WAS v8.5 > Secure applications > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > What is new for securing web services

Supported functionality from OASIS specifications

The application server supports the Organization for the Advancement of Structured Information (OASIS) WS-Security specifications.

WebSphere Application Server supports these OASIS Web Services Security v1.0 specifications.

In WAS v6.1 Feature Pack for Web Services, and later, support for the OASIS standards has been updated to the latest versions of WS-Security specifications and tokens. Web Services Security v1.1 provides better security verification for signature, a standard way of encrypting SOAP headers, and meets the requirement from some of the inter-operability scenarios that use features from Web Services Security v1.1.

The following standards are supported only in WAS v7.0 and later.

WS-SecurityPolicy support is only available for Web Services Metadata Exchange (WS-MetadataExchange) scenarios where the assertions are embedded in the WSDL file. For more information, read the WS-MetadataExchange requests topic.

In 2007, the OASIS Web Services Secure Exchange Technical Committee (WS-SX) produced and approved the following specifications. Portions of these specifications are supported by WAS v7 and later.


OASIS: Web Services Security SOAP Message Security 1.0 and 1.1

The following table shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 and 1.1 specifications that are supported in WAS Versions 6 and later.

Aspects of OASIS SOAP Message Security standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Security header

  • @S11:actor (for an intermediary)
  • @S11:mustUnderstand
  • @S12:mustUnderstand
  • @S12:role (S12 is the namespace prefix for http://www.w3.org/2003/05/soap-envelope when using SOAP v1.2)

Security tokens

Token references

  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference

Signature Signature confirmation
Signature algorithms

  • Digest

    SHA1

    http://www.w3.org/2000/09/xmldsig#sha1

    SHA256

    http://www.w3.org/2001/04/xmlenc#sha256

    SHA512

    http://www.w3.org/2001/04/xmlenc#sha512

  • MAC

    HMAC-SHA1

    http://www.w3.org/2000/09/xmldsig#hmac-sha1

  • Signature

    DSA with SHA1

    http://www.w3.org/2000/09/xmldsig#dsa-sha1

    Do not use this algorithm if we want our configured application to be in compliance with the Basic Security Profile (BSP)

    RSA with SHA1

    http://www.w3.org/2000/09/xmldsig#rsa-sha1

  • Canonicalization

    Canonical XML (with comments)

    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

    Canonical XML (without comments)

    http://www.w3.org/TR/2001/REC-xml-c14n-20010315

    Exclusive XML canonicalization (with comments)

    http://www.w3.org/2001/10/xml-exc-c14n#WithComments

    Exclusive XML canonicalization (without comments)

    http://www.w3.org/2001/10/xml-exc-c14n#

  • Transform

    STR transform

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform

    XPath

    http://www.w3.org/TR/1999/REC-xpath-19991116

    Do not use the original XPATH transform if we want our configured application to be in compliance with the Basic Security Profile (BSP).

    When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2

    Enveloped signature

    http://www.w3.org/2000/09/xmldsig#enveloped-signature

    XPath Filter2

    http://www.w3.org/2002/06/xmldsig-filter2

    When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2

    Decryption transform

    http://www.w3.org/2002/07/decrypt#XML

Signature signed parts for JAX-RPC only

  • WAS key words:

    • body, which signs the SOAP message body
    • timestamp, which signs all of the time stamps
    • securitytoken, which signs all of the security tokens
    • dsigkey, which signs the signing key
    • enckey, which signs the encryption key
    • messageid, which signs the wsa :MessageID element in WS-Addressing.
    • to, which signs the wsa:To element in WS-Addressing
    • action, which signs the wsa:Action element in WS-Addressing
    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

    • wscontext, which specifies the WS-Context header for the SOAP header.
    • wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.
    • wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.
    • wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.
    • wsaall, which specifies all of the WS-Addressing elements in the SOAP header.

  • XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Signature message parts for JAX-WS only

  • Body (which signs the SOAP message body)
  • Header (which signs one or more SOAP headers within the main SOAP header)
  • XPath expression to select an XML element in a SOAP message.

    • For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Encryption EncryptedHeader element
Encryption algorithms

Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

  • Data encryption

    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

      Do not use the 192-bit data encryption algorithm if we want our configured application to be in compliance with the Basic Security Profile (BSP).

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Key encryption

    • Key transport (public key cryptography)

      • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

        • When running with SDK v1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK v1.5.

        • Use of the Federal Information Processing Standard (FIPS)-compliant Java cryptography engine does not support this transport algorithm.

      • RSA v1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5

    • Symmetric key wrap (private key cryptography)

      • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
      • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
      • AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

        Do not use the 192-bit data encryption algorithm if we want our configured application to be in compliance with the Basic Security Profile (BSP).

      • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core

    • xenc:ReferenceList
    • xenc:EncryptedKey

Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, IBM recommends that we use AES, if possible, for symmetric key encryption.

Encryption message parts for JAX-RPC only

  • WAS keywords

    • bodycontent, which is used to encrypt the SOAP body content
    • usernametoken, which is used to encrypt the username token
    • digestvalue, which is used to encrypt the digest value of the digital signature
    • signature, which is used to encrypt the entire digital signature
    • wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header.

  • XPath expression to select the XML element in the SOAP message

    • XML elements
    • XML element contents

Encryption message parts for JAX-WS only

  • Body (which encrypts the SOAP message body content)
  • Header (which encrypts one or more SOAP headers within the main SOAP header, resulting in the EncryptedHeader element)
  • XPath expression to select an XML element in a SOAP message

    • For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Time stamp

  • Within Web Services Security header
  • WAS is extended to allow us to insert time stamps into other elements so the age of those elements can be determined.

Error handling SOAP faults

  • New failure SOAP fault with faultcode
  • The message has expired text has been added


OASIS: Web Services Security UsernameToken Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WAS.

Aspects of OASIS Username Token Profile V1.0 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Password types Text
Token references Direct reference


OASIS: Web Services Security UsernameToken Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that is supported in WAS. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.

Aspects of OASIS Username Token Profile V1.1 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Password types Text
Token references Direct reference


OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WAS Versions 6 and later.

Aspects of OASIS X.509 Certificate Token V1.0 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Token types

  • X.509 v3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3

  • X.509 v3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1

  • X.509 v3: PKCS7 with or without CRLs. The IBM SDK supports both. The Sun Java SE Development Kit 6 (JDK 6) supports PKCS7 without CRL only.

Token references

  • Key identifier – subject key identifier
  • Direct reference
  • Custom reference – issuer name and serial number


OASIS: Web Services Security X.509 Certificate Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WAS. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.

Aspects of OASIS X.509 Certificate Token V1.1 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Token types X.509 v1: Single certificate
Token references Key identifier – subject key identifier

  • Can only reference an X.509v3 certificate
  • Can specify the thumbprint of the specified certificate using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 attribute of the <wsse:KeyIdentifier> element.


OASIS: Web Services Security Kerberos Token Profile 1.1

The following table shows the aspects of the OASIS: Web Services Security Kerberos Token Profile 1.1 specification that are supported in WAS.

Aspects of OASIS Kerberos Token Profile standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Token types

  • GSS_API Kerberos v5 token

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

  • GSS_API Kerberos v5 token per RFC1510

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

  • GSS_API Kerberos v5 token per RFC4120

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

  • Kerberos v5 token

    http://docs.oasis-open.org/wss/oasiswss- kerberos-token-profile-1.1#Kerberosv5_AP_REQ

  • Kerberos v5 token per RFC1510

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510

  • Kerberos v5 token per RFC4120

    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ412

Token references

  • Security token reference
  • Key identifier, which is used after the initial Kerberos v5 token is consumed
  • Derived key token based on the Kerberos key


OASIS: Web Services Security WS-Secure Conversation Draft and v1.3

The following table shows the aspects of the OASIS: WS-SecureConversation specification that are supported in WAS v6.1 Feature Pack for Web Services, and later. Support for v1.3 of the specification is provided in WAS v7.0 and later.

Aspects of OASIS SecureConversation standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Token types

  • Security Context Token draft version: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • Security Context Token v1.3: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

Token references Direct reference
Security context establishment Security context token created by a security token service that is embedded in the WAS.
Renewing context Automatic renewal of the token when its about to expire.
Cancelling context Explicit cancel request support.
Derived keys The following information is used to derive the keys using a shared secret from a security context:

  • /wsc:DerivedKeyToken/wsse:SecurityTokenReference
  • /wsc:DerivedKeyToken/wsc:Label
  • /wsc:DerivedKeyToken/wsc:Nonce
  • /wsc:DerivedKeyToken/wsc:Length

Error handling SOAP faults, including:

  • wsc:BadContextToken
  • wsc:UnsupportedContextToken
  • wsc:RenewNeeded
  • wsc:UnableToRenew


OASIS: Web Services Security WS-Trust v1.0 Draft and v1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust v1.0 Draft and v1.3 specifications that are supported in WAS v6.1 Feature Pack for Web Services, and later.

Aspects of OASIS Trust V1.0 and V1.3 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Namespace http://schemas.xmlsoap.org/ws/2005/02/trust
Request header /wsa:Action

Valid options include:

  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate

Request elements and attributes

/wst:RequestSecurityToken

/wst:RequestSecurityToken/@Context

/wst:RequestSecurityToken/wst:RequestType

  • Valid options include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
    • http://schemas.xmlsoap.org/ws/2005/02/trust/Validate

/wst:RequestSecurityToken/wst:TokenType

  • Valid options include:

    • for http://schemas.xmlsoap.org/ws/2005/02/sc/sct

      • /wst:RequestSecurityToken/wsp:AppliesTo
      • /wst:RequestSecurityToken/wst:Entropy
      • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
      • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

    • for http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

      • /wst:RequestSecurityToken/wst:Lifetime
      • /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
      • /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
      • /wst:RequestSecurityToken/wst:KeySize
      • /wst:RequestSecurityToken/wst:KeyType

    • for http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

      • /wst:RequestSecurityToken/wst:RenewTarget
      • /wst:RequestSecurityToken/wst:Renewing
      • /wst:RequestSecurityToken/wst:Renewing/@Allow
      • /wst:RequestSecurityToken/wst:Renewing/@OK
      • /wst:RequestSecurityToken/wst:CancelTarget
      • /wst:RequestSecurityToken/wst:ValidateTarget
      • /wst:RequestSecurityToken/wst:Issuer

Response header /wsa:Action

Valid options include:

  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate

Response elements and attributes

/wst:RequestSecurityTokenResponse

/wst:RequestSecurityTokenResponse/@Context

/wst:RequestSecurityTokenResponse/wst:TokenType

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wsp:AppliesTo

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken

/wst:RequestSecurityTokenResponse/wst:Entropy

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type

/wst:RequestSecurityTokenResponse/wst:Lifetime

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey

/wst:RequestSecurityTokenResponse/wst:KeySize

/wst:RequestSecurityTokenResponse/wst:Renewing

/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow

/wst:RequestSecurityTokenResponse/wst:Renewing/@OK

/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled

/wst:RequestSecurityTokenResponse/wst:Status

/wst:RequestSecurityTokenResponse/wst:Status /wst:RequestSecurityTokenResponse/wst:Status/wst:Code

  • Valid responses include:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
    • http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid

/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason

Error handling

wst:InvalidRequest

wst:FailedAuthentication

wst:RequestFailed

wst:InvalidSecurityToken

wst:AuthenticationBadElements

wst:BadRequest

wst:ExpiredData

wst:InvalidTimeRange

wst:InvalidScope

wst:RenewNeeded

wst:UnableToRenew

Aspects of OASIS Trust V1.3 standard supported in WAS. Use the table to determine which aspects of the OASIS standard are supported.

Supported topic Specific aspect that is supported
Namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512
Request header /wsa:Action

Valid options include:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate

Request elements and attributes

/wst:RequestSecurityToken

/wst:RequestSecurityToken/@Context

/wst:RequestSecurityToken/wst:RequestType

  • Valid options include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchRenew
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchCancel
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchValidate

/wst:RequestSecurityToken/wst:TokenType

  • Valid options include:

    • for http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

      • /wst:RequestSecurityToken/wsp:AppliesTo
      • /wst:RequestSecurityToken/wst:Entropy
      • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret
      • /wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

    • for http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce

      • /wst:RequestSecurityToken/wst:Lifetime
      • /wst:RequestSecurityToken/wst:Lifetime/wsu:Created
      • /wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
      • /wst:RequestSecurityToken/wst:KeySize
      • /wst:RequestSecurityToken/wst:KeyType

    • for http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

      • /wst:RequestSecurityToken/wst:RenewTarget
      • /wst:RequestSecurityToken/wst:Renewing
      • /wst:RequestSecurityToken/wst:Renewing/@Allow
      • /wst:RequestSecurityToken/wst:Renewing/@OK
      • /wst:RequestSecurityToken/wst:CancelTarget
      • /wst:RequestSecurityToken/wst:ValidateTarget
      • /wst:RequestSecurityToken/wst:Issuer

Response header /wsa:Action

Valid options include:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/CancelFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/RenewFinal
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/ValidateFinal

Response elements and attributes

/wst:RequestSecurityTokenResponse

/wst:RequestSecurityTokenResponse/@Context

/wst:RequestSecurityTokenResponse/wst:TokenType

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wsp:AppliesTo

/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken

/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedUnattachedReference

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken

/wst:RequestSecurityTokenResponse/wst:Entropy

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret

/wst:RequestSecurityTokenResponse/wst:Entropy/wst:BinarySecret/@Type

/wst:RequestSecurityTokenResponse/wst:Lifetime

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Created

/wst:RequestSecurityTokenResponse/wst:Lifetime/wsu:Expires

/wst:RequestSecurityTokenResponse/wst:RequestedProofToken/wst:ComputedKey

/wst:RequestSecurityTokenResponse/wst:KeySize

/wst:RequestSecurityTokenResponse/wst:Renewing

/wst:RequestSecurityTokenResponse/wst:Renewing/@Allow

/wst:RequestSecurityTokenResponse/wst:Renewing/@OK

/wst:RequestSecurityTokenResponse/wst:RequestedTokenCancelled

/wst:RequestSecurityTokenResponse/wst:Status

/wst:RequestSecurityTokenResponse/wst:Status/wst:Code

  • Valid responses include:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid

/wst:RequestSecurityTokenResponse/wst:Status/wst:Reason

Error handling

wst:InvalidRequest

wst:FailedAuthentication

wst:RequestFailed

wst:InvalidSecurityToken

wst:AuthenticationBadElements

wst:BadRequest

wst:ExpiredData

wst:InvalidTimeRange

wst:InvalidScope

wst:RenewNeeded

wst:UnableToRenew


Functionality not supported by WAS

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS v6 and later:


Unsupported function for WS-Trust v1.0 Draft and v1.3

The following tables show the aspects of the OASIS: Web Services Security: WS-Trust v1.0 Draft and v1.3 specifications that are not supported in WAS v6.1 Feature Pack for Web Services, and later.

Aspects of OASIS Trust V1.0 and V1.3 standard that are unsupported in WAS. Use the table to determine which aspects of the OASIS standard are not supported.

Unsupported topic Specific aspect not supported
Elements and attributes

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

Unsupported request options:

  • for http://schemas.xmlsoap.org/ws/2005/02/trust/AsymmetricKey and http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

    • /wst:RequestSecurityToken/wst:Claims
    • /wst:RequestSecurityToken/wst:AllowPostdating
    • /wst:RequestSecurityToken/wst:OnBehalfOf
    • /wst:RequestSecurityToken/wst:AuthenticationType
    • /wst:RequestSecurityToken/wst:KeyType

  • for http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

    • /wst:RequestSecurityToken/wst:SignatureAlgorithm
    • /wst:RequestSecurityToken/wst:EncryptionAlgorithm
    • /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
    • /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
    • /wst:RequestSecurityToken/wst:Encryption
    • /wst:RequestSecurityToken/wst:ProofEncryption
    • /wst:RequestSecurityToken/wst:UseKey
    • /wst:RequestSecurityToken/wst:UseKey/@Sig
    • /wst:RequestSecurityToken/wst:SignWith
    • /wst:RequestSecurityToken/wst:EncryptWith
    • /wst:RequestSecurityToken/wst:DelegateTo
    • /wst:RequestSecurityToken/wst:Forwardable
    • /wst:RequestSecurityToken/wst:Delegatable
    • /wst:RequestSecurityToken/wsp:Policy
    • /wst:RequestSecurityToken/wsp:PolicyReference

Response elements and attributes

/wst:RequestSecurityTokenResponseCollection

/wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse

Aspects of OASIS Trust V1.3 standard that are unsupported in WAS. Use the table to determine which aspects of the OASIS standard are not supported.

Unsupported topic Specific aspect not supported
Elements and attributes

/wst:RequestSecurityToken/wst:Entropy/wst:BinarySecret/@Type

Unsupported request options:

  • for http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

    • /wst:RequestSecurityToken/wst:Claims
    • /wst:RequestSecurityToken/wst:AllowPostdating
    • /wst:RequestSecurityToken/wst:OnBehalfOf
    • /wst:RequestSecurityToken/wst:AuthenticationType
    • /wst:RequestSecurityToken/wst:KeyType

  • for http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey and http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer

    • /wst:RequestSecurityToken/wst:SignatureAlgorithm
    • /wst:RequestSecurityToken/wst:EncryptionAlgorithm
    • /wst:RequestSecurityToken/wst:CanonicalizationAlgorithm
    • /wst:RequestSecurityToken/wst:ComputedKeyAlgorithm
    • /wst:RequestSecurityToken/wst:Encryption
    • /wst:RequestSecurityToken/wst:ProofEncryption
    • /wst:RequestSecurityToken/wst:UseKey
    • /wst:RequestSecurityToken/wst:UseKey/@Sig
    • /wst:RequestSecurityToken/wst:SignWith
    • /wst:RequestSecurityToken/wst:EncryptWith
    • /wst:RequestSecurityToken/wst:DelegateTo
    • /wst:RequestSecurityToken/wst:Forwardable
    • /wst:RequestSecurityToken/wst:Delegatable
    • /wst:RequestSecurityToken/wsp:Policy
    • /wst:RequestSecurityToken/wsp:PolicyReference

Response header

/wsa:Action

Unsupported Responses:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validate


Related concepts:

WS-MetadataExchange requests
Encrypted SOAP headers
Signature confirmation
Basic Security Profile compliance tips


Related


Enable MTOM for JAX-WS web services


Reference:

Encryption information configuration settings: Message parts


+

Search Tips   |   Advanced Search