Web services security specification for V6 and later- a chronology

 

+

Search Tips   |   Advanced Search

 

The development of the Web services security specification includes information on the Organization for the Advancement of Structured Information Standards (OASIS) Web services security specification. The OASIS Web services security specification serves as a basis for securing Web services in WAS V6 and later versions

 

Non-OASIS activities

Web services is gaining rapid acceptance as a viable technology for interoperability and integration. However, securing Web services is one of the paramount quality of services that makes the adoption of Web services a viable industry and commercial solution for businesses. IBM and Microsoft jointly published a security white paper on Web services entitled Security in a Web Services World: A Proposed Architecture and Roadmap. The white paper discusses the following initial and subsequent specifications in the proposed Web services security roadmap:

Web service security

This specification defines how to attach a digital signature, use encryption, and use security tokens in SOAP messages.

WS-Policy

This specification defines the language that is used to describe security constraints and the policy of intermediaries or endpoints.

WS-Trust

This specification defines a framework for trust models to establish trust between Web services.

WS-Privacy

This specification defines a model of how to express a privacy policy for a Web service and a requester.

WS-SecureConversation

This specification defines how to exchange and establish a secured context, which derives session keys between Web services.

WS-Federation

This specification defines a model for trust relationships in a heterogeneous, federated environment, including federated identities management.

WS-Authorization

This specification defines the authorization policy for a Web service. However, the WS-Authorization specification has not been published. The existing implementation of Web services security is based upon the Web Services for J2EE or Java Specification Requirements (JSR) 109 specification. The implementation of Web services security leverages the J2EE role-based authorization checks. For conceptual information on role-based authorization, see Role-based authorization. If you develop a Web service that requires method-level authorization checks, then use stateless session beans to implement your Web service. For more information, see Securing enterprise bean applications.

If you develop a Web service that is implemented as a servlet, you can use coarse-grained or URL-based authorization in the Web container. However, in this situation, you cannot use the identity from Web services security for authorization checks. Instead, you can use the identity from the transport. If you use SOAP over HTTP, then the identity is in the HTTP transport.

This following figure shows the relationship between these specifications:

In April 2002, IBM, Microsoft, and VeriSign proposed the Web Services Security (WS-Security) specification on their Web sites as depicted by the green box in the previous figure. This specification included the basic ideas of a security token, XML digital signature, and XML encryption. The specification also defined the format for user name tokens and encoded binary security tokens. After some discussion and an interoperability test based on the specification, the following issues were noted:

• The specification requires that the Web services security processors understand the schema correctly so that the processor distinguishes between the ID attribute for XML digital signature and XML encryption.

• The freshness of the message, which indicates whether the message complies with predefined time constraints, cannot be determined.

• Digested password strings do not strengthen security.

In August 2002, IBM, Microsoft, and VeriSign published the Web Services Security Addendum, which attempted to address the previously listed issues. The following solutions were addressed in the addendum:

• Require a global ID attribute for XML signature and XML encryption.

• Use time stamp header elements that indicate the time of the creation, receipt, or expiration of the message.

• Use password strings that are digested with a time stamp and nonce, which is a randomly generated token.

The specifications for the blue boxes in the previous figure have been proposed by various industry vendors and various interoperability events have been organized by the vendors to verify and refine the proposed specifications.

 

OASIS activities

In June 2002, OASIS received a proposed Web services security specification from IBM, Microsoft, and Verisign. The Web Services Security Technical Committee (WSS TC) was organized at OASIS soon after the submission. The technical committee included many companies including IBM, Microsoft, VeriSign, Sun Microsystems, and BEA Systems.

In September 2002, WSS TC published its first specification, Web Services Security Core Specification, Working Draft 01. This specification included the contents of both the original Web services security specification and its addendum.

The coverage of the technical committee became larger as the discussion proceeded. Because the Web Services Security Core Specification allows arbitrary types of security tokens, proposals were published as profiles. The profiles described the method for embedding tokens, including Security Assertion Markup Language (SAML) tokens and Kerberos tokens embedded into the Web services security messages. Subsequently, the definitions of the usage for user name tokens and X.509 binary security tokens, which were defined in the original Web Services Security Specification, were divided into the profiles. WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1 support the following specifications:

• Web Services Security: SOAP Message Security Draft 13 (formerly Web Services Security Core Specification)

• Web Services Security: Username Token Profile Draft 2

In April 2004, the Web service security specification (officially called Web Services Security: SOAP Message Security V1.0) became the V1.0 OASIS standard. Also, the Username token and X.509 token profiles are V1.0 specifications. WAS 6 and later support the following Web services security specifications from OASIS:

• Web Services Security: SOAP Message Security 1.0 specification

• Web Services Security: Username Token 1.0 Profile

• Web Services Security: X.509 Token 1.0 Profile

The following figure shows the various Web services security-related specifications.

WAS V6 and later also extend and provide plug-in capability to enable security providers to extend the run-time capability and implement some of the higher level specifications in the Web service security stack. The plug-in points are exposed as Service Provider Programming Interfaces (SPI). For more information on these SPIs, see Default implementations of the Web services security service provider programming interfaces.

 

Web services security specification 1.0 development

The OASIS Web services security V1.0 specification defines the enhancements that are used to provide message integrity and confidentiality. It also provides a general framework for associating the security tokens with a SOAP message. The specification is designed to be extensible to support multiple security token formats. The particular security token usage is addressed with the security token profile. The OASIS Web services security specification is based upon the following World Wide Web Consortium (W3C) specifications. Most of the W3C specifications are in the standard body recommended status.

• XML-Signature Syntax and Processing

  W3C recommendation, February 2002 (Also, IETF RFC 3275, March 2002)

• Canonical XML V1.0

  W3C recommendation, March 2001

• Exclusive XML Canonicalization V1.0

  W3C recommendation, July 2002

• XML-Signature XPath Filter V2.0

  W3C Recommendation, November 2002

• XML Encryption Syntax and Processing

  W3C Recommendation, December 2002

• Decryption Transform for XML Signature

  W3C Recommendation, December 2002

These specifications are supported in WAS V6 and later in the context of Web services security. For example, you can sign a SOAP message by specifying the integrity option in the deployment descriptors. However, there is no API that an application can use for XML signature on an XML element in a SOAP message.

The OASIS Web services security V1.0 specification defines the enhancements that are used to provide message integrity and confidentiality. It also provides a general framework for associating the security tokens with a SOAP message. The specification is designed to be extensible to support multiple security token formats. The particular security token usage is addressed with the security token profile.

 

Specification and profile support in WebSphere Application Server V6 and later

OASIS is working on various profiles. For more information, see Organization for the Advancement of Structured Information Standards Committees.

The following list includes of the published draft profiles and OASIS Web services security technical committee work in progress.

WAS V6 and later do not support these profiles:

• Web Services Security: SAML token profile 1.0

• Web Services Security: Rights Expression Language (REL) token profile 1.0

• Web Services Security: Kerberos token profile 1.0

• Web Services Security: SOAP Messages with Attachments (SwA) profile 1.0

Support for Web services security draft 13 and Username token profile draft 2 in WebSphere Application 5.0.2, 5.1.0 and 5.1.1 is deprecated. For migration information, see Migrating V5.x applications with Web services security to V6.1 applications.

The wire format of the SOAP message with Web services security in Web services security Version 1.0 has changed and is not compatible with previous drafts of the OASIS Web services security specification. Interoperability between OASIS Web services security V1.0 and previous Web services security drafts is not supported. However, it is possible to run an application that is based on Web services security draft 13 on WAS V6 and later. The application can inter-operate with an application that is based on Web services security draft 13 on WAS V5.0.2, 5.1 or 5.1.1.

WebSphere Application Server V6 and later support both the OASIS Web services security draft 13 and the OASIS Web services security 1.0 specification. But in WAS V6 and later, the support of OASIS Web services security draft 13 is deprecated. However, applications that were developed using OASIS Web services security draft 13 on WebSphere Application Server 5.0.2, 5.1.0 and 5.1.1 can run on WAS Version 6 and later. OASIS Web services security V1.0 support is available only for J2EE V1.4 applications. The configuration format for the deployment descriptor and the binding is different from previous versions of WAS. You must migrate the existing applications to J2EE 1.4 and migrate the Web services security configuration to the WAS V6 format.

 

Web Services Interoperability Organization (WS-I) activities

Web Services Interoperability Organization (WS-I) is an open industry effort to promote Web services interoperability across vendors, platforms, programming languages and applications. The organization is a consortium of companies across many industries including IBM, Microsoft, Oracle, Sun, Novell, VeriSign, and Daimler Chrysler. WS-I began working on the basic security profile (BSP) in the spring of 2003. BSP consists of a set of non-proprietary Web services specifications that clarifies and amplifies those specifications to promote Web services security interoperability across different vendor implementations. As of June 2004, BSP is a public draft. For more information, see the Web Services Interoperability Organization.

Specifically, see Basic Security Profile V1.0 for details about the BSP. WAS supports compliance with the BSP. See Basic Security Profile compliance tips for the details to configure your application in compliance with the BSP.

---

 

Related concepts

Default implementations of the Web services security service provider programming interfaces
Role-based authorization
Basic Security Profile compliance tips
What is new for securing Web services

 

Related tasks

Migrating V5.x applications with Web services security to V6.1 applications
Developing Web services applications from enterprise beans
Securing enterprise bean applications