WS-SX Ratification Shows Web Services Security is Growing Up


Analyst(s): |

  Free preview of Gartner research


OASIS's ratification of two key standards means that Web services security has finally reached a level of maturity acceptable to many enterprises. This is a positive development for vendors and customers alike.

News Analysis


On 27 March 2007, the Organization for the Advancement of Structured Information Standards (OASIS) approved two key Web services security components as OASIS standards. The OASIS Web Services Secure Exchange (WS-SX) Technical Committee formally ratified:

  • WS-SecureConversation version 1.3, for establishing and maintaining extended secure sessions

  • WS-Trust version 1.3, for obtaining and exchanging security credentials


OASIS's ratification of these security standards — following extensive participation by major players in the Web services and service-oriented architecture (SOA) communities, including verified implementations by IBM, Microsoft and Sun Microsystems — moves Web services secure messaging from basic and limited implementation to a more extended and contextual model. However, the real value of these standards lies in the benefits they can provide for implementations of brokered authentication or security token services (STSs). Web services typically authenticate clients across heterogeneous environments — and removing the need for a direct relationship with the client application and Web service through a “trust negotiator” requires robust security. Enterprises interested in using brokered authentication simply did without Web services authentication or implemented it on various platforms as needed. Indeed, the bulk of Web services use today continues to be middleware within enterprises, in part due to these security limitations.

The availability of these new standards means that Web services security has finally reached an acceptable maturity level. The issuance and dissemination of credentials between different trust domains via an STS can now be achieved using a syntax that is familiar to most developers. The OASIS standards also provide for a scalability that had not been available before in transactional Web services that required an STS — at least not in a standardized form with which most vendors involved in SOA applications and infrastructure comply. This adds tools to a credible toolset for credible federation efforts, which has proved elusive to many enterprises, due to the issues of brokered authentication availability and scalability the standards address. WS-Trust alone is vital to enabling the credential use necessary for networked, consumable Web services.

Some early adopters of Web services continue to believe that existing security standards are bloated and overly complex, and have implemented leaner, proprietary approaches. For simple requirements, mixed Web security and "classic" authentication coupled with services will still have a place. Other early adopters believe that IBM's and Microsoft’s view of Web services and SOA security — and particularly their roles in the development of WS-SecureConversation and WS-Trust and the standards' place in their architectures — gives them an advantage in this area. However, the standards have enough diversity of support within the developer and infrastructure community that their ratification must be viewed as a positive development for vendor and enterprise customer alike.


Enterprises designing or developing SOA, software as a service (SAS) or Web services projects involving authentication that could use STSs:

  • Evaluate your development framework’s implementation of WS-SecureConversation and WS-Trust to determine their applicability.

Enterprises using third-party Web services:

  • Consult with your service providers to determine their plans regarding these standards and their use in their service offerings for STSs.

  • Take a leadership role within your Web services partnership network (consistent with your established security policy) to guide partners in reviewing and evaluating the applicability of WS-SecureConversation and WS-Trust standards adoption.

Recommended Reading

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)

© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartners research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

Not a Gartner Client?

Want more research like this?
Learn the benefits of becoming a Gartner client.

Contact us online



Why Gartner

Gartner delivers the technology-related insight you need to make the right decisions, every day.

Find out more