Securing Web services applications using JAX-RPC at the message level

Standards and profiles address how to provide protection for messages that are exchanged in a Web service environment.

Before you begin

The Organization for the Advancement of Structured Information Standards (OASIS) Web services security (WS-Security) Version 1.0 specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard: it secures SOAP messages through XML digital signature for integrity, XML encryption for confidentiality, and security tokens for credential propagation. Web services security in WebSphere Application Server Version 6 and later is based on the standards included in the OASIS Web Services Security Version 1.0 specification, the Username Token Version 1.0 Profile, the X.509 Token Version 1.0 Profile, and the SOAP with Attachments (SWA) Version 1.0 Profile.

About this task

To secure Web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.

The Web Services Security: SOAP Message Security 1.0 specification outlines a standard set of SOAP 1.1 extensions that you can use to build secure Web services. These standards provide integrity and confidentiality, which are generally implemented with digital signature and encryption technologies. In addition, Web services security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and password are included as text. Web services security also defines how to encode binary security tokens such as X.509 certificates. However, the required security tokens are not defined in the Web services security Version 1.0 specification itself. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, and so on.

It is important to note that while Web services security can be used to provide message level integrity and confidentiality protection for normal SOAP message requests from a client to a service, and normal SOAP message responses from a service to a client, Web services security cannot be used to protect SOAP fault messages.

Web services security is supported in the managed Web service container. To establish a managed environment and to enforce constraints for Web services security, you must perform a Java Naming and Directory Interface (JNDI) lookup on the client to resolve the service reference.

Compatibility between WebSphere Application Server Version 6.1 and Version 5.x

In WebSphere Application Server Version 6.1, you can run a Version 5.x Web services-secured application on a Version 6.1 application server. However, when you use a Web services-secured application, the client and the server must use the same version of the application server. For example, a Web services-secured application does not work properly when the client uses WebSphere Application Server Version 6.1 and the server uses Version 5.x. Conversely, a Web services-secured application does not work properly when the client uses WebSphere Application Server Version 5.x and the server uses Version 6.1. This issue occurs because the SOAP message format is different between a Version 5.x application and a Version 6 or later application.

To secure Web services with WebSphere Application Server, you must specify several different configurations. Although there is not a specific sequence in which you must specify these different configurations, some configurations reference other configurations. See Configuration considerations for Web services security.

Because of the relationship between the different Web services security configurations, it is recommended that you specify the configurations at each level in the following order. You can configure Web services security at the application level, the server level, or the cell level, depending on your environment and security needs.

Procedure

Results

After completing these steps for WebSphere Application Server, you have secured Web services.


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=twbs_securev6wss
File name: twbs_securev6wss.html