What is new for securing Web services
In WAS v6.x, there are many security enhancements for Web services. The enhancements include supporting sections of the Web services security specifications and providing architectural support for plugging in and extending the capabilities of security tokens.
Enhancements from the supported Web services security specifications
Since September 2002, the Organization for the Advancement of Structured Information Standards (OASIS) has been developing the Web Services Security (WSS) for SOAP message standard. In April 2004, OASIS released the Web Services security V1.0 specification, which is a major milestone for securing Web services. This specification is the foundation for other Web services security specifications and is also the basis for the Basic Security Profile (WS-I BSP) V1.0 work. Web services security V1.0 is a strategic move towards Web services security interoperability and it is the first step in the Web services security roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture and Roadmap.
WebSphere Application Server v6.x supports the following specifications and profiles:
- OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
- OASIS: Web Services Security: UsernameToken Profile 1.0
- OASIS: Web Services Security X.509 Certificate Token Profile 1.0
For details on what parts of the previous specifications are supported in WAS v6.0.x, see Supported functionality from OASIS specifications.
High level features overview in WebSphere Application Server v6.x
The Web Services Security for SOAP message V1.0 specification is designed to be flexible and to accommodate the requirements of Web services. For example, the Web services security V1.0 specification does not mandate a particular security token definition. Rather, it defines a generic mechanism for associating a security token with a SOAP message. The use of each kind of security token is defined in a separate security token profile, such as:
- The username token profile
- The X.509 token profile
- The WS-Security Kerberos token profile
- The Security Assertion Markup Language (SAML) token profile
- The Rights Express Language (REL) token profile
For more information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.
Important: The wire format in the Web services security V1.0 specification changed and is not compatible with the previous drafts of the Web services security specification. It is not possible to make an implementation of the wire format using a previous draft of the Web services security specification to interoperate with the Web Services Security V1.0 specification.
Support for pluggable security tokens has been available since WAS V5.0.2. However, in WAS v6.x, the pluggable architecture is enhanced to support the Web services security V1.0 specification, other profiles, and other Web services security specifications. WAS v6.x includes the following key enhancements:
- Support for the client (sender or generator) to send multiple security tokens in a SOAP message.
- Ability to derive keys from a security token for digital signature (verification) and encryption (decryption).
- Support to sign or encrypt any element in a SOAP message. However, some limitations exist. For example, encrypting some parts of a message might break the SOAP message format. If you encrypt the SOAP body element, the SOAP message format breaks.
- Support for signing the SOAP Envelope, the SOAP Header, and the Web services security header.
- Ability to configure the order of the digital signature and encryption.
- Support for various mechanisms to reference the security tokens such as direct references, key identifiers, key names, and embedded references.
- Support for the PKCS#7 format certificate revocation list (CRL) encoding for an X.509 security token.
- Support for CRL verification.
- Ability to insert nonce and time stamps into elements within the Web services security header, into signed elements, or into encrypted elements.
- Support for identity assertion using the Run As (invocation) identity in the current security context for WebSphere Application Server.
- Support for a default binding, which is a set of default Web services security bindings for applications.
- Ability to use pluggable digital signature (verification) and encryption (decryption) algorithms.
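The generic mechanism described above (a wsse:Security header that carries a token defined by a profile) and the nonce and time stamp support in the list are easiest to see on the wire. The following is an added example, not WebSphere code and not an IBM API (the page notes that WAS v6.x exposes no Web services security API): it builds a SOAP envelope with a wsu:Timestamp and a UsernameToken in the PasswordDigest form from the UsernameToken Profile 1.0, then consumes it the way a receiver should, recomputing the digest, enforcing a freshness window on wsu:Created, and rejecting a replayed nonce. The namespace URIs are the OASIS 2004 ones; the credential store, user name, password, body element and the five-minute skew are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from WS-Security 1.0 (WS-Security 2004) and UsernameToken Profile 1.0
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as in UsernameToken Profile 1.0."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, now=None):
    """Generator side: wrap body_xml in an envelope whose wsse:Security header carries a
    wsu:Timestamp and a digest-form UsernameToken (nonce and Created included)."""
    nonce = os.urandom(16) if nonce is None else nonce
    now = datetime.now(timezone.utc) if now is None else now
    created = now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(ut, f"{{{WSSE}}}Nonce", EncodingType=NONCE_ENC).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(ut, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenConsumer:
    """Receiver side: check the digest against a credential store (constructed for the demo),
    enforce a freshness window on wsu:Created, and refuse a nonce that was already accepted."""

    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials   # username -> password; a real deployment uses a registry
        self.max_skew = max_skew
        self.seen_nonces = set()         # replay cache; in production expire entries past max_skew

    def verify(self, envelope_xml, now=None):
        now = datetime.now(timezone.utc) if now is None else now
        root = ET.fromstring(envelope_xml)
        ut = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if ut is None:
            return False, "no UsernameToken in wsse:Security header"
        username = ut.findtext(f"{{{WSSE}}}Username")
        pw = ut.find(f"{{{WSSE}}}Password")
        nonce_b64 = ut.findtext(f"{{{WSSE}}}Nonce")
        created = ut.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return False, "token is not a complete digest-form UsernameToken"
        password = self.credentials.get(username)
        if password is None:
            return False, "unknown user"
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed wsu:Created"
        if abs(now - created_at) > self.max_skew:
            return False, "wsu:Created outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "password digest mismatch"
        self.seen_nonces.add(nonce_b64)
        return True, username


def demo_outcomes():
    """Exercise the consumer with a fixed nonce and clock: accept, replay, stale, wrong password."""
    fixed_now = datetime(2004, 4, 26, 15, 20, 0, tzinfo=timezone.utc)
    msg = build_envelope("alice", "s3cret", '<q:ping xmlns:q="urn:example:demo"/>',
                         nonce=b"\x01" * 16, now=fixed_now)
    consumer = UsernameTokenConsumer({"alice": "s3cret"})
    return {
        "fresh": consumer.verify(msg, now=fixed_now),
        "replay": consumer.verify(msg, now=fixed_now),
        "stale": UsernameTokenConsumer({"alice": "s3cret"}).verify(msg, now=fixed_now + timedelta(hours=1)),
        "wrong_password": UsernameTokenConsumer({"alice": "other"}).verify(msg, now=fixed_now),
    }


if __name__ == "__main__":
    print(build_envelope("alice", "s3cret", '<q:ping xmlns:q="urn:example:demo"/>'))
    print(demo_outcomes())
```

In WebSphere these checks are not written by the application: the page explains that the constraints live in the deployment descriptor and binding file and are edited with the tooling or the administrative console. The example only makes visible what the receiver has to enforce for a nonce and time stamp to add any value: a digest check alone proves knowledge of the password, while the freshness window and the nonce cache are what stop a captured message from being presented again.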
For more information on some of these enhancements, see Web services security enhancements.
Configuration
WebSphere Application Server Version 6 uses the deployment model for implementing the Web services security Version 1.0 specification, the Username token V1.0 profile, and the X.509 token V1.0 profile. The deployment model is an extension of the Web services deployment model for J2EE. The Web services security constraints are defined in the IBM extension deployment descriptor and the binding file based on the Web service port.
The format of the deployment descriptor and the binding file is IBM proprietary and is not made available. However, WAS provides the following tools that you can use to edit the deployment descriptor and the binding file:
- Rational Application Developer v6.x: Use Rational Application Developer v6.x to develop Web services and to configure the deployment descriptor and the binding file for Web services security. Rational Application Developer can assemble both Web and EJB modules.
- Rational Web Developer v6.x: Use Rational Web Developer v6.x to develop Web services and to configure the deployment descriptor and the binding file for Web services security. However, you cannot assemble EJB modules with this tool; use the Application Server Toolkit or Rational Application Developer instead.
- Application Server Toolkit: Use the Application Server Toolkit (AST), the assembly tool designed for WAS v6.x, to specify the deployment descriptor and the binding file for Web services security.
- WebSphere Application Server Administrative Console: Use the administrative console to configure the Web services security binding of a deployed application whose Web services security constraints are defined in the deployment descriptor.
Important: The format of the deployment descriptor and the binding file for Web services security in WebSphere Application Server v6.x is different from WAS Versions 5.0.2, 5.1, and 5.1.1. Web services security support in WAS Versions 5.0.2, 5.1, and 5.1.1 is based on the Web services security draft 13 specification and the username token draft 2 profile. Thus, this support is deprecated. However, applications that you configured using the Web service security Versions 5.0.2, 5.1, and 5.1.1 deployment descriptor and binding file can work with WebSphere Application Server 6. These applications use a deployment descriptor and binding file that emit SOAP message security using the draft 13 specification format. The Web services security deployment descriptor and binding file for WebSphere Application Server v6.x is available for a J2EE V1.4 application only. Therefore, the Web services security V1.0 specification is supported for a J2EE V1.4 application only.
To take advantage of the implementations associated with the Web services security Version 1.0 specification:
- Migrate existing applications to J2EE V1.4
- Reconfigure the Web services security constraints in the new deployment descriptor and binding format
Important: An automatic process does not exist for migrating the deployment descriptor and the binding file for Web services security from the v5.0.2, 5.1, and 5.1.1 format to the new v6.0.x format using the Rational Web Developer and Application Server Toolkit. You must migrate the configuration manually.
What is not supported
Web service security is still fairly new and some of the standards are still being defined or standardized. The following functionality is not supported in WebSphere Application Server v6.x:
- Application programming interfaces (APIs) for Web services security do not exist in WAS v6.0.x. The following standards exist for the Java application programming interfaces for XML security and Web services security:
- JSR-105 (Java API for XML-Signature XPath Filter V2.0), W3C Recommendation, November 2002
- JSR-106 (Java API for XML Encryption Syntax and Processing), W3C Recommendation, December 2002
- JSR-183 (Java API for the Web Services Security: SOAP Message Security 1.0 specification)
- SAML token profile is not supported out of the box.
- WS-SecuredConversation is not supported out of the box.
- WS-Trust is not supported out of the box.
- WS-SecurityKerberos token profile is not supported out of the box.
- REL token profile is not supported.
- The Web services security SOAP Messages with Attachments (SwA) profile is not supported.
- WS-I Basic Security Profile V1.0 is not supported.
- Clients that are not managed by a Web services container are not supported out of the box.
For information on what is supported for Web services security in WAS v6.x, see Supported functionality from OASIS specifications.
See also
Web services security specification for v6.0.x - a chronology
XML token
Supported functionality from OASIS specifications
Web services security enhancements