Secure Web services applications using message level security


 


 

OASIS WS-Security is a message-level standard based on securing SOAP messages through...

WAS Version 7 supports V1.1 of the WS-Security specification, including features such as...

In addition, limited security scenario support is provided for...

Security requirements include...

WS-Security SOAP Message Security 1.1 provides integrity and confidentiality protection using digital signature and encryption technologies.

In addition, WS-Security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and password are included as text. WS-Security also defines how to encode binary security tokens, such as X.509 certificates. However, the required security tokens are not defined in the SOAP Message Security 1.1 specification. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, and so on.

While WS-Security can be used to provide message level integrity and confidentiality protection for normal SOAP message requests from a client to a service, and normal SOAP message responses from a service to a client, WS-Security cannot be used to protect SOAP fault messages.

 

Compatibility between WS-Security Draft 13 and WS-Security standard Versions 1.0 and 1.1

The WS-Security standard has evolved over the years, from a draft to an OASIS standard. WAS V5.02 introduced support for the WS-Security Draft 13, and support for WS-Security 1.0 was introduced beginning with WAS V6.0. WS-Security V1.1 is supported by WAS V6.1 Feature Pack for Web Services, using the JAX-WS runtime only.

A WS-Security Draft 13 client is not compatible with providers that use WS-Security V1.0 or V1.1. Use a Draft 13 client to communicate with a Draft 13 Web services provider. You cannot use a Draft 13 client to communicate with a WS-Security V1.0 or V1.1 provider. This issue arises because the SOAP message format for the WS-Security header and namespace is different between a WS-Security Draft 13–enabled application and a WS-Security V1.0 or V1.1–enabled application. The version of the WS-Security standard used also has implications for the required version of the Java EE application:

 

Related tasks

What is new for securing Web services
WS-Security configuration considerations
Default bindings and runtime properties for WS-Security
WS-Security provides message integrity, confidentiality, and authentication
Secure JAX-WS Web services using message-level security
Secure JAX-RPC Web services using message level security
Enable hardware cryptographic devices for WS-Security
Secure Web services for V5.x applications based on WS-Security
Task overview: Implement Web services applications

 

See also

Security in a Web Services World: A Proposed Architecture and Roadmap.