Overview of Web Service Security

PPM Web service security includes support for standards for authentication as well as the flexibility to implement HTTP basic authentication and HTTPS. Details for enabling message- and transport-level security, as well as details for integrating with single sign-on software, are discussed in the following sections.

Authentication

PPM Web services use the Web Services Security specification (WS-Security) to secure SOAP message exchanges. PPM Web services rely on a Rampart module integrated with Axis2 Web service engine to provide WS-Security support.

Note: More information about the WS-Security specification can be found at: www.oasis-open.org/specs/index.php#wssv1.1.

The WS-Security specification defines a set of standard SOAP headers to provide quality of protection through message integrity (XML signature), message confidentiality (XML encryption), and single message authentication (UsernameToken authentication, Kerberos authentication, X509 certificate authentication, and so forth). These mechanisms can be used to accommodate a wide variety of security models. The WS-Security specification is considered a message level authentication protocol because all the security information is carried within the SOAP message.

By default, PPM supports WS-Security username token authentication, timestamp validation, and encryption of WS-Security headers.

In addition to WS-Security, PPM also supports HTTP basic authentication (HTTP transport level authentication protocol), as well as HTTPS (secure) authentication.

PPM Web services can also be integrated with third-party single sign-on software such as SiteMinder.

Authorization

PPM Web services follow the same authorization model as Web applications. Refer to the Security Model Guide and Reference for details on specific functional areas. This document focuses only on authentication.