Develop message-level security for JAX-WS web services
JAX-WS applications can be secured with Web Services Security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.
Subtopics
- Web Services Security API programming model
The application server programming model provides Web Services Security programming APIs (WSS API) for securing SOAP messages.
- Develop SAML applications
Use the SAML library (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. The SAML trust client API provides helper functions that send WS-Trust SOAP requests to the specified external Security Token Service (STS).
- Use Web Services Security SPIs (WAS v8.5.0.1)
We can use the GenericSecurityTokenFactory SPIs to create security tokens for use by the WS-Security runtime. These security tokens can be used by, but are not limited to, the WSS APIs, JAAS login modules, and custom security tokens.
- Secure web services applications using the WSS APIs at the message level
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment. Web Services Security is a message-level standard based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
- Develop JAX-WS based web services client applications that retrieve security tokens
The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers.
- Develop JAX-WS based web services server applications that retrieve security tokens
With a server application, the application acts as the request consumer and response generator, and it is deployed and runs in the Java EE container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. Retrieve the security tokens from the JAAS Subject that the container maintains in thread-local storage.