Supported functionality from OASIS specifications

Supported functionality from OASIS specifications

WAS supports these OASIS WS-Security V1.0 specifications.

OASIS: WS-Security: SOAP Message Security 1.0
OASIS: WS-Security: UsernameToken Profile 1.0
OASIS: WS-Security X.509 Certificate Token Profile 1.0

In WAS V6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to WS-Security V1.1...

OASIS: WS-Security: SOAP Message Security 1.1
OASIS: WS-Security UsernameToken Profile 1.1
OASIS: WS-Security X.509 Certificate Token Profile 1.1

The following standards are supported only in WAS V7.0.

WS-Security Kerberos Token Profile 1.1
WS-SecureConversation V1.3
WS-Trust V1.3
WS-SecurityPolicy V1.2

WS-SecurityPolicy support is only available for WS-MetadataExchange scenarios where the assertions are embedded in the WSDL file.
In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WAS V7.

WS-SecureConversation
WS-Trust
WS-SecurityPolicy

OASIS: WS-Security SOAP Message Security 1.0 and 1.1

The following table shows the aspects of the OASIS: WS-Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WAS Versions 6 and later.

Supported topic Specific aspect that is supported
Security header

@S11:actor (for an intermediary)
@S11:mustUnderstand
@S12:mustUnderstand
@S12:role

S12 is the namespace prefix for...
http://www.w3.org/2003/05/soap-envelope

...when using SOAP V1.2
Security tokens

Username token (user name and password)
Binary security token (X.509 and LTPA
Custom token

Other binary security token
XML token

WAS does not provide an XML token implementation, but we can use an XML token with plug-in point.
Token references

Direct reference
Key identifier
Key name
Embedded reference

Signature Signature confirmation
Signature algorithms

Digest

SHA1
SHA256
SHA512

MAC

HMAC-SHA1

Signature

DSA with SHA1

Do not use this algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP)
RSA with SHA1

Canonicalization

Canonical XML (with comments)
Canonical XML (without comments)
Exclusive XML canonicalization (with comments)
Exclusive XML canonicalization (without comments)

Aspects of OASIS Trust V1.3 standard that are unsupported in WAS

Unsupported topic Specific aspect not supported
Elements and attributes
/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type
Unsupported request options:

For...
docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

/wst:RequestSecurityToken/wst:Claims
/wst:RequestSecurityToken/wst:AllowPostdating
/wst:RequestSecurityToken/wst:OnBehalfOf
/wst:RequestSecurityToken/wst:AuthenticationType
/wst:RequestSecurityToken/wst:KeyType

For...
docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer

/wst:RequestSecurityToken/wst:SignatureAlgorithm
/wst:RequestSecurityToken/wst:EncryptionAlgorithm
/wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
/wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
/wst:RequestSecurityToken/wst:Encryption
/wst:RequestSecurityToken/wst:ProofEncryption
/wst:RequestSecurityToken/wst:UseKey
/wst:RequestSecurityToken/wst:UseKey/@Sig
/wst:RequestSecurityToken/wst:SignWith
/wst:RequestSecurityToken/wst:EncryptWith
/wst:RequestSecurityToken/wst:DelegateTo
/wst:RequestSecurityToken/wst:Forwardable
/wst:RequestSecurityToken/wst:Delegatable
/wst:RequestSecurityToken/wsp:Policy
/wst:RequestSecurityToken/wsp:PolicyReference

Response header
/wsa:Action
Unsupported Responses:

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate

Related concepts
WS-MetadataExchange requests
Encrypted SOAP headers
Signature confirmation
Basic Security Profile compliance tips
What is new for securing Web services

Related tasks
Enable MTOM for JAX-WS Web services

Related
Encryption information settings: Message parts

Supported topic	Specific aspect that is supported
Security header	@S11:actor (for an intermediary) @S11:mustUnderstand @S12:mustUnderstand @S12:role S12 is the namespace prefix for... http://www.w3.org/2003/05/soap-envelope ...when using SOAP V1.2
Security tokens	Username token (user name and password) Binary security token (X.509 and LTPA Custom token Other binary security token XML token WAS does not provide an XML token implementation, but we can use an XML token with plug-in point.
Token references	Direct reference Key identifier Key name Embedded reference
Signature	Signature confirmation
Signature algorithms	Digest SHA1 SHA256 SHA512 MAC HMAC-SHA1 Signature DSA with SHA1 Do not use this algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP) RSA with SHA1 Canonicalization Canonical XML (with comments) Canonical XML (without comments) Exclusive XML canonicalization (with comments) Exclusive XML canonicalization (without comments)