Securing applications using message level security for Web services

Web services security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a Web services environment.

Before you begin

The Organization for the Advancement of Structured Information Standards (OASIS) Web services security (WS-Security) specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard: integrity comes from XML digital signature, confidentiality from XML encryption, and credential propagation from security tokens carried in the SOAP header. WebSphere® Application Server Version 7 supports Version 1.1 of the Web Services Security specification, including features such as encrypted headers, thumbprint references, and signature confirmation, together with the Username token profile and the X.509 token profile. In addition, limited security scenario support is provided for the Kerberos token profile Version 1.1, WS-SecureConversation Version 1.3, WS-Trust Version 1.3, and WS-SecurityPolicy Version 1.2.

About this task

To secure Web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.

The Web Services Security SOAP Message Security 1.1 specification outlines a standard set of SOAP 1.1 extensions that you can use to build secure Web services. These extensions provide integrity and confidentiality protection, which are generally implemented with digital signature and encryption technologies. In addition, Web services security provides a general purpose mechanism for associating security tokens with messages. A typical example is the username token, in which a user name and a password (or a digest of the password) are included as text in the header. Web services security also defines how to carry binary security tokens, such as X.509 certificates, in encoded form. However, the individual security tokens are not defined in the SOAP Message Security 1.1 specification itself. Instead, each token is defined in a separate profile, such as the Username token profile, the X.509 token profile, and so on.
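As an added example (written for this page; it is not WebSphere Application Server or IBM code), the following Python builds a SOAP 1.1 request whose wsse:Security header carries a Username token under the OASIS Username Token Profile 1.0, using the PasswordDigest form rather than a plaintext password, and shows the service-side verification the profile implies: recomputing Base64(SHA-1(nonce + created + password)), bounding the age of wsu:Created, and rejecting a nonce that has already been seen. The namespace and Type URIs are the standard OASIS ones; the user store, the 300-second freshness window and the in-memory nonce cache are assumptions of the example, and the sample body is constructed. Python is used instead of Java only so that the message handling is self-contained.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _ns in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(_prefix, _ns)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_created(value: str) -> datetime.datetime:
    """wsu:Created is an xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.datetime.strptime(value, fmt).replace(tzinfo=datetime.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable wsu:Created: {value!r}")


def build_request(username, password, body_xml, nonce=None, created=None) -> bytes:
    """Client side: SOAP 1.1 envelope with a digest UsernameToken in the wsse:Security header."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken", {f"{{{WSU_NS}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", {"EncodingType": BASE64_BINARY})
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def verify_request(envelope, lookup_password, seen_nonces, now=None, max_skew_seconds=300):
    """Service side. Returns (username, None) on success or (None, reason) on rejection.
    Plaintext tokens, stale Created values, replayed nonces and bad digests are all refused.
    seen_nonces is an assumed in-memory cache; a real deployment shares it across providers."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    root = ET.fromstring(envelope)
    tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return None, "no UsernameToken in wsse:Security header"
    username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
    pw_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_el = tok.find(f"{{{WSSE_NS}}}Nonce")
    created = tok.findtext(f"{{{WSU_NS}}}Created") or ""
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or nonce_el is None or not created:
        return None, "only digest tokens with Nonce and Created are accepted"
    try:
        created_dt = parse_created(created)
    except ValueError:
        return None, "malformed wsu:Created"
    if abs((now - created_dt).total_seconds()) > max_skew_seconds:
        return None, "Created outside freshness window"
    nonce = base64.b64decode(nonce_el.text or "")
    if nonce in seen_nonces:
        return None, "nonce replayed"
    password = lookup_password(username)
    if password is None:
        return None, "unknown user"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected.encode("utf-8"), (pw_el.text or "").encode("utf-8")):
        return None, "digest mismatch"
    seen_nonces.add(nonce)
    return username, None
```

Two caveats a practitioner should keep in mind: the digest only keeps the password itself off the wire, it gives no integrity protection to the SOAP body (that is what XML signature is for), and the nonce cache has to be shared by every provider instance, otherwise a replay against a different cluster member succeeds.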

It is important to note that while Web services security can be used to provide message level integrity and confidentiality protection for normal SOAP message requests from a client to a service, and for normal SOAP message responses from a service to a client, Web services security cannot be used to protect SOAP fault messages. A fault is therefore returned without signature or encryption, and a client must not treat the contents of a fault as authenticated or private.

Compatibility between WS-Security Draft 13 and WS-Security standard Versions 1.0 and 1.1

The WS-Security standard has evolved over the years, from a draft to an OASIS standard. WebSphere Application Server Version 5.02 introduced support for the WS-Security Draft 13, and support for WS-Security 1.0 was introduced beginning with WebSphere Application Server Version 6.0. WS-Security Version 1.1 is supported by WebSphere Application Server Version 6.1 Feature Pack for Web Services, using the JAX-WS runtime only. The topic Web services security specification - a chronology provides more details about the evolution of this support.

It is important to note that a WS-Security Draft 13 client is not compatible with providers that use WS-Security Version 1.0 or Version 1.1: a Draft 13 client can communicate only with a Draft 13 Web services provider. The incompatibility arises because the SOAP message format for the WS-Security header, including its namespace, differs between a WS-Security Draft 13–enabled application and a WS-Security Version 1.0 or Version 1.1–enabled application, so a provider of one kind does not recognize the Security header sent by a client of the other.

The version of the WS-Security standard that is used also has implications for the required version of the Java™ Platform, Enterprise Edition (Java EE) application:
  • Java EE Version 1.3 is used only with WS-Security Draft 13.
  • Java EE Version 1.4 and later is used with WS-Security Version 1.0 (JAX-RPC and JAX-WS), and also WS-Security Version 1.1 (JAX-WS).

The following diagram illustrates these compatibility considerations:

Interaction of various Web services runtimes with J2EE
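To make the header-level incompatibility concrete, the following added example (written for this page; it is not WebSphere Application Server or IBM code) classifies the WS-Security version of each wsse:Security header in a SOAP 1.1 envelope and shows what a provider must do with a header it does not implement: because the client marks the header soapenv:mustUnderstand="1", a provider that does not recognize the header's namespace must answer with a MustUnderstand fault instead of silently processing the request. The OASIS 1.0 and 1.1 namespace URIs are the standard ones; the Draft 13 namespace URI is an assumption used only for illustration, and the three sample envelopes are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE_11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# ASSUMPTION: pre-standard Draft 13 namespace; for this check all that matters is that it
# differs from the OASIS URIs above.
WSSE_DRAFT13 = "http://schemas.xmlsoap.org/ws/2003/06/secext"
ET.register_namespace("soapenv", SOAP_NS)


def _split(tag: str) -> Tuple[str, str]:
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_security_header(sec: ET.Element) -> str:
    """Version implied by one wsse:Security element. WS-Security 1.1 keeps the 1.0 namespace
    for the header itself and adds 1.1-only children such as SignatureConfirmation."""
    ns, _ = _split(sec.tag)
    if ns == WSSE_DRAFT13:
        return "draft13"
    if ns != WSSE_10:
        return "unknown"
    if any(_split(el.tag)[0] == WSSE_11 for el in sec.iter()):
        return "1.1"
    return "1.0"


def security_header_versions(envelope: bytes) -> List[str]:
    """Versions of every Security header block, in document order (SOAP allows several,
    addressed to different actors)."""
    header = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return []
    return [classify_security_header(c) for c in header if _split(c.tag)[1] == "Security"]


def must_understand_fault(envelope: bytes, supported_ns: Set[str]) -> Optional[bytes]:
    """Provider side: a header block carrying soapenv:mustUnderstand="1" whose namespace the
    provider does not implement is answered with a SOAP 1.1 MustUnderstand fault; otherwise None."""
    header = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Header")
    for block in (header if header is not None else []):
        ns, local = _split(block.tag)
        if block.get(f"{{{SOAP_NS}}}mustUnderstand") in ("1", "true") and ns not in supported_ns:
            env = ET.Element(f"{{{SOAP_NS}}}Envelope")
            body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
            fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
            ET.SubElement(fault, "faultcode").text = "soapenv:MustUnderstand"
            ET.SubElement(fault, "faultstring").text = (
                f"Header block {local} in namespace {ns} is not understood")
            return ET.tostring(env)
    return None


def _envelope(security_ns: str, inner: str = "") -> bytes:
    """Constructed sample request; only the Security header namespace and content vary."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{security_ns}" soapenv:mustUnderstand="1">{inner}</wsse:Security>'
        f'</soapenv:Header><soapenv:Body><ping xmlns="urn:example"/></soapenv:Body></soapenv:Envelope>'
    ).encode("utf-8")


DRAFT13_REQUEST = _envelope(WSSE_DRAFT13)
V10_REQUEST = _envelope(WSSE_10)
V11_REQUEST = _envelope(
    WSSE_10, f'<wsse11:SignatureConfirmation xmlns:wsse11="{WSSE_11}" Value="c2ln"/>')
```

Note that the fault this produces is itself unsigned and unencrypted, which is exactly the limitation stated above for SOAP fault messages: a Draft 13 client pointed at a Version 1.0 provider sees an unauthenticated fault, not a protected response.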

To secure Web services with WebSphere Application Server, you must specify several different configurations. Although there is not a specific sequence in which you must specify these different configurations, some configurations reference other configurations. See Web services security configuration considerations.

Because the different Web services security configurations reference one another, it is recommended that you specify the configurations at each level in the order described by the following sections. You can configure Web services security at the application level or at the server level, depending on your environment and security needs.

Procedure





Last updated: Oct 20, 2010 11:50:58 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-base-iseries&topic=twbs_securev6wss
File name: twbs_securev6wss.html