WAS v8.5 > Develop applications > Develop web services - Security (WS-Security) > Develop applications that use Web Services SecurityDevelop message-level security for JAX-WS web services
JAX-WS applications can be secured with Web Services Security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.
Subtopics
- Web Services Security API programming model
The application server programming model provides Web Services Security programming application programming interfaces (WSS API) for securing SOAP messages.- SPI
The Web Services Security service programming interface (WSS SPI) provides programming interfaces for securing Web Services Security.- Develop SAML applications
Use the SAML library API, the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. The SAML trust client API provides helper functions that send WS-Trust SOAP requests to the specified external security token service (STS).- Use Web Services Security SPIs
We can use the GenericSecurityTokenFactory SPIs to create security tokens for use by the WS-Security runtime. These security tokens can be used for, but are not be limited to, WSSAPIs, JAAS login modules, and custom security tokens.- Secure web services applications using the WSS APIs at the message level
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment. Web Services Security is a message-level standard based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.- Develop JAX-WS based web services client applications that retrieve security tokens
The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers.- Develop JAX-WS based web services server applications that retrieve security tokens
With a server application, the application acts as the request consumer, and the response generator is deployed and runs in the Java EE container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. We can retrieve the security tokens from the JAAS Subject that is maintained as a local thread in the container.