Securing Web services applications using JAX-RPC at the message level
Standards and profiles address how to provide protection for messages that are exchanged in a Web service environment.
The Organization for the Advancement of Structured Information Standards (OASIS) Web services security (WS-Security) V1.0 specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens. Web services security for WAS for Versions 6 and later is based on standards that are included in the OASIS Web Services Security Version 1.0 specification, the Username Token V1.0 Profile, the X.509 Token V1.0 Profile, and a SOAP with Attachments (SWA) V1.0 Profile.
Overview
To secure Web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
The Web Services Security: SOAP Message Security 1.0 specification outlines a standard set of SOAP 1.1 extensions used to build secure Web services. These extensions provide integrity and confidentiality, generally through XML digital signature and XML encryption. In addition, Web services security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and password are included as text. Web services security also defines how to encode binary security tokens, such as X.509 certificates. However, the individual token types are not defined in the Web services security V1.0 specification itself. Instead, each token is defined in a separate profile, such as the Username token profile, the X.509 token profile, and so on.
Web services security is supported in the managed Web services container. To establish a managed environment and to enforce the Web services security constraints, the client must resolve its service reference by performing a Java Naming and Directory Interface (JNDI) lookup; the security bindings are applied only to a service reference resolved through the managed container.
Compatibility between WAS V6.1 and V5.x
In WebSphere Application Server V6.1, you can run a V5.x Web services-secured application on a V6.1 appserver. However, when you use a Web services-secured application, the client and the server must use the same version of the appserver. For example, a Web services-secured application does not work properly when the client uses WAS V6.1 and the server uses V5.x. Conversely, a Web services-secured application does not work properly when the client uses WAS Version 5.x and the server uses V6.1. This issue occurs because the SOAP message format is different between a Version 5.x application and a V6 or later application.
To secure Web services with WAS, you specify several different configurations. Although there is no required sequence in which to specify these configurations, some configurations reference other configurations. See Configuration considerations for Web services security.
Because of the relationships between the different Web services security configurations, it is recommended that you specify the configurations on each level in the following order. You can configure Web services security at the application level, the server level or the cell level, depending on your environment and security needs.
Procedure
- Assemble your Web services security-enabled application by using an assembly tool. Prior to modifying a Web services security-enabled application in the WAS console, assemble your application using an assembly tool. Although you can modify some of the application settings using the administrative console, configure the generator and the consumer security constraints using an assembly tool, such as the Application Server Toolkit or the Rational Application Developer. Return to this article after you have assembled your application and imported it into the console.
- Modify the application-level configurations in the administrative console.
  - Configure the trust anchors for the generator binding.
  - Configure the collection certificate store for the generator binding.
  - Configure the token for the generator binding.
  - Configure the key locators for the generator binding.
  - Configure the key information for the generator binding.
  - Configure the signing information for the generator binding.
  - Configure the encryption information for the generator binding.
  - Configure the trust anchors for the consumer binding.
  - Configure the collection certificate store for the consumer binding.
  - Configure the token for the consumer binding.
  - Configure the key locators for the consumer binding.
  - Configure the key information for the consumer binding.
  - Configure the signing information for the consumer binding.
  - Configure the encryption information for the consumer binding.
- Specify the server-level configurations.
  - Configure the trust anchors for the server level.
  - Configure the collection certificate store for the server level.
  - Configure a token generator for the server level.
  - Configure a nonce for the server level.
  - Configure the key locators for the generator binding.
  - Configure the key information for the generator binding.
  - Configure the signing information for the generator binding.
  - Configure the encryption information for the generator binding.
  - Configure the trusted ID evaluators for the server level.
  - Configure a token consumer for the server level.
  - Configure the key information for the consumer binding.
  - Configure the signing information for the consumer binding.
  - Configure the encryption information for the consumer binding.
- Specify the cell-level configuration.
  - Configure the trust anchors for the cell level.
  - Configure the collection certificate store for the cell level.
  - Configure a token generator for the cell level.
  - Configure a nonce for the cell level.
  - Configure the key locators for the generator binding.
  - Configure the key information for the generator binding.
  - Configure the signing information for the generator binding.
  - Configure the encryption information for the generator binding.
  - Configure the trusted ID evaluators for the cell level.
  - Configure a token consumer for the cell level.
  - Configure the key information for the consumer binding.
  - Configure the signing information for the consumer binding.
  - Configure the encryption information for the consumer binding.
Results
After completing these steps for WAS, you have secured Web services.
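The username token described in the Overview and the nonce step in the procedure above fit together: a generator that sends a PasswordDigest username token must also send a Nonce and a Created timestamp, and the consumer must check the digest, reject stale timestamps, and refuse a nonce it has already seen. The following is an added example, not code from this page or from WebSphere Application Server; it builds and verifies a UsernameToken according to the OASIS Username Token Profile 1.0 (Password_Digest = Base64(SHA-1(nonce + created + password))) using only the Python standard library. The user registry, the five-minute freshness window and the message bodies are constructed for the example.

```python
"""Added example: WS-Security UsernameToken (PasswordDigest) generator and consumer."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from WS-Security 1.0 and the Username Token Profile 1.0.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_request(username: str, password: str, body_xml: str, now: datetime) -> str:
    """Generator side: wrap body_xml in an Envelope carrying a digest UsernameToken."""
    created = now.strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)              # fresh random nonce per message
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")   # receiver must process or fault
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", Type=PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", EncodingType=B64_ENCODING)
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenConsumer:
    """Consumer side: check the digest, enforce freshness, and cache nonces against replay."""

    def __init__(self, users: dict, clock_skew: timedelta = timedelta(minutes=5)):
        self.users = users          # constructed registry: username -> password
        self.clock_skew = clock_skew
        self.seen = {}              # nonce bytes -> Created time (replay cache)

    def verify(self, message: str, now: datetime):
        root = ET.fromstring(message)
        tok = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE_NS}}}Username")
        pw_el = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not (nonce_b64 and created):
            return False, "digest, nonce and created are all required"
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(now - created_dt) > self.clock_skew:        # stale or far-future token
            return False, "token outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen:                              # same nonce seen within the window
            return False, "replayed nonce"
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad digest"
        self.seen[nonce] = created_dt
        # Evict nonces that the freshness check would reject anyway, so the cache stays bounded.
        self.seen = {n: c for n, c in self.seen.items() if abs(now - c) <= self.clock_skew}
        return True, username


def demo():
    """Constructed scenario: one accepted request, then replay, stale and bad-password rejections."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    consumer = UsernameTokenConsumer({"alice": "s3cret"})
    body = "<getQuote xmlns='urn:example'>IBM</getQuote>"
    msg = build_request("alice", "s3cret", body, now=t0)
    return [
        consumer.verify(msg, now=t0 + timedelta(seconds=30)),
        consumer.verify(msg, now=t0 + timedelta(seconds=31)),   # identical message resent
        consumer.verify(build_request("alice", "s3cret", body, now=t0), now=t0 + timedelta(minutes=10)),
        consumer.verify(build_request("alice", "wrong", body, now=t0), now=t0),
    ]


if __name__ == "__main__":
    for ok, detail in demo():
        print("accepted" if ok else "rejected", detail)
```

Two points the code makes explicit: the PasswordDigest form only hides the password from a passive observer, so the consumer still needs the password (or an equivalent verifier) for each user, and the nonce cache is what turns the Created timestamp into replay protection; without both the freshness window and the cache, a captured token can be resent as-is. The digest mechanism does nothing for the SOAP body, which is why the procedure pairs the token with signing and encryption configuration.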
Configuration considerations for Web services security
High-level architecture for Web services security
What is new for securing Web services
Web services: Default bindings for the Web services security collection
Web services security provides message integrity, confidentiality, and authentication
Securing messages using JAX-RPC at the request and response generators
Securing messages using JAX-RPC at the request and response consumers
Configure Web services security using JAX-RPC at the platform level
Migrating V5.x applications with Web services security to V6.1 applications
Developing Web services applications that retrieve tokens from the JAAS Subject in a server application
Developing Web services clients that retrieve tokens from the JAAS Subject in an application
Related concepts
Assembly tools
Related tasks
Troubleshooting Web services
Tuning Web services security for V6.1 applications
Securing Web services applications at the transport level
Authenticating Web services clients using HTTP basic authentication
Configure trust anchors for the generator binding on the application level
Configure the collection certificate store for the generator binding on the application level
Configure token generators using JAX-RPC to protect message authenticity at the application level
Configure the key locator using JAX-RPC for the generator binding on the application level
Configure the key information using JAX-RPC for the generator binding on the application level
Configure the signing information using JAX-RPC for the generator binding on the application level
Configure encryption using JAX-RPC to protect message confidentiality at the application level
Configure trust anchors for the consumer binding on the application level
Configure the collection certificate store for the consumer binding on the application level
Configure token consumers using JAX-RPC to protect message authenticity at the application level
Configure the key locator using JAX-RPC for the consumer binding on the application level
Configure the key information for the consumer binding on the application level
Configure the signing information using JAX-RPC for the consumer binding on the application level
Configure encryption to protect message confidentiality at the application level
Configure trust anchors on the server or cell level
Configure the collection certificate store on the server or cell level
Configure a nonce on the server or cell level
Configure token generators using JAX-RPC to protect message authenticity at the server or cell level
Configure the key locator using JAX-RPC on the server or cell level
Configure the key information for the generator binding on the server or cell level
Configure the signing information using JAX-RPC for the generator binding on the server or cell level
Configure encryption using JAX-RPC to protect message confidentiality at the server or cell level
Configure trusted ID evaluators on the server or cell level
Configure token consumers using JAX-RPC to protect message authenticity at the server or cell level
Configure the key information for the consumer binding on the server or cell level
Configure the signing information using JAX-RPC for the consumer binding on the server or cell level
Configure encryption to protect message confidentiality at the server or cell level
Task overview: Implementing Web services applications
Related Reference
Security considerations for Web services
rrdSecurity.props file