Web Services Security concepts
Web Services Security provides message integrity, confidentiality, and authentication.
High-level architecture for Web Services Security
The Web Services Security policy is specified in the IBM extension of the web services deployment descriptors when using the JAX-RPC programming model, and in policy sets when using the JAX-WS programming model. A stand-alone JAX-WS client application may specify Web Services Security policy programmatically. Binding data that supports the Web Services Security policy are stored in the IBM extension of the web services deployment descriptors for both the JAX-RPC and JAX-WS programming models. The Web Services Security run time enforces the security assertions specified in the policy document, or in the application program, in that order.
Best practice: IBM WebSphere Application Server supports both the JAX-WS programming model and the JAX-RPC programming model. JAX-WS is the next-generation web services programming model, extending the foundation provided by JAX-RPC. With the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easier-to-implement JAX-WS programming model to develop new web services applications and clients.
WAS uses the Java EE v1.4 or later web services deployment model to implement Web Services Security. One advantage of this deployment model is that the Web Services Security requirements can be defined outside of the application business logic. With this separation of roles, the application developer can focus on the business logic while the security expert specifies the security requirements.
The following figure shows the high-level architecture model used to secure web services in WAS:
The WSS API can also be used to secure the message, as illustrated later in this section.
There are two sets of configurations on both the client side and the server side:
- Request generator: This client-side configuration defines the Web Services Security requirements for the outgoing SOAP message request. These requirements might involve generating a SOAP message request that uses a digital signature, incorporates encryption, and attaches security tokens. In WAS Versions 5.0.2, 5.1, and 5.1.1, the request generator was known as the request sender.
- Request consumer: This server-side configuration defines the Web Services Security requirements for the incoming SOAP message request. These requirements might involve verifying that the required integrity parts are digitally signed; verifying the digital signature; verifying that the required confidential parts were encrypted by the request generator; decrypting the required confidential parts; validating the security tokens; and verifying that the security context is set up with the appropriate identity. In WAS Versions 5.0.2, 5.1, and 5.1.1, the request consumer was known as the request receiver.
- Response generator: This server-side configuration defines the Web Services Security requirements for the outgoing SOAP message response. These requirements might involve generating the SOAP message response with Web Services Security, including a digital signature, and encrypting and attaching the security tokens, if necessary. In WAS Versions 5.0.2, 5.1, and 5.1.1, the response generator was known as the response sender.
- Response consumer: This client-side configuration defines the Web Services Security requirements for the incoming SOAP response. The requirements might involve verifying that the integrity parts are signed and that the signature is valid; verifying that the required confidential parts are encrypted and decrypting them; and validating the security tokens. In WAS Versions 5.0.2, 5.1, and 5.1.1, the response consumer was known as the response receiver.
WAS does not include security policy negotiation or exchange between the client and server. Security policy negotiation, as defined by the WS-Policy, WS-PolicyAssertion, and WS-SecurityPolicy specifications, is not supported in WAS.
The Web Services Security requirements that are defined in the request generator must match the request consumer. The requirements that are defined in the response generator must match the response consumer. Otherwise, the request or response is rejected because the Web Services Security constraints cannot be met by the request consumer and response consumer.
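The consumer-side checks described above, as an added illustration that is not WAS code: a simplified request consumer inspects a constructed SOAP request and reports which required integrity parts are not covered by the ds:Signature and which required confidential parts are not content-encrypted, which is the mismatch that causes the request to be rejected. It assumes parts are identified by wsu:Id and stops before the cryptographic steps (signature verification, decryption, token validation).

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def _wsu_id(elem):
    return elem.get("{%s}Id" % NS["wsu"])

def check_consumer_policy(envelope_xml, integrity_parts, confidential_parts):
    """Return the list of policy violations; an empty list means the message
    satisfies the consumer's integrity and confidentiality requirements."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["missing wsse:Security header"]
    problems = []
    # Integrity: every required part must appear as a ds:Reference URI="#id".
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    for part in integrity_parts:
        if part not in signed:
            problems.append("integrity part '%s' is not covered by the signature" % part)
    # Confidentiality: content encryption replaces a part's children with
    # xenc:EncryptedData, so any other child means plaintext is still present.
    enc_tag = "{%s}EncryptedData" % NS["xenc"]
    for part in confidential_parts:
        elem = next((e for e in root.iter() if _wsu_id(e) == part), None)
        children = list(elem) if elem is not None else []
        if not children or any(c.tag != enc_tag for c in children):
            problems.append("confidential part '%s' is not encrypted" % part)
    return problems

# Constructed sample request: the Body is signed and content-encrypted,
# the Timestamp is present but not signed. Digest/cipher values are dummies.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body">
      <ds:DigestValue>ZHVtbXk=</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="body"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:CipherData><xenc:CipherValue>Y2lwaGVy</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""
```

Calling `check_consumer_policy(SAMPLE_REQUEST, ["body", "ts"], ["body"])` reports the unsigned Timestamp, which is exactly the generator/consumer mismatch the text says leads to rejection.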
The format of the Web Services Security deployment descriptors and bindings is IBM proprietary. However, the following tools are available to edit the deployment descriptors and bindings:
- IBM assembly tools: Use IBM assembly tools to edit the Web Services Security deployment descriptor and binding. Use the tools to assemble both web and EJB modules. For more information, read about assembly tools.
- WAS Administrative Console: Use this tool to edit the Web Services Security binding of a deployed application.
Subtopics
- Security authorization models
  Provider applications implemented as either servlets or Enterprise JavaBeans (EJBs) can use web services and be protected by Web Services Security. Java Platform, Enterprise Edition (Java EE) role-based authorization can be used to control access to web service provider applications implemented as either servlets or EJBs. Although security roles for servlet and EJB implementations are configured the same way, access to the services differs by implementation.
- Security model mixture
  There can be multiple protocols and channels in the WAS v6 and later programming environments. Each of these applications serves different business needs.
- Overview of platform configuration and bindings
  The Web Services Security policy is specified in the IBM extension of the web services deployment descriptors when using the JAX-RPC programming model, and in policy sets when using the JAX-WS programming model. Binding information to support the Web Services Security policy is stored in the IBM extension of the web services deployment descriptors for both the JAX-RPC and JAX-WS programming models.
- Default configuration
  We can use sample configurations with the dmgr console for testing purposes.
- Default implementations of the Web Services Security service provider programming interfaces
  This information describes the default implementations of the service provider interfaces (SPI) for Web Services Security within WAS. The default implementation classes and their functionality for both the JAX-RPC run time and the JAX-WS run time are discussed. We can use this information to create or modify the Web Services Security binding configuration.
Related concepts:
Development and assembly tools
Reference:
Request generator (sender) binding configuration settings
Request consumer (receiver) binding configuration settings
Response generator (sender) binding configuration settings
Response consumer (receiver) binding configuration settings