General JAX-WS default bindings for Web Services Security
General bindings are used as the default bindings at the cell level or server level, or for multiple domains, at the domain level. The general bindings that are included with WebSphere Application Server are initially set as the default bindings. However, we can choose a different binding as the default, or change the level of binding used as the default, for example, from cell-level binding to server-level binding.
Policy set bindings defined
Policy set bindings contain platform-specific information, such as keystore, authentication information or persistent information, required by a policy set attachment. In WAS v7 and later, there are two types of bindings: application-specific bindings, and general bindings. Both types of bindings are supported for WS-Security policy sets. General bindings can be used as default bindings, and can also be shared across multiple applications and for trust service attachments. There are two types of general bindings: one for service providers and one for service clients. We can define multiple general bindings for the provider and also for the client. However, only one general provider binding and one general client binding can be designated as the default.
Default bindings are used when no application-specific binding or trust service binding has been assigned to a policy set attachment. We can choose the general provider and general client bindings, used as the default bindings for the cell. These are the global security settings. Likewise, we can choose the general provider and general client bindings, used as the default bindings for a server. For specific information about selecting bindings, see the topic Define and manage policy set bindings.
Set the default bindings
To define and manage general bindings, in the console click Services > Policy sets > General provider policy set bindings or Services > Policy sets > General client policy set bindings. To manage bindings for the cell or the domain, click Services > Policy sets > Default policy set bindings. The general service provider and client bindings have independent settings that we can customize to meet the needs of the environment. To learn more about general bindings, read the topic Defining and managing policy set bindings.
In addition to choosing default bindings for the cell (global security), we can also choose the general provider and general client bindings to use as the default bindings for a server. When are using the JAX-WS programming model and want to specify the server default bindings, log on to the console and click Servers > Server Types > WebSphere application servers > server_name. In the Security section of the console page, click Default policy set bindings.
Applications use of default, general and applications specific bindings
Two kinds of bindings can be explicitly attached to an applications: general bindings and application specific bindings. The following rules are used for the use for the default bindings in WS-Security:
- When there is no binding explicitly attached, only the default binding will be used.
- When a general binding is explicitly attached, the default binding will not be used.
- When an application specific binding is attached, both the application specific and the default binding are used.
When an application specific binding has been attached to an application, the application specific binding is applied first, then the default binding is used to fill in the gaps. However, the portions of the configuration that reside in either the application specific binding of the default binding must be encapsulated. For example, if a policy is defined to use XML Digital Signature and it picks up the sign part from the default binding, everything related to the sign part (X.509 token consumer, trust store, etc) must reside in the default binding. The sign part in a default binding cannot pick up an X.509 token consumer that has been configured in an application specific binding. However, if a policy is defined to use XML Digital Signature and an LTPA token, the LTPA token generator can reside in the application specific binding and the signing configuration can reside in the default binding.
The encapsulation rule does not apply to a caller configuration. Since the caller configuration refers to a token type and not a binding reference, a caller configuration can reside in an application specific binding when the token consumer for the token it refers to resides in the default binding and vice versa.
When a general binding is specifically attached, since the default binding is not available to be used, unlike an application specific binding, all binding configuration information required to satisfy the policy must be contained within the general binding.
For specific information about selecting bindings, see the topic Defining and managing policy set bindings.
Access of default bindings at the server and cell level
The general bindings that are included with WebSphere Application Server are initially set as the cell default bindings. We cannot delete a binding that has been selected as the default binding for server, a domain, or the cell. Before we delete a binding that is selected as the default, you must select a different default binding, or specify that the defaults for the cell (global security) should be used.
The following default bindings are shipped with the product:
- Provider sample
- Client sample
- Version 6.1 default policy set bindings
The Version 6.1 bindings are used only if a WAS v6.1 Feature Pack for Web Services application is installed within the WAS v7 and later environment. For more information on these bindings, see the topic Version 6.1 default policy set bindings.
Important: Do not use the provider and client sample bindings that are included with WebSphere Application Server in their current state in a production environment. We must modify these bindings to meet the security needs before using them in a production environment by making a copy of the bindings and then modifying the copy. For example, change the key and keystore settings to ensure security, and modify the binding settings to match your environment.
For a detailed description of the general sample bindings, see the topic General sample bindings for JAX-WS applications.
Multiple security domains
In an environment with multiple security domains, we can also choose the general provider and general client bindings, used as the default bindings for a domain. If we do not choose a binding to be the default for a server, the default bindings for the domain in which the server resides are used. If we do not choose a binding to be the default for a domain, the default bindings for the cell (global security) are used. We must choose default provider and default client bindings for the cell.
Related tasks
Define and manage policy set bindings
Version 6.1 default policy set bindings