Network Deployment (Distributed operating systems), v8.0
Develop message-level security for JAX-WS web services
JAX-WS applications can be secured with Web Services Security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.
- Web Services Security API programming model
The application server programming model provides the Web Services Security application programming interfaces (WSS API) for securing SOAP messages.
- Service Programming Interfaces (SPI)
The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.
- Develop SAML applications
Use the SAML library API, the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. The SAML trust client API provides helper functions that send WS-Trust SOAP requests to the specified external Security Token Service (STS).
- Secure web services applications using the WSS APIs at the message level
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment. Web Services Security is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
- Develop JAX-WS based web services client applications that retrieve security tokens
The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers.
- Develop JAX-WS based web services server applications that retrieve security tokens
With a server application, the application acts as the request consumer, and the response generator is deployed and runs in the Java EE container. The consumer component for Web Services Security stores the security tokens that it receives in the JAAS Subject of the current thread. We can retrieve the security tokens from the JAAS Subject, which the container maintains as a thread-local value.