ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

WS-SECURITY

Web Services Security. The OASIS standard that secures the SOAP message — signature, encryption, token — at the application layer, independent of TLS.

Definition

WS-Security (officially Web Services Security: SOAP Message Security) is an OASIS Standard. Version 1.1 (2006) is the deployed version today, after 1.0 (2004). Its function: introduce in the SOAP header a <wsse:Security> sub-element that carries:

  • One or more SecurityTokenReference, pointing to or embedding an X.509 certificate, a Username Token, a SAML Assertion, a Kerberos Token.
  • One or more XML Signature signatures (XML-DSig, W3C) covering specific elements of the SOAP (Body, ebMS headers, timestamp).
  • One or more XML Encryption blocks (XML-Enc, W3C) on specific elements.
  • A Timestamp that bounds the message's temporal validity (Created / Expires).

WS-Security belongs to the broader WS-* family (WS-Trust for token issuance, WS-SecureConversation for encrypted sessions, WS-Policy for expressing security requirements, WS-PolicyAttachment for attaching them to a WSDL).

Origin

WS-Security was initially published by IBM, Microsoft and VeriSign in April 2002. The spec was transferred to OASIS, which formed the WSS Technical Committee. Version 1.0 published in 2004, version 1.1 in 2006. Massive adoption in the SOA of the 2000-2010s, then in B2B EDI via ebMS3 (2007) and AS4 (2013). In 2026, WS-Security is still used primarily by AS4 / PEPPOL and by some banking and e-government web services.

Example in context

Simplified AS4 SOAP header:

  • AS4 — the primary consumer in 2026.
  • ebMS3 — the standard parent of AS4.
  • OASIS — the editor.
  • XAdES — advanced signature extension.

Last updated: May 14, 2026