You are correct that in many cases WS-Security has no advantage over simple SSL. Your case may be one of them. Note that WS-Security can still be helpfull in your situation from the following reasons:
- Flexibily for future changes. For example you might decide to use a non-HTTP transport in the future from performance reasons. WS-Security will still be valid - SSL not.
- Better tooling for authentication. I find it harder in some cases to use HTTP Basic authentication over WS-Security username profile.
<URL SNIPPED>
Web Services Security, Performance And Testing Blog
Hello,
I would like to clarify one thing about SOAP security. My situation is like this:
there is a web service server and some web service clients that I need to bring up using SOAP. This web service will only be used with my own clients and, perhaps some other clients written by third parties. Howver, all clients will connect directly to the web service. And I need this system secured. There will be no intermediary (no other third party) web services between clients and my own web service. I believe that in this scenario, there is no need for WS-Security features. To my mind, all it takes is https and some method for authentication and authoriazation. Please explain to me why this is not right (if it is not right, of course).
Thank you,
kellogs
Marked Solved 
