nerdexam
(ISC)2

CISSP · Question #1536

Hotspot Question Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification i

The correct answer is Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access?: WS-Trust. The correct answer is WS-Authorization, as it defines how authorization policies are expressed and enforced, using security tokens to grant or deny access.

Submitted by mateo_ar· Mar 5, 2026Identity and Access Management (IAM)

Question

Hotspot Question Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification in the image below. Answer: Exam Questions, Study Guides, Practice Tests. Lead the way to help you pass any IT Certification exams, 100% Pass Guaranteed or Full Refund. Especially Cisco, Microsoft, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on. Our Slogan: First Test, First Pass. Help you to pass any IT Certification exams at the first try. You can reach us at any of the email addresses listed below. Any problems about IT certification or our products, you could rely upon us, we will give you satisfactory answers in 24 hours.

Exhibit

CISSP question #1536 exhibit

Answer Area

  • Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access?WS-Trust
    WS-Secure ConversationWS-FederationWS- AuthorizationWS-PolicyWS-TrustWS-Privacy

Explanation

The correct answer is WS-Authorization, as it defines how authorization policies are expressed and enforced, using security tokens to grant or deny access.

Approach. The question asks for the WS-Security specification that handles 'the management of security tokens AND the underlying policies for granting access.'

  1. WS-Authorization's primary role: This specification defines how to express and enforce authorization policies for Web services. It specifies how access decisions are made based on the identity and claims presented, often within a security token. This directly aligns with 'the underlying policies for granting access.'
  2. Addressing 'management of security tokens': While WS-Trust is explicitly responsible for the issuance, renewal, and validation lifecycle of security tokens, WS-Authorization is critically involved in consuming and interpreting the information (claims) within these security tokens to make authorization decisions. In this context, it 'manages' how the token's assertions are applied against access policies to control resource access. Therefore, it manages the application of security tokens for granting access.

Considering both parts of the question, WS-Authorization is the most comprehensive fit because its core function revolves around establishing and evaluating policies for access, leveraging information provided by security tokens to do so.

Common mistakes.

  • common_mistake. Common mistakes include selecting:
  • WS-Trust: While WS-Trust is indeed responsible for the 'management of security tokens' in terms of their issuance, renewal, and validation (often via a Security Token Service), its primary focus is not on the 'underlying policies for granting access.' It provides the tokens, but WS-Authorization defines how those tokens are then used to grant or deny access based on policy.
  • WS-Policy: WS-Policy provides a general framework for expressing the capabilities and requirements of a Web service, including security policies. However, it is a generic policy framework and not the specific standard dedicated to defining authorization rules or the application of security tokens for access decisions, which is WS-Authorization's domain.
  • WS-Federation: This specification deals with brokering trust between different security realms and federated identity, rather than the specific management of security tokens or authorization policies within a single service's access control layer.
  • WS-Secure Conversation: Focuses on establishing secure communication sessions, not directly on token management or authorization policies.
  • WS-Privacy: Deals with privacy policies and preferences, unrelated to security token management or access authorization.

Concept tested. Understanding the distinct roles and interdependencies of various Web Services Security (WS-Security) specifications, particularly those related to identity, trust, and authorization in service-oriented architectures.

Topics

#WS-Security#Security tokens#Access policies#WS-Trust

Community Discussion

No community discussion yet for this question.

Full CISSP Practice