Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-WS web services


Secure web services using policy sets

Policy sets are assertions about how services are defined. They are used to simplify the quality of service configuration for web services. Policy sets combine configuration settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, and WS-Security. There are two main types of policy sets; application policy sets and system policy sets. Application policy sets are used for business-related assertions. These assertions are related to the business operations that are defined in the WSDL file. System policy sets, on the other hand, are used for non-business-related system messages. These messages are not related to the business operations that are defined in the WSDL, but instead refer to messages that are defined in other specifications which apply qualities of service (QoS). Such QoS are the request security token (RST) messages that are defined in WS-Trust, or create sequence messages that are defined in WS-Reliable Messaging metadata exchange messages of the WS-MetadataExchange.

We can use policy sets only with Java™ API for JAX-WS applications. We cannot use policy sets with JAX-RPC applications.

Policies are defined based on a quality of service. Policy definition is typically based on WS-Policy standard language, for example, the WS-Security policy is based on the current WS-SecurityPolicy from the Organization for the Advancement of Structured Information Standards (OASIS) standards.

Policy sets do not include environment or platform-specific information, such as keys for signing, keystore information, or persistent store information. This type of information is defined in the binding. A policy set attachment defines how a policy set is attached to service resources and bindings. The attachment definition is outside the policy set definition and is defined as meta-data associated with application data.

To secure JAX-WS web services with message-level security using policy sets, follow these steps:


Procedure

  1. Select, create, or copy and modify a policy set to specify the message-level protection required. The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.

    • Select one of the web services policy sets.

    • Create, copy, modify, import, export or delete a policy set. For more information, read about managing policy sets

  2. Attach the policy set to the application.

  3. Create or select the policy set bindings to be used. The bindings are then attached to the application along with the policy set. The bindings used can either be general bindings that can be shared among applications or application specific bindings. For more information, read about defining and managing policy set bindings.

  4. If WS-SecureConversation is being used, specify the trust service system policy sets and bindings on the application server.


Related


Configure policy set and bindings to encrypt a UsernameToken
JAX-WS
Web services policy sets
Secure requests to the trust service using system policy sets
Manage policy sets
Attach a policy set to a service artifact
Define and managing policy set bindings
Secure JAX-WS web services using message-level security

+

Search Tips   |   Advanced Search