WSO2 SOA Enablement Server currently supports SSL, HttpBasic, HttpDigest, WS-Security and Kerberos authentication mechanisms. Any of them may be used on its own to provide a certain security level. The SSL protocol may be combined with the WS-Security, HTTP Basic, or HTTP Digest authentication mechanisms:
WS-Security may be used as a standalone authentication mechanism. With its configuration options, it may be configured to add any level of SOAP message security.
WS-Security may be combined with the SSL protocol. While SSL provides data privacy, the default configuration of WS-Security provides mutual authentication. The security level is the same as for HttpBasic with SSL. However, WS-Security can be configured to provide much more than just authentication.
HTTP Basic Authentication is the least secure of all. It sends the password in readable form over the network. This method is not recommended as a standalone authentication mechanism and must be combined with some transport layer security.
HTTP Basic Authentication combined with the SSL protocol provides authentication, data privacy and data integrity. A combination of HTTP Basic Authentication with server-side authentication and transport security (both provided by SSL) is recommended.
HTTP Digest Authentication is more secure than HTTP Basic, because it does not send the user password over the network. This method may be used in standalone mode for SOAP messaging that does not contain sensitive information. Note that data is not encrypted.
HTTP Digest Authentication in combination with the SSL protocol provides both authentication and data privacy. The method should be compatible with other Web Application Servers, as long as it is implemented according to IETF RFC 2617. See the Interoperability chapter for more details about compatibility.
SSL with client authentication is very similar to SSL with HttpBasic or HttpDigest in its security goals. Unlike HttpBasic or HttpDigest over SSL, however, SSL alone cannot distinguish between services running on the same machine: it verifies the server's identity, not the identity of the individual service as HTTP authentication does. This mechanism is recommended for interoperable Web services. SSL without client authentication is the most recommended secure transport.
The Kerberos authentication mechanism is as secure as SSL. It is also very flexible. A programmer may enable properties such as confidentiality, message integrity and mutual authentication. Management of trusted certificates, secret keys and so on is widely supported (MS Windows, UNIX platforms). This mechanism is recommended.
The WS-Security mechanism provides both authentication and data privacy at the message level. It is recommended to combine WS-Security with a transport level security mechanism to increase the security level. This mechanism is recommended.