WAS v8.5 > Reference > Developer best practices

Web Services Security configuration considerations

To secure web services for WebSphere Application Server, you specify several different configurations. There is no fixed sequence in which to specify them, but some configurations reference others, so a referenced configuration must exist before the configuration that points to it can be completed.

Best practice: IBM WAS supports the JAX-WS programming model and the Java API for XML-based RPC (JAX-RPC) programming model. JAX-WS is the next-generation web services programming model, extending the foundation provided by JAX-RPC. With the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easier-to-implement JAX-WS programming model to develop new web services applications and clients.

We can configure Web Services Security at the application level and at the server level. The following table shows the relationships between the configurations that apply to a single application and those that apply to an entire server. The binding requirements depend on the deployment descriptor, and some binding information depends on other information in the same binding or in the server-level configuration. Within the table, the configurations in the Referenced configurations column are referenced by the configuration listed in the Configuration name column. For example, the token generator for the application-level request generator references the collection certificate store, nonce, time stamp, and callback handler configurations.

Table 1. The relationship between the configurations. Use the table to determine the mapping between the configurations and the level of Web Services Security.

Configuration level                      | Configuration name      | Referenced configurations
-----------------------------------------|-------------------------|--------------------------------------------------------------------
Application-level request generator      | Token generator         | Collection certificate store, Nonce, Time stamp, Callback handler
Application-level request generator      | Key information         |
Application-level request generator      | Signing information     | Key information
Application-level request generator      | Encryption information  | Key information
Application-level request consumer       | Token consumer          |
Application-level request consumer       | Key information         |
Application-level request consumer       | Signing information     | Key information
Application-level request consumer       | Encryption information  | Key information
Application-level response generator     | Token generator         |
Application-level response generator     | Key information         |
Application-level response generator     | Signing information     | Key information
Application-level response generator     | Encryption information  | Key information
Application-level response consumer      | Token consumer          |
Application-level response consumer      | Key information         |
Application-level response consumer      | Signing information     | Key information
Application-level response consumer      | Encryption information  | Key information
Server-level default generator bindings  | Token generator         |
Server-level default generator bindings  | Key information         |
Server-level default generator bindings  | Signing information     | Key information
Server-level default generator bindings  | Encryption information  | Key information
Server-level default consumer bindings   | Token consumer          |
Server-level default consumer bindings   | Key information         |
Server-level default consumer bindings   | Signing information     | Key information
Server-level default consumer bindings   | Encryption information  | Key information

When multiple applications use the same binding information, consider configuring that information at the server level. For example, a single key locator configuration can serve several applications. Where both levels define the same information, the application-level configuration takes precedence over the corresponding server-level configuration, so an application-level override changes what any server-level default that references it resolves to.
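As an added example that is not from the WebSphere documentation or product code, the following Python script models the two rules stated above: application-level binding entries take precedence over same-named server-level defaults, and signing and encryption information must reference a key information configuration. The Config and Binding classes, the configuration names such as gen_keyinfo, the keystore settings, the EXPECTED_REF_KINDS table, and the sample bindings are all constructed for illustration and do not correspond to WebSphere's own binding file format or administrative API.

```python
"""Added example, not IBM's code or the WAS admin API: a small model of how
Web Services Security binding configurations layer and reference each other.
Application-level bindings take precedence over the server-level defaults;
signing and encryption information must reference a key information
configuration. All names, settings and sample data below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Config:
    kind: str                                       # e.g. "Signing information"
    name: str                                       # name other configs use to reference this one
    refs: List[str] = field(default_factory=list)   # names of referenced configurations
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class Binding:
    level: str                                      # "application" or "server"
    role: str                                       # "generator" or "consumer"
    configs: Dict[str, Config] = field(default_factory=dict)

    def add(self, cfg: Config) -> "Binding":
        self.configs[cfg.name] = cfg
        return self


# Which configuration kinds a given kind is expected to reference, following the
# table on this page. The token generator row is an assumption taken from the
# page's request-generator example; the other kinds are left unconstrained.
EXPECTED_REF_KINDS = {
    "Signing information": {"Key information"},
    "Encryption information": {"Key information"},
    "Token generator": {"Collection certificate store", "Nonce", "Time stamp", "Callback handler"},
}


def effective_binding(app: Optional[Binding], server: Binding) -> Dict[str, Config]:
    """Layer application-level configs over the server-level defaults of the same role.
    A same-named application-level entry replaces the server-level one entirely."""
    if app is not None and app.role != server.role:
        raise ValueError("generator bindings cannot default to consumer bindings")
    merged = dict(server.configs)
    if app is not None:
        merged.update(app.configs)
    return merged


def check_references(effective: Dict[str, Config]) -> List[str]:
    """Report references that resolve nowhere or resolve to a configuration of the wrong kind."""
    problems = []
    for cfg in effective.values():
        allowed = EXPECTED_REF_KINDS.get(cfg.kind)
        for ref in cfg.refs:
            target = effective.get(ref)
            if target is None:
                problems.append(f"{cfg.kind} '{cfg.name}' references missing '{ref}'")
            elif allowed is not None and target.kind not in allowed:
                problems.append(f"{cfg.kind} '{cfg.name}' references '{ref}' of kind "
                                f"'{target.kind}', expected one of {sorted(allowed)}")
    return problems


def build_sample() -> Tuple[Binding, Binding, Binding]:
    """Constructed sample: server-level default generator bindings plus two
    application-level request generator bindings, one valid and one broken."""
    server = Binding("server", "generator")
    server.add(Config("Key information", "gen_keyinfo", [],
                      {"keystore": "server.p12", "alias": "server-signer"}))
    server.add(Config("Signing information", "gen_signing", ["gen_keyinfo"]))
    server.add(Config("Encryption information", "gen_encryption", ["gen_keyinfo"]))

    good_app = Binding("application", "generator")
    # Overrides only the key information: the server-level signing and encryption
    # defaults still reference "gen_keyinfo", which now resolves to the app's key.
    good_app.add(Config("Key information", "gen_keyinfo", [],
                        {"keystore": "app.p12", "alias": "app-signer"}))

    broken_app = Binding("application", "generator")
    # Overrides signing information but points it at a key information entry
    # that exists neither at the application level nor at the server level.
    broken_app.add(Config("Signing information", "gen_signing", ["app_keyinfo"]))
    return server, good_app, broken_app


def effective_alias(app: Optional[Binding], server: Binding, name: str) -> str:
    """Alias of the key information entry `name` as the merged binding sees it."""
    return effective_binding(app, server)[name].settings["alias"]


if __name__ == "__main__":
    server, good_app, broken_app = build_sample()
    print("signing key alias with app override:", effective_alias(good_app, server, "gen_keyinfo"))
    print("signing key alias, server defaults only:", effective_alias(None, server, "gen_keyinfo"))
    for problem in check_references(effective_binding(broken_app, server)):
        print("problem:", problem)
```

Running the script shows the two effects worth checking by hand before deployment: overriding key information at the application level silently changes which key the server-level signing and encryption defaults use, and an application-level override that references a name the merged binding does not contain is reported as a dangling reference rather than discovered at runtime.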


Related concepts:

Programming models for web services message-level security


Reference:

Web Services Security troubleshooting tips

