WAS v8.5 > Secure applications > Secure web services > Secure web services

Secure JAX-WS web services using message-level security

Web Services Security standards and profiles address how to provide message-level protection for messages that are exchanged in a web service environment.

Before beginning this task, you must develop and deploy a JAX-WS application.

JAX-WS extends JAX-RPC with support for annotations.

JAX-WS applications can be secured with Web Services Security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The following sections describe both methods.

  1. Learn about Web Services Security

  2. Decide which programming model, JAX-WS or JAX-RPC, works best for securing the web services applications

    This procedure uses JAX-WS.

  3. Configure the security bindings, or migrate an application and associated bindings

  4. Develop and assemble a JAX-WS application

  5. Deploy the JAX-WS application.

  6. Configure and administer the Web Services Security runtime environment.

    Read about signing and encrypting message parts using policy sets to find out how to specify the required message-level protection. The policy specifies what protection will be applied, including which message parts to sign or encrypt, and the token types and algorithms to use. For complete information about policy sets, read about managing policy sets using the dmgr console.

  7. Configure policy sets through metadata exchange (WS-MetadataExchange).

    In WebSphere Application Server v7.0 and later, using JAX-WS, we can enable the Web Services Metadata Exchange (WS-MetadataExchange) protocol so the policy configuration of the service provider is included in the WSDL and is available to a WS-MetadataExchange GetMetadata request. One advantage of using the WS-MetadataExhange protocol is that we can apply message-level security to WS-MetadataExchange GetMetadata requests using a suitable system policy set. Another advantage is the client does not have to match the provider configuration, or have a policy set attached. The client only needs the binding information, and then the client can operate based on the provider policy, or based on the intersection of the client and provider policies. We can configure a service provider to share its policy configuration using the dmgr console. For more information, read the following topics:


Related

Standards and programming models for web services message-level security
Auditing the Web Services Security runtime
JAX-WS default bindings for Web Services Security
Web Services Security API programming model
SPI
Transformation of policy and binding assertions for WSDL
JAX-WS
Web services policy sets
Secure web services using policy sets
Configure the username and password for WS-Security Username or LTPA token authentication
Configure default Web Services Security bindings
Secure web services applications using the WSS APIs at the message level
Secure requests to the trust service using system policy sets
Configure the Kerberos token for Web Services Security
Manage policy sets
Attaching a policy set to a service artifact
Define and manage policy set bindings
Signing and encrypting message parts using policy sets
Configure security for a WS-MetadataExchange request
Configure a service provider to share its policy configuration
Troubleshooting web services
Tune Web Services Security for v8.5 applications
Migration of JAX-WS Web Services Security bindings from v6.1


+

Search Tips   |   Advanced Search