What is new for securing Web services


 


Enhancements from the supported WS-Security specifications

Web Services security V1.1 is part of the WS-Security roadmap.

WAS V7 supports the following OASIS specifications and WS-I profiles:

For details on what parts of the previous specifications are supported in WAS, see Supported functionality from OASIS specifications.

 

High level features overview in WAS

In WAS, the WS-Security for SOAP Message V1.1 specification is designed to be flexible and accommodate the requirements of Web services. For example, the spec does not have a mandatory security token definition. Instead, the spec defines a generic mechanism to associate the security token with a SOAP message. The use of security tokens is defined in the various V1.0 and 1.1 security token profiles, such as:

For information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.

The WS-Security for SOAP Message Version 1.1 updates the WS-Security for SOAP Message core specification and the various security token profiles. For this release, WAS implements the Username Token Profile 1.1 and the X.509 Token Profile 1.1, which includes support for the Thumbprint type of security token reference.

In addition, it supports the signature confirmation and encrypted header portions of the WS-Security V1.1 standard.

The wire format (such as namespaces) in the WS-SecureConversation and WS-Trust 1.3 spec has changed. WAS version 7 tolerates requests formatted according to both the Submission Drafts and version 1.3 specifications, but ensure that the correct version is used when version 7 clients are communicating with a Web Services Feature Pack service provider. We can disable tolerance of the older format for WS-SecureConversation and WS-Trust 1.3 endpoints. Submission Drafts requests are not interoperable with version 1.3 standards.

Support for pluggable security tokens has been available since WAS Version 5.0.2. However, in WAS Versions 6.x and 7, the pluggable architecture is enhanced to support the WS-Security specifications, the security token profiles, and related WS-Security specifications. We can learn more about the pluggable security token framework for JAX-RPC Web Services, and about associating custom security tokens with SOAP messages, by reading these articles on the IBM developerWorks Web site:

WAS V7 includes the following key enhancements:

For information on some of these enhancements, see WS-Security enhancements.

 

Configuration of WS-Security

WAS uses the policy set model for implementing the WS-Security V1.1 specification, including...

Policy sets combine settings, including those for transport and message level configuration, such as...

Use the admin console to configure the WS-Security binding of a deployed application with WS-Security constraints defined in the policy set.

For the X.509 Certificate Token Profile, one new type of security token reference is the Thumbprint reference, which is specified in the binding. WAS now supports creating and authenticating a security token by using a security token reference (STR) with a key identifier and a Thumbprint in the <KeyInfo> element. The Thumbprint key information type requires that there be a keystore with the public and private key pair instead of a shared key. To use the Thumbprint of the specified certificate, specify the keyInfo type THUMBPRINT in the bindings.

For example, a decryption key is referenced by means of the thumbprint of an associated certificate.

The certificate is not included in the message. Instead, the <ds:KeyInfo> element contains a <wsse:SecurityTokenReference> element that identifies the certificate by its thumbprint, by means of the ValueType attribute...

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

...of the <wsse:KeyIdentifier> element.
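The thumbprint reference described above, as an added Python example (not code from WAS or from this page): it computes the ThumbprintSHA1 value as the X.509 Token Profile 1.1 defines it (SHA-1 over the DER-encoded certificate, base64-encoded), emits a <ds:KeyInfo> that carries only the <wsse:KeyIdentifier> rather than the certificate, and shows the receiving side resolving that reference against its keystore. The keystore entries are constructed byte strings standing in for real DER certificates; the namespace URIs are those of the cited OASIS specifications.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and ValueType URIs from the OASIS WS-Security 1.0/1.1 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def thumbprint_sha1(der_cert: bytes) -> str:
    """Base64 of SHA-1 over the DER-encoded certificate (X.509 Token Profile 1.1 thumbprint)."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def build_keyinfo(der_cert: bytes) -> str:
    """Sender side: <ds:KeyInfo> holding an STR with a ThumbprintSHA1 KeyIdentifier.
    The certificate itself is deliberately not placed in the message."""
    ET.register_namespace("ds", DS)
    ET.register_namespace("wsse", WSSE)
    keyinfo = ET.Element(f"{{{DS}}}KeyInfo")
    str_el = ET.SubElement(keyinfo, f"{{{WSSE}}}SecurityTokenReference")
    kid = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                        ValueType=THUMBPRINT_SHA1, EncodingType=BASE64_BINARY)
    kid.text = thumbprint_sha1(der_cert)
    return ET.tostring(keyinfo, encoding="unicode")


def resolve_key(keyinfo_xml: str, keystore: dict) -> str:
    """Receiver side: return the keystore alias whose certificate matches the referenced
    thumbprint. Unknown ValueTypes and unmatched thumbprints are rejected, not guessed."""
    root = ET.fromstring(keyinfo_xml)
    kid = root.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}KeyIdentifier")
    if kid is None or kid.get("ValueType") != THUMBPRINT_SHA1:
        raise ValueError("missing KeyIdentifier or unsupported ValueType")
    wanted = base64.b64decode((kid.text or "").strip())
    for alias, der_cert in keystore.items():
        if hashlib.sha1(der_cert).digest() == wanted:
            return alias
    raise KeyError("no certificate in the keystore matches the thumbprint")


# Constructed stand-in keystore (alias -> "DER" bytes); real entries would be actual certificates.
SAMPLE_KEYSTORE = {
    "service-a": b"\x30\x82\x01\x0a" + b"constructed-cert-a",
    "service-b": b"\x30\x82\x01\x0a" + b"constructed-cert-b",
}
```

Because the reference carries only a digest, the receiver must already hold the certificate (and, for decryption, its private key) in its keystore, which is why the THUMBPRINT keyInfo type requires a key pair rather than a shared key.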

To take advantage of implementations associated with the WS-Security Version 1.1 specification:

WAS provides the following tools that we can use to edit the policy set file and the binding file:

IBM assembly tools

Use IBM assembly tools to develop Web services and configure the policy set and the binding file for WS-Security. The tools enable you to assemble both Web and EJB modules. The assembly tools do not support direct editing of policy sets, but can import policy sets from the appserver, and then attach the modified policy sets to the service.

We can use policy sets only with JAX-WS applications. We cannot use policy sets with JAX-RPC applications.

WAS admin console

Use the admin console to configure the WS-Security binding of a deployed application with WS-Security constraints defined in the policy set.

 

What is not supported

Web service security is still fairly new and some of the standards are still being defined or standardized.

The following functionality is not supported in WAS:

The following standards exist for the Java API for XML security and WS-Security:

For information on what is supported for WS-Security in WAS, see Supported functionality from OASIS specifications.



Subtopics

WS-Security enhancements
Supported functionality from OASIS specifications
WS-Security spec - a chronology
Basic Security Profile compliance tips
XML token
Assembly tools Manage policy sets
Secure Web services applications using message level security