Securing Web services for V5.x applications based on WS-Security
Web services security for WAS is based on standards included in the Web services security (WS-Security) specification. These standards address how to provide protection for messages exchanged in a Web service environment.
There is an important distinction between Version 5.x applications and V6 and later applications. The information in this article applies only to V5.x applications that run on WebSphere Application Server V6.0.x and later; it does not apply to V6 and later applications.
The specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard: it secures the SOAP message itself rather than the transport, using XML digital signature for integrity, XML encryption for confidentiality, and security tokens for credential propagation. Because the protection travels with the message, it is preserved across intermediaries and after the transport connection ends, which transport-level security such as SSL alone does not provide.
Overview
Use the deprecated "Securing Apache SOAP Web services" topics in the WAS, V5 documentation if you are still using Apache SOAP V2.3.
To secure Web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies, such as public key infrastructure and Kerberos, in heterogeneous environments such as Microsoft .NET and environments that are based on the J2EE standards. The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
Specification: Web Services Security (WS-Security) proposes a standard set of SOAP extensions used to build secure Web services. These extensions provide integrity and confidentiality, which are generally implemented with digital signature and encryption technologies. In addition, Web services security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is the user name token, in which a user name and password are carried in the message as text; because the password is sent in the clear, such a token should only travel over a protected channel such as SSL or inside an encrypted part of the message. Web services security also defines how to encode binary security tokens, such as X.509 certificates and Kerberos tickets, in the message.
To establish a managed environment and to enforce the Web services security constraints, the client must resolve its service reference through a Java Naming and Directory Interface (JNDI) lookup. A client that instantiates the service directly, without the JNDI lookup, is unmanaged, and the Web services security configuration bound to the service reference is not applied to its messages.
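The user name token described above, as an added worked example that is not part of this page or of WebSphere Application Server: it builds a SOAP 1.1 envelope carrying a wsse:Security header with a UsernameToken and checks it on the receiving side. It goes one step beyond the paragraph by also showing the PasswordDigest form from the OASIS UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce, creation time and password), together with the receiver-side freshness window and nonce cache that the digest form needs to resist replay. The user store, the getQuote body, the nonces, the clock values and the five-minute skew window are constructed for the example.

```python
"""Build and verify a WS-Security UsernameToken header (added example, not WAS code).

Covers the clear-text PasswordText form described in the text and the
PasswordDigest form from the OASIS UsernameToken Profile 1.0.  The user
store, SOAP body, nonces and clock values below are constructed.
"""
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT, PW_DIGEST = UTP + "#PasswordText", UTP + "#PasswordDigest"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def parse_created(value: str) -> datetime:
    """Parse a wsu:Created timestamp (UTC, second precision); raises ValueError."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, digest: bool = True,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Client side: SOAP 1.1 envelope with a wsse:Security/UsernameToken header."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", PW_DIGEST)
        pw.text = password_digest(nonce, created, password)
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PW_TEXT)  # password travels in the clear: needs SSL or XML encryption
        pw.text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example:stock}getQuote").text = "IBM"  # constructed payload
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side: checks the credential, the Created freshness window and nonce replay."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users  # username -> clear-text password; the digest form needs it
        self.max_skew = max_skew
        self.seen_nonces = set()  # production code expires entries once older than max_skew

    def verify(self, envelope: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        if user not in self.users or pw_el is None:
            return False, "unknown user or missing password"
        expected_pw = self.users[user]
        ptype = pw_el.get("Type", PW_TEXT)  # PasswordText is the profile's default type
        if ptype == PW_TEXT:
            ok = secrets.compare_digest((pw_el.text or "").encode("utf-8"), expected_pw.encode("utf-8"))
            return ok, ("ok" if ok else "bad password")
        if ptype != PW_DIGEST:
            return False, "unsupported password type"
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if not nonce_b64 or not created:
            return False, "digest requires Nonce and Created"
        try:
            created_dt = parse_created(created)
        except ValueError:
            return False, "malformed Created"
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, expected_pw)
        if not secrets.compare_digest((pw_el.text or "").encode("ascii"), expected.encode("ascii")):
            return False, "bad password digest"
        self.seen_nonces.add(nonce)  # record only accepted nonces
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    msg = build_envelope("alice", "s3cret")
    print(msg)
    print(verifier.verify(msg))  # (True, 'ok')
    print(verifier.verify(msg))  # (False, 'replayed nonce') on the second delivery
```

The digest form hides the password on the wire but does not remove the need to protect the channel: the receiver must still hold the clear-text password to recompute the digest, and without the Created window and the nonce cache a captured message can simply be resent. The profile leaves the freshness window and cache size to the deployer; the five-minute window here is a constructed value.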
An administrator can use any of the following methods to integrate message-level security into a WebSphere Application Server environment:
Procedure
- Securing Web services for V5.x applications using XML digital signature
- Securing Web services for V5.x applications using XML encryption
- Securing Web services for V5.x applications using basic authentication
- Securing Web services for V5.x applications using identity assertion authentication
- Securing Web services for version 5.x applications using signature authentication
- Securing Web services for version 5.x applications using a pluggable token
Web services security specification—a chronology
Web services security support
Web services security and Java 2 Platform, Enterprise Edition security relationship
Web services security model in WAS
Example: Propagating security tokens
Web services security constraints
Overview of authentication methods
XML digital signature
Securing Web services for V5.x applications using XML digital signature
XML encryption
Securing Web services for V5.x applications using XML encryption
Securing Web services for V5.x applications using basic authentication
Identity assertion in a SOAP message
Securing Web services for V5.x applications using identity assertion authentication
Securing Web services for version 5.x applications using signature authentication
Overview of token types
Security token
Securing Web services for version 5.x applications using a pluggable token
Tuning Web services security for V5.x applications
Related tasks
Task overview: Implementing Web services applications
Related reference
Web services: Default bindings for the Web services security collection
Web services: Resources for learning
Related information
Security in a Web Services World: A Proposed Architecture and Roadmap
Specification: Web Services Security (WS-Security)