+

Search Tips   |   Advanced Search

Secure Web services applications using the WSS APIs at the message level


Standards and profiles address how to provide protection for messages that are exchanged in a Web service environment. WS-Security is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.

To secure Web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete WS-Security protocol stack and technology roadmap is described in the Web services roadmap.

The Organization for the Advancement of Structured Information Standards (OASIS) WS-Security: SOAP Message Security V1.1 specification is the basic messaging transport for all Web services. SOAP 1.2 adds extensions to the existing SOAP 1.1 extensions so that we can build secure Web services. Attachments can be added to SOAP messages by using Message Transmission Optimization Mechanism (MTOM) and XML-binary Optimized Packaging (XOP) instead of the SOAP with Attachments (SWA) profile.

The OASIS WS-Security V1.1 spec is the building block used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models. WS-Security for WAS is based on specific standards that are included in the OASIS WS-Security V1.1 spec and profiles.

The V1.1 specification defines additional facilities for protecting the integrity and confidentiality of a message. The V1.1 spec also provides the mechanisms for associating security-related claims with the message. The WS-Security Version 1.1 standards that are supported by WAS include the signature confirmation, encrypted header elements, the Username Token Profile and the X.509 Token Profile. The Username Token Profile and the X.509 Token Profile have been updated as V1.1 profiles. For the X.509 Certificate Token Profile, one new type of security token reference is the Thumbprint reference, which is specified in the binding.

XML Schema, Part 1 and Part 2 are specifications that explain how schemas are organized in XML documents. The two WS-Security V1.0 schemas have been updated to the V1.1 specifications plus a new V1.1 schema has been added. Note that the Version 1.1 schema does not replace the V1.0 schema but instead builds upon it by defining an additional set of capabilities within a V1.1 namespace. Use the following methods to configure Web services security and to define policy types to secure the SOAP messages:

To secure Web services with WAS, configure the generator and the consumer security constraints. You must specify several different configurations. Although there is no specific sequence to specify these different configurations, some configurations reference other configurations. For example, decryption configurations reference encryption configurations.

 

Results

After completing these high-level steps for WAS, you have secured Web services by configuring policy sets and by using the WSS API to configure encryption and decryption, the signature and signature verification information, and the consumer and generator tokens.


Secure messages at the request generator using WSS APIs
Secure messages at the response consumer using WSS APIs
Set WS-Security using the WSS APIs
Encrypted SOAP headers
Signature confirmation

 

Related concepts


WS-Security API model

 

Related tasks


Set application and system policy sets for Web services using scripting
Secure JAX-WS Web services using message-level security

 

Related


WS-Security APIs
PolicySetManagement
Web services specifications and APIs

 

Related information


WS-Security: SOAP Message Security V 1.1 specification
Security in a Web Services World: A Proposed Architecture and Roadmap