The Web services security constraints are specified in
the IBM extension of the Web services deployments descriptors and
bindings. The Web services security run time enforces the security
constraints specified in the deployment descriptors.
Best practice: The WebSphere® Application Server Version 6.1
Feature Pack for Web Services extends the capabilities of this product
to introduce support for the Java API for XML-Based Web Services (JAX-WS) 2.0 programming model.
JAX-WS is the next generation Web services programming model complementing
the foundation provided by the Java API for XML-based RPC (JAX-RPC) programming model. Using the strategic
JAX-WS programming model, development of Web services and clients
is simplified through support of a standards-based annotations model.
Although the JAX-RPC programming model and applications are still
supported, take advantage of the easy-to-implement JAX-WS programming
model to develop new Web services applications and clients.
WebSphere Application Server Version 6 and later use the Java 2
Platform, Enterprise Edition (J2EE) Version 1.4 Web services deployment
model to implement Web services security. One of the advantages of
this deployment model is that you can define the Web services security
requirements outside of the application business logic. With this separation
of roles, the application developer can focus on the business logic
and the security expert can specify the security requirements.
The following figure shows the high-level architecture model that
is used to secure Web services in WebSphere Application Server Version
6.

The deployment descriptor and binding for Web services security
is based on Web service ports. Each Web service port can have its
own unique Web services security constraints defined. For example,
you might configure Web service port A to sign the SOAP body and the
Username token. You might configure Web service port B to encrypt
the SOAP body content and so on.
As shown in the previous figure, there are two sets of configurations
on each side, one pair on the client side and one pair on the server side:
- Request generator
- This client-side configuration defines the Web services security
requirements for the outgoing SOAP message request. These requirements
might involve generating a SOAP message request that uses a digital
signature, incorporates encryption, and attaches security tokens.
In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the
request generator was known as the request sender.
- Request consumer
- This server-side configuration defines the Web services security
requirements for the incoming SOAP message request. These requirements
might involve verifying that the required integrity parts are digitally
signed; verifying the digital signature; verifying that the required
confidential parts were encrypted by the request generator; decrypting
the required confidential parts; validating the security tokens, and
verifying that the security context is set up with the appropriate
identity. In WebSphere Application Server Versions 5.0.2, 5.1, and
5.1.1, the request consumer was known as the request receiver.
- Response generator
- This server-side configuration defines the Web services security
requirements for the outgoing SOAP message response. These requirements
might involve generating the SOAP message response with Web services
security; including digital signature; and encrypting and attaching
the security tokens, if necessary. In WebSphere Application Server
Versions 5.0.2, 5.1, and 5.1.1, the response generator was known as
the response sender.
- Response consumer
- This client-side configuration defines the Web services security
requirements for the incoming SOAP response. The requirements might
involve verifying that the integrity parts are signed and the signature
is verified; verifying that the required confidential parts are encrypted
and that the parts are decrypted; and validating the security tokens.
In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the
response consumer was known as the response receiver.
Note: The Web services security requirements that are defined in the
request generator must match the request consumer. The requirements
that are defined in the response generator must match the response
consumer. Otherwise, the request or response is rejected because the
Web services security constraints cannot be met by the request consumer
and response consumer.
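The matching rule in the note above, as an added example that is not part of the IBM documentation: a small model in which a generator applies its configured protections to a message and the consumer on the other side lists every requirement the message fails to meet. The port configurations (Port A signs the body and attaches a Username token, Port B encrypts the body content) follow the page's own examples; the part and token names are constructed, and actual signing, verification and decryption are abstracted away as presence checks.

```python
"""Added example (not IBM's code): model of generator/consumer constraint matching.
Part names ("body", "bodycontent") and token names are constructed for the example;
the real run time reads them from the deployment descriptor and binding."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityConstraints:
    """One side's Web services security configuration for a single port."""
    integrity_parts: frozenset      # parts that must be digitally signed
    confidential_parts: frozenset   # parts that must be encrypted
    tokens: frozenset               # security tokens that must be attached


@dataclass
class SoapMessage:
    """Constructed stand-in for a SOAP message after a generator has processed it."""
    signed_parts: set = field(default_factory=set)
    encrypted_parts: set = field(default_factory=set)
    tokens: set = field(default_factory=set)


def generate(constraints: SecurityConstraints) -> SoapMessage:
    """Request/response generator: apply the configured protections to a message."""
    return SoapMessage(set(constraints.integrity_parts),
                       set(constraints.confidential_parts),
                       set(constraints.tokens))


def consume(msg: SoapMessage, required: SecurityConstraints) -> list:
    """Request/response consumer: return the unmet requirements (empty list = accepted)."""
    problems = []
    for part in sorted(required.integrity_parts - msg.signed_parts):
        problems.append(f"required integrity part not signed: {part}")
    for part in sorted(required.confidential_parts - msg.encrypted_parts):
        problems.append(f"required confidential part not encrypted: {part}")
    for tok in sorted(required.tokens - msg.tokens):
        problems.append(f"required security token missing: {tok}")
    return problems


# Constructed port configurations following the page's examples.
PORT_A = SecurityConstraints(frozenset({"body"}), frozenset(), frozenset({"UsernameToken"}))
PORT_B = SecurityConstraints(frozenset(), frozenset({"bodycontent"}), frozenset())


def check(generator: SecurityConstraints, consumer: SecurityConstraints) -> list:
    """Run a generator configured one way against a consumer configured another way."""
    return consume(generate(generator), consumer)


if __name__ == "__main__":
    print("A -> A:", check(PORT_A, PORT_A) or "accepted")
    print("B -> A:", check(PORT_B, PORT_A))   # rejected: body unsigned, token missing
```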
The format of the Web services security deployment descriptors
and bindings is IBM proprietary. However, the following tools are
available to edit the deployment descriptors and bindings:
- Rational Application Developer
- Use this tool to edit the Web services security deployment descriptor
and binding. You can use this tool to assemble both Web and Enterprise
JavaBeans (EJB) modules.
- Application Server Toolkit
- Use this tool to edit the Web services security deployment descriptor
and binding.
- WebSphere Application Server Administrative Console
- Use this tool to edit the Web services security binding of a deployed
application.