Securing Web services for v5.x applications based on WS-Security
Before you beginImportant distinction between V5.x and v6.x applications
Note: The information in this article supports v5.x applications only that are used with WAS v6.x. The information does not apply to v6.0.x applications.
Web services security for WAS is based on standards included in the Web services security (WS-Security) specification. These standards address how to provide protection for messages exchanged in a Web service environment. The specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
Use the deprecated "Securing Apache SOAP Web services" topics in the WebSphere Application Server, V5 documentation if you are still using Apache SOAP V2.3.
To secure Web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies (such as public key infrastructure, Kerberos and so on.) in heterogeneous environments (such as Microsoft .NET and Java 2 Platform, Enterprise Edition (J2EE)). The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
Specification: Web Services Security (WS-Security) proposes a standard set of SOAP extensions that use to build secure Web services. These standards confirm integrity and confidentiality, which are generally provided with digital signature and encryption technologies. In addition, Web services security provides a general purpose mechanism for associating security tokens with messages. A typical example of the security token is a user name and password token, in which a user name and password are included as text. Web services security defines how to encode binary security tokens using methods such as X.509 certificates and Kerberos tickets.
To establish a managed environment and to enforce constraints for Web services security, perform a Java Naming and Directory Interface (JNDI) lookup on the client to resolve the service reference. For more information on the recommended client programming model, see "Service lookup" in the Java Specification Request (JSR) 109 specification available at: ftp://www-126.ibm.com/pub/jsr109/spec/1.0/websvcs-1_0-fr.pdf.
An administrator can use any of the following methods to integrate message-level security into a WAS environment:
Steps for this task (dependent on configuration)
- Securing Web services for v5.x applications using XML digital signature
- Securing Web services for v5.x applications using XML encryption
- Securing Web services for v5.x applications using basicauth authentication
- Securing Web services for v5.x applications using identity assertion authentication
- Securing Web services for v5.x applications using signature authentication
- Securing Web services for v5.x applications using a pluggable token
Web services security specification-a chronology
Web services security support
Web services security and Java 2 Platform, Enterprise Edition security relationship
Web services security model in WebSphere Application Server
Web services: Default bindings for the Web services security collection
Usage scenario for propagating security tokens
Authentication method overview
XML digital signature
Securing Web services for v5.x applications using XML digital signature
Securing Web services for v5.x applications using XML encryption
Securing Web services for v5.x applications using basicauth authentication
Securing Web services for v5.x applications using identity assertion authentication
Securing Web services for v5.x applications using signature authentication
Token type overview
Securing Web services for v5.x applications using a pluggable token
Tuning Web services security for v5.x applications
Web services: Resources for learning
Security in a Web Services World: A Proposed Architecture and Roadmap
Specification: Web Services Security (WS-Security)
Web Services for J2EE, V1.0
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.