Diploma Thesis 2004 (DA04): Thesis Archive
 
DA Rea 04/6 - Delegation of User Security Credentials in a distributed environment
Students: Christian Brauchli, braucchr
  Oliver Roth, rotholiv

Supervisor: Karl Rege, rege

Everyone speaks of a networked world. The HTML-based World Wide Web is as popular as ever. Computers, however, aren't able to understand HTML content. Web-Services fill this gap and make it possible to connect applications. SOAP is the primary exchange format used.

Because Web-Services are used particularly in the commercial world to integrate different systems and services, security is an important aspect. For this purpose, IBM, Microsoft, and VeriSign developed an extension to the Web-Service protocol in 2002, named Web-Service-Security (WSS). WSS-2002, however, had some faults and did not become generally accepted. In the meantime, the independent organization OASIS released an updated version in April 2004. The standard is still gaining features, but already supports a wide collection of possible security credentials (password, X.509 certificates).

This paper is principally concerned with authentication and with forwarding the security-relevant information of individual subjects (authenticity). The first part discusses the problem, Web-Services-Security, and interoperability from a theoretical point of view. The second part examines the implementation in a concrete environment at the partner company Winterthur Insurance. On the basis of their needs, a possible architecture model, a so-called Blueprint, is provided. It was divided into individual parts, which are specified in more detail. To prove that the concept works with the products available today, these parts were finally implemented as prototypes. The solutions show that secure Web-Service communication between a Java-based environment and .NET is, in principle, not an insuperable obstacle.

No doubt, Web-Services extended with WSS and supported by major software companies (Microsoft, Sun, IBM, SAP, etc.) have large potential. Sooner or later, probably no large enterprise will be able to avoid this technology. Most systems that Winterthur Insurance runs seem to be able to integrate WSS with little effort.
