MessageLevelSecurity (MLS) is now included in WebServicesSecurity specs for SoapProtocol.
See WebServicesInteroperabilityOrganization document at http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf to see various options for SimpleObjectAccessProtocol messages.
Significance of MessageLevelSecurity for SOAP WebServices
MS Rebecca Dias blog in Mar05 and said MLS is one of two most important new developments in WebServices architecture (the other being WS-Policy). Key benefits include flexibility in choosing types of security tokens and which part of the message to apply them. And that (transport) intermediaries can insert signed audit trail information.
Is it true that with MessageLevelSecurity, than TransportLevelSecurity? is no longer required? GridComputing people have dropped HTTPG in their implementations once MLS is available. And MS Feb05 "Why WSE" article at http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwse/html/whywse.asp seem to support TransportLevelSecurity? no longer required when there is MessageLevelSecurity.
How does RestArchitecturalStyle WebServices handle security for messages? Do developers have to code a customized version of MessageLevelSecurity embedded in the WebApplication?