The Web services security constraints are specified in
the IBM extension of the Web services deployments descriptors and
bindings. The Web services security run time enforces the security
constraints specified in the deployment descriptors.
WebSphere Application Server Version 6 and later use the Java 2
Platform, Enterprise Edition (J2EE) Version 1.4 Web services deployment
model to implement Web services security. One of the advantages of
deployment model is that you can define the Web services security
requirements outside of the application business logic. With the separation
of roles, the application developer can focus on the business logic
and the security expert can specify the security requirement.
The following figure shows the high-level architecture model that
is used to secure Web services in WebSphere Application Server Version
6.

The deployment descriptor and binding for Web services security
is based on Web service ports. Each Web service port can have its
own unique Web services security constraints defined. For example,
you might configure Web service port A to sign the SOAP body and the
Username token. You might configure Web service port B to encrypt
the SOAP body content and so on.
As shown in the previous figure, there are 2 sets of configurations
on both the client side and the server side:
- Request generator
- This client-side configuration defines the Web services security
requirements for the outgoing SOAP message request. These requirements
might involve generating a SOAP message request that uses a digital
signature, incorporates encryption, and attaches security tokens.
In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the
request generator was known as the request sender.
- Request consumer
- This server-side configuration defines the Web services security
requirements for the incoming SOAP message request. These requirements
might involve verifying that the required integrity parts are digitally
signed; verifying the digital signature; verifying that the required
confidential parts were encrypted by the request generator; decrypting
the required confidential parts; validating the security tokens, and
verifying that the security context is set up with the appropriate
identity. In WebSphere Application Server Versions 5.0.2, 5.1, and
5.1.1, the request consumer was known as the request receiver.
- Response generator
- This server-side configuration defines the Web services security
requirements for the outgoing SOAP message response. These requirements
might involve generating the SOAP message response with Web services
security; including digital signature; and encrypting and attaching
the security tokens, if necessary. In WebSphere Application Server
Versions 5.0.2, 5.1, and 5.1.1, the response generator was known as
the response sender.
- Response consumer
- This client-side configuration defines the Web services security
requirements for the incoming SOAP response. The requirements might
involve verifying that the integrity parts are signed and the signature
is verified; verifying that the required confidential parts are encrypted
and that the parts are decrypted; and validating the security tokens.
In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the
response consumer was known as the response receiver.
WebSphere
Application Server Versions 6 and later do not include security policy
negotiation or exchange between the client and server. This security
policy negotiation is defined by the WS-Policy, WS-PolicyAssertion,
and WS-SecurityPolicy specifications and are not supported in WebSphere
Application Server Version 6 and later.
Note: The Web services security requirements that are defined in the
request generator must match the request consumer. The requirements
that are defined in the response generator must match the response
consumer. Otherwise, the request or response is rejected because the
Web services security constraints cannot be met by the request consumer
and response consumer.
The format of the Web services security deployment descriptors
and bindings are IBM proprietary. However, the following tools are
available to edit the deployment descriptors and bindings:
- Rational Application Developer
- Use this tool to edit the Web services security deployment descriptor
and binding. You can use this tool to assemble both Web and Enterprise
JavaBeans (EJB) modules.
- Application Server Toolkit
- Use this tool to edit the Web services security deployment descriptor
and binding.
- WebSphere Application Server Administrative Console
- Use this tool to edit the Web services security binding of a deployed
application.