services security. I need every bit of a solution out there that solves concerns about identification, access control, transmission related ones like data integrity, protection, non repudiation…

So I fetched some real world solution to fill those needs, I found those for SOAP based web services:

  • Identification: WS-Security Framework
  • Authentication: Extensible Access Control Markup Language (XACML)
  • Authorization

  • Extensible Rights Markup Language (XrML)
  • XML Key Management (XKMS)
  • Security Assertion Markup Language (SAML)
  • .NET Passport
  • Confidentialité
  • WS-Security Framework
  • XML-Encryption
  • Secure Sockets Layer (SSL)
  • WSS


And almost all of them are implementable using spring-security

On the other hand RESTful web services having the reputation to be less secure. Being based on the web SSL/TLS is a great solution for encryption, but other security protocols do exist like:

  • OAuth: used by facebook, twitter, without tokens exchange
  • OpenID: used by google
  • CAS
  • LDAP, Kerberos
  • Persona, BrowerID

Another solution may be to integrate the security in the enterprise bus as a service (Security as a Service)…

So my question is : Are there any other solutions i should know about? is there any other frameworks?

Thanks a lot