Security model mixture
Applications and protocols might include the following:
- A Web-based application over the HTTP transport, such as a servlet, JSP file, HTML page, and so on.
- An enterprise application using RMI over the RMI/IIOP protocol.
- A Web service application using SOAP over HTTP, SOAP over JMS, or SOAP over RMI/IIOP.
Web services are often implemented as servlets with an EJB file. Therefore, we can mix and match the WS-Security model with the Java EE security model for Web and EJB components. Web service security is intended to complement the Java EE role-based security and the security run time for WAS V6 and later.
WS-Security can also take advantage of the security features in Java EE and the security run time for WAS V6 and later. For example, WS-Security can use the following security features to provide an end-to-end security deployment:
- Use the local OS, LDAP, and custom user registries for authenticating the username token
- Propagate the LTPA security token in the SOAP message
- Use identity assertion
- Use a TAI
- Enable security attribute propagation
- Use Java EE role-based authorization
- Use a JACC authorization provider, such as TAM
The following figure shows that different security protocols are used to send authentication information to the application server. For a Web service, we might use either HTTP basic authentication with SSL or a WS-Security username token with signing and encryption. In the figure, when the identity bob from WS-Security is authenticated and set as the caller identity of the SOAP message request, the Java EE Enterprise JavaBeans container performs authorization using bob before the call is dispatched to the service implementation, which, in this case, is the enterprise bean.
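To make that sequence concrete, the following Python sketch (an added example, not WebSphere code) models what the container does with a WS-Security username token before dispatch: it verifies the PasswordDigest against a user registry, takes the verified username as the caller identity, and then applies a Java EE style role check for the target EJB method. The registry, role mapping, method-to-role table, sample credentials and the client-side envelope builder are constructed for this example; the token layout follows the OASIS UsernameToken Profile 1.0.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed stand-ins for the user registry and the Java EE role-to-user mapping.
USER_REGISTRY = {"bob": "b0b-secret"}
ROLE_MAPPING = {"accountant": {"bob"}}
METHOD_ROLES = {"getBalance": {"accountant"}, "closeAccount": {"manager"}}

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def authenticate_username_token(envelope_xml):
    """Verify the UsernameToken against the registry; return the caller identity or None."""
    token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    secret = USER_REGISTRY.get(username or "")
    if secret is None or password is None or password.get("Type") != DIGEST or not (nonce and created):
        return None  # unknown user, plaintext password, or a token missing its nonce/created
    return username if hmac.compare_digest(password_digest(nonce, created, secret), password.text or "") else None
def authorize(caller, method):
    """Java EE style role check: the caller must hold a role allowed on the EJB method."""
    return any(caller in ROLE_MAPPING.get(r, set()) for r in METHOD_ROLES.get(method, set()))

def dispatch(envelope_xml, method):
    """Container order of work: authenticate the token, set the caller identity, authorize."""
    caller = authenticate_username_token(envelope_xml)
    return caller, caller is not None and authorize(caller, method)
def build_envelope(username, password, created="2024-01-01T00:00:00Z"):
    """Client side: a constructed SOAP request carrying a digest UsernameToken."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    return (f'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
```

A production run time would additionally check the Created timestamp for freshness and cache nonces to reject replays; those checks are omitted here to keep the authentication-then-authorization order in view.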
We can secure a Web service using the transport layer security. For example, when we are using SOAP over HTTP, HTTPS can be used to secure the Web service.
However, transport layer security provides point-to-point security only. This layer of security might be adequate for certain scenarios. However, when the SOAP message must travel through intermediary servers (multi-hop) before it is consumed by the target endpoint, we might use SOAP over JMS. The usage scenarios and security requirements dictate how to secure Web services. The requirements depend upon the operating environment and the business needs. One key advantage of using WS-Security is that it is transport layer independent: the same WS-Security constraints can be used for SOAP over HTTP, SOAP over JMS, or SOAP over RMI/IIOP.
Related tasks
High-level architecture for WS-Security