Securing JAX-WS Web services using message-level security

Web services security standards and profiles address how to provide message-level protection for messages that are exchanged in a Web service environment.

Before you begin

Before you begin this task, you must develop and deploy a JAX-WS application. See the topic "JAX-WS" for more information.

About this task

Java™ API for XML-Based Web Services (JAX-WS) is the next generation Web services programming model, complementing the foundation provided by the Java API for XML-based RPC (JAX-RPC) programming model. Using JAX-WS, development of Web services and clients is simplified with greater platform independence for Java applications through the use of dynamic proxies and Java annotations. JAX-WS simplifies application development through support of a standard, annotation-based model to develop Web service applications and clients. A required part of the Java Platform, Enterprise Edition 5 (Java EE 5), JAX-WS is also known as JSR 224.

JAX-WS applications can be secured with Web services security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The following sections describe both methods.

Securing JAX-WS applications using the WSS API

To secure JAX-WS client applications with message-level security programmatically, using the WSS API, see the topic Securing Web services applications using the WSS APIs at the message level.

Securing JAX-WS applications using policy sets
  1. Read the topic "Signing and encrypting message parts using policy sets" to specify the message-level protection required. The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.
    1. Next, read about signing and encrypting message parts using policy sets.
    2. Specify security tokens using the token type settings, such as:

    For complete information about policy sets, read the topic "Managing policy sets using the administrative console."

  2. Configure the default Web services security bindings.
    1. Configure the token consumer.
    2. Configure the token generator.

    For more information about bindings, read the topic "Defining and managing policy set bindings."
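
One way to confirm that the protection a policy set asks for actually reached the wire, shown as an added example (not IBM code and not part of this topic): it inspects a captured SOAP 1.1 message and reports whether the Body is referenced by the WS-Security signature and whether its content is encrypted. The function names, the sample envelopes and the "body-1" id are constructed for illustration, and the check assumes a policy that signs and encrypts the Body.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def body_protection(envelope_xml):
    """Report whether the SOAP Body is covered by a signature reference and
    whether its content is encrypted. Structural check only: it does not
    validate the signature or decrypt anything."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no SOAP Body")
    # Only references inside the wsse:Security header's SignedInfo count.
    refs = root.findall(
        "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    body_id = body.get(WSU_ID)
    # A duplicated wsu:Id makes the reference ambiguous, so treat it as unsigned.
    unique = sum(1 for e in root.iter() if e.get(WSU_ID) == body_id) == 1
    signed = body_id is not None and body_id in signed_ids and unique
    children = list(body)
    encrypted = len(children) == 1 and children[0].tag == "{%s}EncryptedData" % NS["xenc"]
    return {"signed": signed, "encrypted": encrypted}

def sample_envelope(body_attrs, body_inner, header_inner=""):
    """Build a constructed SOAP envelope for the demonstration below."""
    return ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
            'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">'
            '<soap:Header>' % NS + header_inner + '</soap:Header><soap:Body '
            + body_attrs + '>' + body_inner + '</soap:Body></soap:Envelope>')

# Constructed samples: a skeleton security header, a protected and a plain message.
SEC = ('<wsse:Security><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
       '</ds:SignedInfo></ds:Signature></wsse:Security>')
PROTECTED = sample_envelope('wsu:Id="body-1"', '<xenc:EncryptedData/>', SEC)
PLAIN = sample_envelope('', '<m:getQuote xmlns:m="urn:example"/>')

if __name__ == "__main__":
    print(body_protection(PROTECTED), body_protection(PLAIN))
```

A message that reports `signed: False` or `encrypted: False` after a policy set and bindings are attached usually means the attachment or binding did not take effect for that endpoint.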

Configuring policy sets through metadata exchange (WS-MetadataExchange)

In WebSphere® Application Server Version 7.0, using JAX-WS, you can enable the Web Services Metadata Exchange (WS-MetadataExchange) protocol so that the policy configuration of the service provider is included in the WSDL and is available to a WS-MetadataExchange GetMetadata request. One advantage of using the WS-MetadataExchange protocol is that you can apply message-level security to WS-MetadataExchange GetMetadata requests by using a suitable system policy set. Another advantage is that the client does not have to match the provider configuration, or have a policy set attached. The client only needs the binding information, and then the client can operate based on the provider policy, or based on the intersection of the client and provider policies. You can configure a service provider to share its policy configuration using the administrative console. For more information, read the following topics:
  • Configuring security for a WS-MetadataExchange request
  • Configuring a service provider to share its policy configuration
  • Transformation of policy and binding assertions for WSDL




Last updated: Oct 21, 2010 1:44:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-express-dist&topic=twbs_securews
File name: twbs_securews.html