WebSphere Application Server Version 6.0.x uses the Java 2 Platform, Enterprise
Edition (J2EE) Version 1.4 Web services deployment model to implement Web
services security. The Web services security constraints are specified in
the IBM extension of the Web services deployment descriptors and bindings.
The Web services security run time enforces the security constraints specified
in the deployment descriptors. One of the advantages of the deployment model is
that you can define the Web services security requirements outside of the
application business logic. With this separation of roles, the application
developer can focus on the business logic and the security expert can specify
the security requirements.
The following figure shows the high-level architecture model that is used
to secure Web services in WebSphere Application Server Version 6.0.x.

The deployment descriptor and binding for Web services security is based
on Web service ports. Each Web service port can have its own unique Web services
security constraints defined. For example, you might configure Web service
port A to sign the Simple Object Access Protocol (SOAP) body and the username
token. You might configure Web service port B to encrypt the SOAP body content
and so on.
As shown in the previous figure, there are two sets of configurations on
each side, the client side and the server side:
- Request generator: This client-side configuration defines the Web services
security requirements for the outgoing SOAP message request. These requirements
might involve generating a SOAP message request that uses a digital signature,
incorporates encryption, and attaches security tokens. In WebSphere Application
Server Versions 5.0.2, 5.1, and 5.1.1, the request generator was known as the
request sender.
- Request consumer: This server-side configuration defines the Web services
security requirements for the incoming SOAP message request. These requirements
might involve verifying that the required integrity parts are digitally signed;
verifying the digital signature; verifying that the required confidential parts
were encrypted by the request generator; decrypting the required confidential
parts; validating the security tokens; and verifying that the security context
is set up with the appropriate identity. In WebSphere Application Server
Versions 5.0.2, 5.1, and 5.1.1, the request consumer was known as the request
receiver.
- Response generator: This server-side configuration defines the Web services
security requirements for the outgoing SOAP message response. These requirements
might involve generating the SOAP message response with Web services security;
including a digital signature; and encrypting and attaching the security tokens,
if necessary. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1,
the response generator was known as the response sender.
- Response consumer: This client-side configuration defines the Web services
security requirements for the incoming SOAP response. The requirements might
involve verifying that the integrity parts are signed and that the signature
is verified; verifying that the required confidential parts are encrypted and
that the parts are decrypted; and validating the security tokens. In WebSphere
Application Server Versions 5.0.2, 5.1, and 5.1.1, the response consumer was
known as the response receiver.
WebSphere Application Server Version 6.0.x does not include security policy
negotiation or exchange between the client and server. This security policy
negotiation is defined by the WS-Policy, WS-PolicyAssertion, and WS-SecurityPolicy
specifications and is not supported in WebSphere Application Server Version
6.
Note: The Web services security requirements that are defined in the request
generator must match those of the request consumer. The requirements that are
defined in the response generator must match those of the response consumer.
Otherwise, the request or response is rejected because the Web services security
constraints cannot be met by the request consumer or the response consumer.
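The following added example (not WebSphere code) models the request-consumer
checks described above and the matching rule stated in the note. The consumer
configuration is a pair of sets, the parts that must be signed (integrity) and
the parts that must be encrypted (confidentiality), and the check inspects the
wsse:Security header of a constructed SOAP request and rejects the message with
a reason when a required constraint is not met. The sample envelopes, the
logical part names (body, usernametoken, timestamp) and the consume() function
are assumptions made for the example; the consumer's configuration is treated as
a minimum, so extra signed parts do not cause rejection. Signature-value
verification and decryption, which need XML canonicalization and key material,
are not modelled.

```python
"""Simplified model of a WS-Security request-consumer constraint check.

Added example, not WebSphere Application Server code. It checks that every
integrity part named in the consumer configuration is covered by a ds:Reference
in the signature and that every confidential part holds xenc:EncryptedData.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample envelope (not a captured message): the generator signed the
# SOAP body and the username token. The body is substituted below so the same
# header can be reused with a plaintext or an encrypted body.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="utoken">
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body"/>
          <ds:Reference URI="#utoken"/>
        </ds:SignedInfo>
        <ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  __BODY__
</soap:Envelope>"""

PLAIN_BODY = '<soap:Body wsu:Id="body"><getBalance account="1234"/></soap:Body>'
ENCRYPTED_BODY = (
    '<soap:Body wsu:Id="body">'
    '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">'
    '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></soap:Body>'
)
SIGNED_REQUEST = ENVELOPE.replace("__BODY__", PLAIN_BODY)
SIGNED_ENCRYPTED_REQUEST = ENVELOPE.replace("__BODY__", ENCRYPTED_BODY)

# Logical part names used in the (assumed) consumer configuration, mapped to
# the element they denote inside the envelope.
PART_PATHS = {
    "body": "soap:Body",
    "usernametoken": ".//wsse:Security/wsse:UsernameToken",
    "timestamp": ".//wsse:Security/wsu:Timestamp",
}


def signed_ids(envelope):
    """Return the wsu:Id values covered by the ds:Reference elements of the signature."""
    ids = set()
    path = ".//wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    for ref in envelope.iterfind(path, NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def find_part(envelope, part):
    """Locate the element for a logical part name, or None if it is absent."""
    return envelope.find(PART_PATHS[part], NS)


def is_encrypted(elem):
    """A part counts as encrypted when its content was replaced by xenc:EncryptedData."""
    return elem.find("xenc:EncryptedData", NS) is not None


def consume(xml_text, integrity_parts, confidentiality_parts):
    """Apply the consumer's constraints; return (accepted, list_of_rejection_reasons)."""
    envelope = ET.fromstring(xml_text)
    reasons = []
    covered = signed_ids(envelope)
    for part in sorted(integrity_parts):
        elem = find_part(envelope, part)
        if elem is None:
            reasons.append("required part '%s' is missing" % part)
        elif elem.get(WSU_ID) not in covered:
            reasons.append("required integrity part '%s' is not signed" % part)
    for part in sorted(confidentiality_parts):
        elem = find_part(envelope, part)
        if elem is None:
            reasons.append("required part '%s' is missing" % part)
        elif not is_encrypted(elem):
            reasons.append("required confidential part '%s' is not encrypted" % part)
    return (not reasons, reasons)


if __name__ == "__main__":
    # Generator signed body + token; consumer requires exactly that: accepted.
    print(consume(SIGNED_REQUEST, {"body", "usernametoken"}, set()))
    # Consumer additionally requires an encrypted body: rejected with a reason.
    print(consume(SIGNED_REQUEST, {"body", "usernametoken"}, {"body"}))
```

Running the block shows the mismatch case the note warns about: a request whose
generator only signed the body is rejected by a consumer whose binding also
requires the body to be encrypted, with the unmet constraint as the reason.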
The format of the Web services security deployment descriptors and bindings
is IBM proprietary. However, the following tools are available to edit the
deployment descriptors and bindings:
- Rational Application Developer Version 6.0.x: Use this tool to edit the Web
services security deployment descriptor and binding. You can use this tool to
assemble both Web and EJB modules.
- Rational Web Developer Version 6.0.x: Use this tool to edit the Web services
security deployment descriptor and binding. You can use this tool to assemble
Web modules only.
- Application Server Toolkit: Use this tool to edit the Web services security
deployment descriptor and binding.
- WebSphere Application Server Version 6.0.x administrative console: Use this
tool to edit the Web services security binding of a deployed application.