Administering Web Services Security
To secure web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. We can configure Web Services Security at the application level, the server level, or the cell level, depending on the environment and security needs.
Subtopics
- Configure HTTP outbound transport level security with the administrative console
We can configure HTTP outbound transport level security with the administrative console.
- Configure HTTP outbound transport level security using Java properties
We can configure the HTTP outbound transport level security for a web service using Java properties.
- Configure HTTP basic authentication for JAX-RPC web services with the administrative console
We can configure HTTP basic authentication for JAX-RPC web services with the administrative console.
- Build XPath expressions for WS-Security
JAX-RPC and JAX-WS WS-Security configurations use XML-based SOAP messages to exchange information between applications. We can use an XPath expression to select specific elements in a SOAP message to sign or encrypt.
- Configure custom properties to secure web services
We can configure name-value pairs of data, where the name is a property key and the value is a string value that we can use to set internal system configuration properties. Defining a new property enables us to configure a setting beyond those available through options in the administrative console.
- Service Programming Interfaces (SPI)
The Web Services Security service programming interface (WSS SPI) provides programming interfaces for securing Web Services Security.
- Administer message-level security for JAX-WS web services
Web Services Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment. Using JAX-WS, development of web services and clients is simplified with greater platform independence for Java applications through the use of dynamic proxies and Java annotations.
- Administer message-level security for JAX-RPC web services
The Java™ API for XML-based RPC (JAX-RPC) specification enables you to develop SOAP-based interoperable and portable web services and web service clients. JAX-RPC simplifies development of web services by shielding you from the underlying complexity of SOAP communication, and enables clients to access a web service as if it were a local object mapped into the client's address space.
- Enable cryptographic keys stored in hardware devices for Web Services Security
We can enable Web Services Security by using cryptographic hardware devices for both web service clients and web service providers that are running in the WAS environment.
- Configure XML digital signature for Version 5.x web services with the administrative console
XML digital signature provides both message integrity and authentication capabilities when it is used with SOAP messages. XML digital signature is one of the methods WebSphere Application Server provides to secure web services. We can use the WAS administrative console to configure XML digital signature.
- Configure XML encryption for Version 5.x web services with the administrative console
XML encryption is one method that WebSphere Application Server provides to secure web services. We can use XML encryption in conjunction with XML digital signature to scramble the content while verifying the authenticity of the message sender. Using XML encryption, we can encrypt an XML element, the content of an XML element, or arbitrary data such as an XML document.