Secure web services using policy sets
Policy sets are assertions about how services are defined. They are used to simplify the quality of service configuration for web services.
Policy sets combine configuration settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, and WS-Security. There are two main types of policy sets;
Application policy are used for business-related assertions. These assertions are related to the business operations defined in the Web Services Description Language (WSDL) file. System policy sets, on the other hand, are used for non-business-related system messages. These messages are not related to the business operations defined in the WSDL, but instead refer to messages defined in other specifications which apply qualities of service (QoS). Such QoS are the request security token (RST) messages defined in WS-Trust, or create sequence messages defined in WS-Reliable Messaging metadata exchange messages of the WS-MetadataExchange.
Use policy sets only with JAX-WS applications. We cannot use policy sets with JAX-RPC applications.
Policies are defined based on a quality of service. Policy definition is typically based on WS-Policy standard language, for example, the WS-Security policy is based on the current WS-SecurityPolicy from the Organization for the Advancement of Structured Information Standards (OASIS) standards.
Policy sets do not include environment or platform-specific information, such as keys for signing, keystore information, or persistent store information. This type of information is defined in the binding. A policy set attachment defines how a policy set is attached to service resources and bindings. The attachment definition is outside the policy set definition and is defined as meta-data associated with application data.
To secure JAX-WS web services with message-level security using policy sets, follow these steps:
Tasks
- Select, create, or copy and modify a policy set to specify the message-level protection required. The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.
- Select one of the web services policy sets.
- Create, copy, modify, import, export or delete a policy set. For more information, read about managing policy sets using the administrative console
- Attach the policy set to the application.
- Create or select the policy set bindings to be used. The bindings are then attached to the application along with the policy set. The bindings used can either be general bindings that can be shared among applications or application specific bindings. See defining and managing policy set bindings.
- If WS-SecureConversation is being used, specify the trust service system policy sets and bindings on the application server.
Subtopics
- Getting Started: Using a policy set and default bindings to sign and encrypt a message
- Configure a policy set and bindings for a stand-alone security token (UsernameToken or LTPA Token)
- Configure a policy set and bindings to consume an LTPA and/or UsernameToken (optional security tokens)
- Configure a policy set and bindings for XML Digital Signature with client and provider application specific bindings
- Configure a policy set and bindings for Asymmetric XML Digital Signature and/or XML Encryption
- Configure policy set and bindings to encrypt a UsernameToken
- Configure a policy set and bindings for Signer Certificate Encryption
- Configure the key information in JAX-WS WS-Security bindings
- Configure the username and password for WS-Security Username or LTPA token authentication
- Enable or disable single sign-on interoperability mode for the LTPA token
Related:
JAX-WS Web services policy sets Secure requests to the trust service using system policy sets Manage policy sets Attaching a policy set to a service artifact Define and manage policy set bindings