Secure JAX-WS Web services using message-level security
Overview
Before beginning this task, deploy a JAX-WS application
JAX-WS compliments the JAX-RPC model. JAX-WS offers greater platform independence through the use of dynamic proxies and Java annotations. JAX-WS is also known as JSR 224.
JAX-WS applications can be secured with WS-Security in one of two ways. The application can be secured using policy sets, or through the use of the WS-Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application.
The following sections describe both methods.
To secure JAX-WS client applications with message-level security programmatically, use the WSS API
Secure JAX-WS applications using policy sets
- Specify the message-level protection required
The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.
Specify security tokens using the token type settings, such as:
- Kerberos token
- Username token
- LTPA token
- X.509 token
See also, Manage policy sets
- Set the default WS-Security bindings.
See about bindings, read the topic Set policy set bindings
Set policy sets through metadata exchange (WS-MetadataExchange)
In WAS V7.0, using JAX-WS, we can enable the Web Services Metadata Exchange (WS-MetadataExchange) protocol so that the policy configuration of the service provider is included in the WSDL and is available to a WS-MetadataExchange GetMetadata request. One advantage of using the WS-MetadataExhange protocol is that we can apply message-level security to WS-MetadataExchange GetMetadata requests by using a suitable system policy set. Another advantage is that the client does not have to match the provider configuration, or have a policy set attached. The client only needs the binding information, and then the client can operate based on the provider policy, or based on the intersection of the client and provider policies. Configure a service provider to share its policy configuration using the admin console.
See, read the following topics:
- Set security for a WS-MetadataExchange request
- Set a service provider to share its policy configuration
- Transformation of policy and binding assertions for WSDL
Migration of JAX-WS WS-Security bindings from V6.1 to V7.0
Audit the WS-Security runtime
Secure Web services using policy sets
Set the username and password for WS-Security Username or LTPA token authentication
Set default WS-Security bindings
General JAX-WS default bindings for WS-Security
WS-Security API model
Service Programming Interfaces (SPI)
Secure Web services applications using the WSS APIs at the message level
Secure requests to the trust service using system policy sets
Set the Kerberos token for WS-Security
Related concepts
Transformation of policy and binding assertions for WSDL
JAX-WS
Web services policy sets
Related tasks
Secure Web services applications using the WSS APIs at the message level
Manage policy sets
Attach a policy set to a service artifact
Set policy set bindings
Signing and encrypting message parts using policy sets
Secure requests to the trust service using system policy sets
Set security for a WS-MetadataExchange request
Set a service provider to share its policy configuration
Troubleshooting Web services
Tuning WS-Security for V7.0 applications
Secure Web services applications using message level security