Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts
Overview of standards and programming models for web services message-level security
Web Services Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment.
To secure web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete Web Services Security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
Web Services Security standards
The Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security) specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web Services Security is a message-level standard: it protects the integrity of SOAP messages through XML digital signature, their confidentiality through XML encryption, and propagates credentials through security tokens. WAS supports v1.1 of the Web Services Security specification, including features such as encrypted headers, thumbprint references, signature confirmation, the Username token profile and the X.509 token profile. In addition, limited security scenario support is provided for the Kerberos v1.1 token profile, WS-SecureConversation v1.3, WS-Trust Version 1.3, and WS-SecurityPolicy v1.2.
The Web Services Security SOAP Message Security 1.1 specification outlines a standard set of SOAP 1.1 extensions that you can use to build secure web services. These extensions provide integrity and confidentiality protection, which are generally implemented with digital signature and encryption technologies. In addition, Web Services Security provides a general purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and a password (either as clear text or as a digest over a nonce and a creation time) are carried in the wsse:Security header. Web Services Security also defines how to encode binary security tokens, such as X.509 certificates, within the header. However, the required security tokens are not defined in the SOAP Message Security 1.1 specification itself. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, and so on.
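The following is an added example, not code from the WAS runtime or from this documentation. It builds a SOAP 1.1 envelope carrying a wsse:Security header with a UsernameToken, then verifies that token on the provider side the way the OASIS Username Token Profile defines it (PasswordDigest = Base64(SHA-1(nonce + created + password))). It also shows the checks a practitioner wants around that digest: the header must be in the OASIS WS-Security namespace, only the digest password type is accepted, the Created time must be fresh, and a nonce must not be replayed. The request body, the user database, the fixed nonce and the "urn:example:pre-oasis-wsse" namespace used to simulate an incompatible header are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespaces from the OASIS WS-Security 1.0 core and Username Token Profile 1.0
# (WS-Security 1.1 keeps these 2004/01 namespaces for the header and the token).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username: str, password: str, created: datetime, nonce: bytes) -> str:
    """Client side: wrap a constructed request body in an envelope with a wsse:Security header."""
    created_str = created.strftime(CREATED_FMT)
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created_str, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created_str}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getQuote xmlns="urn:example:stock"><symbol>IBM</symbol></getQuote></soapenv:Body>
</soapenv:Envelope>"""


def verify_request(envelope: str, passwords: dict, seen_nonces: set, now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> str:
    """Provider side: validate the UsernameToken and return the authenticated user name.

    Raises ValueError on any failure; the caller would turn that into a SOAP fault.
    """
    root = ET.fromstring(envelope)
    sec = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        # A header in another namespace (for example a pre-OASIS draft) is not understood.
        raise ValueError("no wsse:Security header in the WS-Security 1.0/1.1 namespace")
    tok = sec.find(f"{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in wsse:Security header")
    username = tok.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
    created_str = tok.findtext(f"{{{WSU_NS}}}Created")
    if username is None or pw_el is None or nonce_b64 is None or created_str is None:
        raise ValueError("UsernameToken is missing Username, Password, Nonce or Created")
    if pw_el.get("Type") != DIGEST_TYPE:
        raise ValueError("only PasswordDigest is accepted; PasswordText exposes the password")
    created = datetime.strptime(created_str, CREATED_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew:
        raise ValueError("Created timestamp outside the freshness window")
    if nonce_b64 in seen_nonces:
        raise ValueError("nonce already used: replayed token")
    secret = passwords.get(username)
    if secret is None:
        raise ValueError("unknown user")
    expected = password_digest(base64.b64decode(nonce_b64), created_str, secret)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        raise ValueError("password digest mismatch")
    seen_nonces.add(nonce_b64)  # record only after a successful check
    return username


def _rejected(envelope: str, passwords: dict, seen: set, now: datetime) -> bool:
    try:
        verify_request(envelope, passwords, seen, now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the accept path and each reject path with constructed inputs."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    passwords = {"alice": "s3cret"}  # constructed user store
    seen: set = set()
    good = build_request("alice", "s3cret", now, b"0123456789abcdef")
    return {
        "accepted": verify_request(good, passwords, seen, now),
        "replay_rejected": _rejected(good, passwords, seen, now),
        "bad_password_rejected": _rejected(
            build_request("alice", "wrong", now, secrets.token_bytes(16)), passwords, seen, now),
        "stale_rejected": _rejected(
            build_request("alice", "s3cret", now - timedelta(hours=1), secrets.token_bytes(16)),
            passwords, seen, now),
        "other_namespace_rejected": _rejected(
            good.replace(WSSE_NS, "urn:example:pre-oasis-wsse"), passwords, seen, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The nonce cache here is an in-memory set; a real provider bounds it by the same freshness window it applies to Created, so old entries can be expired. Note also that the digest only proves possession of the password; it does not protect the body, which is what XML signature and encryption under WS-Security are for.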
It is important to note that while Web Services Security can be used to provide message level integrity and confidentiality protection for normal SOAP message requests from a client to a service, and normal SOAP message responses from a service to a client, Web Services Security cannot be used to protect SOAP fault messages.
Compatibility between WS-Security Draft 13 and WS-Security standard Versions 1.0 and 1.1
The WS-Security standard has evolved over the years, from a draft to an OASIS standard. WAS v5.0.2 introduced support for WS-Security Draft 13, and support for WS-Security 1.0 was introduced beginning with WAS v6.0. WS-Security v1.1 is supported by the WAS v6.1 Feature Pack for Web Services, using the JAX-WS runtime only. The topic Web Services Security specification - a chronology provides more details about the evolution of this support.
It is important to note that a WS-Security Draft 13 client is not compatible with providers that use WS-Security Version 1.0 or v1.1. A Draft 13 client can only communicate with a Draft 13 web services provider, not with a WS-Security v1.0 or v1.1 provider. This issue arises because the SOAP message format of the WS-Security header, and the XML namespace it is declared in, differ between a WS-Security Draft 13–enabled application and a WS-Security v1.0 or v1.1–enabled application, so a provider expecting one namespace does not recognize a header sent in the other.
The version of the WS-Security standard used also has implications for the required version of the Java EE application:
- Java EE Version 1.3 is used only with WS-Security Draft 13.
- Java EE v1.4 and later is used with WS-Security Version 1.0 (JAX-RPC and JAX-WS), and also WS-Security v1.1 (JAX-WS).
The following diagram illustrates these compatibility considerations:
To secure web services with WAS, specify several different configurations. Although there is no fixed sequence in which to specify these configurations, some configurations reference other configurations. See Web Services Security configuration considerations.
Because of the relationships between the different Web Services Security configurations, IBM recommends that you specify the configurations at each level in the order described in the following sections. We can configure Web Services Security at the application level, the server level or the cell level, depending on the environment and security needs.
Web Services Security programming models
Take advantage of the Java™ API for XML-Based Web Services (JAX-WS) programming model to develop new web services applications and clients. JAX-WS is the next generation web services programming model: it simplifies the development of web services and clients through a standard, annotation-based model and provides greater platform independence for Java applications through dynamic proxies. JAX-WS applications can be secured with Web Services Security in one of two ways: declaratively, by attaching policy sets, or programmatically, through the Web Services Security API (WSS API).
To secure web services using the JAX-WS programming model, begin with the topic Secure JAX-WS web services using message-level security.
The Java™ API for XML-based RPC (JAX-RPC) specification enables you to develop SOAP-based interoperable and portable web services and web service clients. JAX-RPC 1.1 provides core APIs for developing and deploying web services on a Java platform and is a part of the Web Services for Java EE platform. IBM WAS supports both JAX-WS and JAX-RPC. JAX-WS is the next generation web services programming model, extending the foundation provided by JAX-RPC.
To secure web services using JAX-RPC, begin with the topic Secure JAX-RPC web services using message-level security.
What is new for securing web services
Secure JAX-WS web services using message-level security
Secure JAX-RPC web services using message-level security
Enable hardware cryptographic devices for Web Services Security
Related
Web Services Security configuration considerations