Supported functionality from OASIS specifications


WAS supports these OASIS WS-Security V1.0 specifications.

In WAS V6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to WS-Security V1.1...

The following standards are supported only in WAS V7.0.

WS-SecurityPolicy support is only available for WS-MetadataExchange scenarios where the assertions are embedded in the WSDL file.

In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WAS V7.


OASIS: WS-Security SOAP Message Security 1.0 and 1.1

The following table shows the aspects of the OASIS: WS-Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WAS Versions 6 and later.

Supported topic Specific aspect that is supported
Security header

  • @S11:actor (for an intermediary)
  • @S11:mustUnderstand
  • @S12:mustUnderstand
  • @S12:role

S12 is the namespace prefix for...

...when using SOAP V1.2

Security tokens

WAS does not provide an XML token implementation, but we can use an XML token with plug-in point.

Token references

  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference
Signature Signature confirmation
Signature algorithms


Aspects of OASIS Trust V1.3 standard that are unsupported in WAS

Unsupported topic Specific aspect not supported
Elements and attributes


Unsupported request options:

  • For...

    • /wst:RequestSecurityToken/wst:Claims
    • /wst:RequestSecurityToken/wst:AllowPostdating
    • /wst:RequestSecurityToken/wst:OnBehalfOf
    • /wst:RequestSecurityToken/wst:AuthenticationType
    • /wst:RequestSecurityToken/wst:KeyType

  • For...

    • /wst:RequestSecurityToken/wst:SignatureAlgorithm
    • /wst:RequestSecurityToken/wst:EncryptionAlgorithm
    • /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
    • /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
    • /wst:RequestSecurityToken/wst:Encryption
    • /wst:RequestSecurityToken/wst:ProofEncryption
    • /wst:RequestSecurityToken/wst:UseKey
    • /wst:RequestSecurityToken/wst:UseKey/@Sig
    • /wst:RequestSecurityToken/wst:SignWith
    • /wst:RequestSecurityToken/wst:EncryptWith
    • /wst:RequestSecurityToken/wst:DelegateTo
    • /wst:RequestSecurityToken/wst:Forwardable
    • /wst:RequestSecurityToken/wst:Delegatable
    • /wst:RequestSecurityToken/wsp:Policy
    • /wst:RequestSecurityToken/wsp:PolicyReference
Response header


Unsupported Responses:



Related concepts

WS-MetadataExchange requests
Encrypted SOAP headers
Signature confirmation
Basic Security Profile compliance tips
What is new for securing Web services


Related tasks

Enable MTOM for JAX-WS Web services



Encryption information settings: Message parts