Web services typically operate by exchanging SOAP (Simple Object Access Protocol) messages with clients over HTTP. SOAP is an XML-based protocol/language.
WS-Security is a standard that specifies how certain security information (e.g. username and password) can be embedded inside a SOAP message and passed to a Web service over the Internet.
Taverna 2.x supports the portion of the WS-Security standard that refers to username and password authentication. Depending on a service’s settings, Taverna will add your plaintext or digest password as part of SOAP messages sent to that service. Plaintext means that your password is simply sent “as is” – it is not “scrambled” or encrypted before sending. If someone got hold of the SOAP message containing a plaintext password they would be able to see it. Digest means that your password is scrambled in some way before placing it in a SOAP message and this would make it harder for someone to “guess” your password if they got hold of the SOAP message carrying it.
Sending passwords like this inside SOAP messages over HTTP is not very secure (even if passwords are digests and not plaintext). For this reason, services typically also use HTTPS to protect the confidentiality of SOAP messages while in transit. This makes it (almost) impossible for eavesdroppers to see what is inside the SOAP messages.
In addition, some Web services may also require a WS-Security timestamp (a date and the time) to be added to SOAP messages for security purposes. Taverna 2.x is also capable of doing this for you. This helps services fight replay attacks, since they can ensure that messages are “fresh” and not “replayed” by checking the timestamp.