High-level architecture for Web services security

The Web services security constraints are specified in the IBM extension of the Web services deployments descriptors and bindings. The Web services security run time enforces the security constraints specified in the deployment descriptors.

WebSphere Application Server Version 6 and later use the Java 2 Platform, Enterprise Edition (J2EE) Version 1.4 Web services deployment model to implement Web services security. One of the advantages of deployment model is that you can define the Web services security requirements outside of the application business logic. With the separation of roles, the application developer can focus on the business logic and the security expert can specify the security requirement.

The following figure shows the high-level architecture model that is used to secure Web services in WebSphere Application Server Version 6.

High-level architecture model

The deployment descriptor and binding for Web services security is based on Web service ports. Each Web service port can have its own unique Web services security constraints defined. For example, you might configure Web service port A to sign the SOAP body and the Username token. You might configure Web service port B to encrypt the SOAP body content and so on.

As shown in the previous figure, there are 2 sets of configurations on both the client side and the server side:
Request generator
This client-side configuration defines the Web services security requirements for the outgoing SOAP message request. These requirements might involve generating a SOAP message request that uses a digital signature, incorporates encryption, and attaches security tokens. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the request generator was known as the request sender.
Request consumer
This server-side configuration defines the Web services security requirements for the incoming SOAP message request. These requirements might involve verifying that the required integrity parts are digitally signed; verifying the digital signature; verifying that the required confidential parts were encrypted by the request generator; decrypting the required confidential parts; validating the security tokens, and verifying that the security context is set up with the appropriate identity. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the request consumer was known as the request receiver.
Response generator
This server-side configuration defines the Web services security requirements for the outgoing SOAP message response. These requirements might involve generating the SOAP message response with Web services security; including digital signature; and encrypting and attaching the security tokens, if necessary. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the response generator was known as the response sender.
Response consumer
This client-side configuration defines the Web services security requirements for the incoming SOAP response. The requirements might involve verifying that the integrity parts are signed and the signature is verified; verifying that the required confidential parts are encrypted and that the parts are decrypted; and validating the security tokens. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the response consumer was known as the response receiver.

WebSphere Application Server Versions 6 and later do not include security policy negotiation or exchange between the client and server. This security policy negotiation is defined by the WS-Policy, WS-PolicyAssertion, and WS-SecurityPolicy specifications and are not supported in WebSphere Application Server Version 6 and later.

Note: The Web services security requirements that are defined in the request generator must match the request consumer. The requirements that are defined in the response generator must match the response consumer. Otherwise, the request or response is rejected because the Web services security constraints cannot be met by the request consumer and response consumer.
The format of the Web services security deployment descriptors and bindings are IBM proprietary. However, the following tools are available to edit the deployment descriptors and bindings:
Rational Application Developer
Use this tool to edit the Web services security deployment descriptor and binding. You can use this tool to assemble both Web and Enterprise JavaBeans (EJB) modules.
Application Server Toolkit
Use this tool to edit the Web services security deployment descriptor and binding.
WebSphere Application Server Administrative Console
Use this tool to edit the Web services security binding of a deployed application.



Subtopics
Security authorization models
Security model mixture
Overview of platform configuration and default bindings
Default configuration
Default implementations of the Web services security service provider programming interfaces
Related tasks
Securing Web services applications using JAX-RPC at the message level
Related reference
Request generator (sender) binding configuration settings
Request consumer (receiver) binding configuration settings
Response generator (sender) binding configuration settings
Response consumer (receiver) binding configuration settings
Concept topic Concept topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 30, 2013 8:21:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-express-iseries&topic=cwbs_highlvlarchwss
File name: cwbs_highlvlarchwss.html