Web services security overview

The OASIS web services security (WSS) Version 1.0 specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. WSS is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens. New in the Feature Pack for Web Services, JAX-WS web services can be easily secured using policy sets.

Important: Applicable to WebSphere® Application Server traditional

To secure web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies, such as public key infrastructure and Kerberos, in heterogeneous environments such as Microsoft .NET and Java™ (Java EE). The complete web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.

The Web Services Security: SOAP Message Security 1.0 specification outlines a standard set of SOAP extensions that you can use to build secure web services. These standards provide integrity and confidentiality through digital signature and encryption technologies. In addition, web services security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is a Username token, in which a user name and password are included as text. Web services security also defines how to encode binary security tokens such as X.509 certificates and Kerberos tickets. However, the required security tokens are not defined in the web services security Version 1.0 specification. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, the SAML profile, the Kerberos profile, and the XrML profile.

Enabling JAX-WS web services security using policy sets

In the V6.1 Feature Pack for Web Services and V7, WebSphere Application Server uses the policy set model for implementing the WSS Version 1.1 specification, the Username token Version 1.1 profile, and the X.509 token Version 1.1 profile. Policy sets combine configuration settings, including settings for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, WS-SecureConversation, and WS-Security.

To enable policy sets for your web services, refer to Managing policy sets for JAX-WS web services and clients.

The following resource also demonstrates policy sets.

The following book contains a chapter on policy sets in the WebSphere Application Server V6.1 Feature Pack for Web Services: IBM® Redbooks®: Web Services Feature Pack for WebSphere Application Server V6.1

More information on securing web services

In addition to the information provided in this documentation, several useful tutorials and articles that demonstrate how to secure web services using WebSphere Application Server are available on developerWorks®.

Concept topic
Last updated: July 17, 2017 21:58

File name: csecurews.html