CISSP · Question #1536
Hotspot Question Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification i
The correct answer is Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access?: WS-Trust. The correct answer is WS-Authorization, as it defines how authorization policies are expressed and enforced, using security tokens to grant or deny access.
Question
Exhibit
Answer Area
- Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access?WS-TrustWS-Secure ConversationWS-FederationWS- AuthorizationWS-PolicyWS-TrustWS-Privacy
Explanation
The correct answer is WS-Authorization, as it defines how authorization policies are expressed and enforced, using security tokens to grant or deny access.
Approach. The question asks for the WS-Security specification that handles 'the management of security tokens AND the underlying policies for granting access.'
- WS-Authorization's primary role: This specification defines how to express and enforce authorization policies for Web services. It specifies how access decisions are made based on the identity and claims presented, often within a security token. This directly aligns with 'the underlying policies for granting access.'
- Addressing 'management of security tokens': While WS-Trust is explicitly responsible for the issuance, renewal, and validation lifecycle of security tokens, WS-Authorization is critically involved in consuming and interpreting the information (claims) within these security tokens to make authorization decisions. In this context, it 'manages' how the token's assertions are applied against access policies to control resource access. Therefore, it manages the application of security tokens for granting access.
Considering both parts of the question, WS-Authorization is the most comprehensive fit because its core function revolves around establishing and evaluating policies for access, leveraging information provided by security tokens to do so.
Common mistakes.
- common_mistake. Common mistakes include selecting:
- WS-Trust: While WS-Trust is indeed responsible for the 'management of security tokens' in terms of their issuance, renewal, and validation (often via a Security Token Service), its primary focus is not on the 'underlying policies for granting access.' It provides the tokens, but WS-Authorization defines how those tokens are then used to grant or deny access based on policy.
- WS-Policy: WS-Policy provides a general framework for expressing the capabilities and requirements of a Web service, including security policies. However, it is a generic policy framework and not the specific standard dedicated to defining authorization rules or the application of security tokens for access decisions, which is WS-Authorization's domain.
- WS-Federation: This specification deals with brokering trust between different security realms and federated identity, rather than the specific management of security tokens or authorization policies within a single service's access control layer.
- WS-Secure Conversation: Focuses on establishing secure communication sessions, not directly on token management or authorization policies.
- WS-Privacy: Deals with privacy policies and preferences, unrelated to security token management or access authorization.
Concept tested. Understanding the distinct roles and interdependencies of various Web Services Security (WS-Security) specifications, particularly those related to identity, trust, and authorization in service-oriented architectures.
Topics
Community Discussion
No community discussion yet for this question.
