The Web services security policy is specified in the IBM® extension of the Web services
deployment descriptors when using the JAX-RPC programming model, and
in policy sets when using the JAX-WS programming model. A stand-alone
JAX-WS client application may specify Web Services security policy
programmatically. Binding data that supports the Web Services security
policy is stored in the IBM extension
of the Web services deployment descriptors for both the JAX-RPC and
JAX-WS programming models. The Web Services security run time enforces
the security assertions that are specified in the policy document,
or in the application program, in that order.
Best practice: IBM WebSphere® Application Server supports the Java™ API for XML-Based Web Services (JAX-WS)
programming model and the Java API
for XML-based RPC (JAX-RPC) programming model. JAX-WS is the next-generation
Web services programming model, extending the foundation
provided by the JAX-RPC programming model. Using the strategic JAX-WS
programming model, development of Web services and clients is simplified
through support of a standards-based annotations model. Although
the JAX-RPC programming model and applications are still supported,
take advantage of the easy-to-implement JAX-WS programming model to
develop new Web services applications and clients.
WebSphere Application Server uses the Java Platform, Enterprise Edition (Java EE)
Version 1.4 or later Web services deployment model to implement Web
services security. One of the advantages of this deployment model is that
you can define the Web services security requirements outside of the
application business logic. With the separation of roles, the application
developer can focus on the business logic and the security expert
can specify the security requirement.
The following figure shows the high-level architecture model that
is used to secure Web services in WebSphere Application
Server v7.0:

[Figure: high-level architecture model for securing Web services in WebSphere Application Server v7.0]

The WSS API can also be used to secure the message, as illustrated
below:

[Figure: securing a message with the WSS API]
There are two sets of configurations on both the client side and
the server side:
- Request generator
- This client-side configuration defines the Web services security
requirements for the outgoing SOAP message request. These requirements
might involve generating a SOAP message request that uses a digital
signature, incorporates encryption, and attaches security tokens.
In WebSphere Application
Server Versions 5.0.2, 5.1, and 5.1.1, the request generator was known
as the request sender.
- Request consumer
- This server-side configuration defines the Web services security
requirements for the incoming SOAP message request. These requirements
might involve verifying that the required integrity parts are digitally
signed; verifying the digital signature; verifying that the required
confidential parts were encrypted by the request generator; decrypting
the required confidential parts; validating the security tokens, and
verifying that the security context is set up with the appropriate
identity. In WebSphere Application
Server Versions 5.0.2, 5.1, and 5.1.1, the request consumer was known
as the request receiver.
- Response generator
- This server-side configuration defines the Web services security
requirements for the outgoing SOAP message response. These requirements
might involve generating the SOAP message response with Web services
security; including digital signature; and encrypting and attaching
the security tokens, if necessary. In WebSphere Application Server Versions 5.0.2,
5.1, and 5.1.1, the response generator was known as the response
sender.
- Response consumer
- This client-side configuration defines the Web services security
requirements for the incoming SOAP response. The requirements might
involve verifying that the integrity parts are signed and the signature
is verified; verifying that the required confidential parts are encrypted
and that the parts are decrypted; and validating the security tokens.
In WebSphere Application
Server Versions 5.0.2, 5.1, and 5.1.1, the response consumer was known
as the response receiver.
WebSphere Application Server does not include security policy negotiation
or exchange between the client and server. This security policy negotiation,
as defined by the WS-Policy, WS-PolicyAssertion, and WS-SecurityPolicy
specifications, is not supported in WebSphere Application Server.
Note: The Web services security requirements that are defined in the
request generator must match the request consumer. The requirements
that are defined in the response generator must match the response
consumer. Otherwise, the request or response is rejected because the
Web services security constraints cannot be met by the request consumer
and response consumer.
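The request-consumer duties listed above (checking that the required integrity parts are signed, that the required confidential parts are encrypted, and that the expected security token is present) and the note on matching generator and consumer requirements can be made concrete with a small model of that structural check. The following is an added example, not WebSphere code and not the product's WSS runtime: the policy dictionary shape, the element ids, and the sample SOAP request are constructed for this illustration, and the digest and signature values are placeholders. It only inspects message structure against a consumer policy; signature verification and decryption are left to the runtime.

```python
# Added example (not WebSphere code): a model of the structural policy
# check a request consumer performs before any cryptographic work. The
# policy dictionary shape, the element ids and the sample request below
# are all constructed for this illustration.
import xml.etree.ElementTree as ET

# Namespaces used by WS-Security 1.0 messages.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def check_request(envelope_xml, policy):
    """Return the list of policy violations for an inbound request.

    An empty list means the message satisfies the consumer's integrity,
    confidentiality and token requirements; a non-empty list is the
    reason the consumer would reject it. Signature verification and
    decryption themselves are out of scope here.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soapenv:Header", NS)
    security = None if header is None else header.find("wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header present"]
    violations = []

    # Collect the wsu:Id values the signature covers (URI="#id" form).
    signed_ids = {
        ref.get("URI", "").lstrip("#")
        for ref in security.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    }

    # Integrity: each required part must exist and be referenced by the signature.
    for part in policy["integrity_parts"]:
        el = root.find(part, NS)
        if el is None:
            violations.append("integrity part %s is missing from the message" % part)
            continue
        part_id = el.get(WSU_ID)
        if part_id is None or part_id not in signed_ids:
            violations.append("integrity part %s (wsu:Id=%s) is not covered by the signature"
                              % (part, part_id))

    # Confidentiality: each required part must carry xenc:EncryptedData.
    for part in policy["confidential_parts"]:
        el = root.find(part, NS)
        if el is None or el.find("xenc:EncryptedData", NS) is None:
            violations.append("confidential part %s is not encrypted" % part)

    # Token: the required security token must be present in the header.
    token = policy["token"]
    if security.find("wsse:" + token, NS) is None:
        violations.append("required wsse:%s is missing from the Security header" % token)
    return violations


# Constructed request: Body signed, UsernameToken present, nothing encrypted.
# Digest and signature values are placeholders, not real cryptographic output.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s"
    xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="ts-1">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="unt-1">
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body-1">
            <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body-1">
    <getBalance xmlns="urn:example:bank"/>
  </soapenv:Body>
</soapenv:Envelope>""" % NS

# Consumer policy that matches what the generator produced: accepted.
MATCHING_CONSUMER = {
    "integrity_parts": ["soapenv:Body"],
    "confidential_parts": [],
    "token": "UsernameToken",
}
# Consumer policy stricter than the generator (Timestamp must also be
# signed, Body must be encrypted): the mismatch case, so the request is rejected.
STRICTER_CONSUMER = {
    "integrity_parts": ["soapenv:Body", "soapenv:Header/wsse:Security/wsu:Timestamp"],
    "confidential_parts": ["soapenv:Body"],
    "token": "UsernameToken",
}

if __name__ == "__main__":
    for name, policy in (("matching", MATCHING_CONSUMER), ("stricter", STRICTER_CONSUMER)):
        problems = check_request(SAMPLE_REQUEST, policy)
        print(name, "-> accepted" if not problems else "-> rejected: " + "; ".join(problems))
```

Run as a script, the matching policy accepts the request and the stricter one rejects it with two violations, which is the behaviour the note describes: a consumer configured to require more than the generator supplies cannot have its constraints met and discards the message.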
The format of the Web services security deployment descriptors
and bindings is IBM proprietary.
However, the following tools are available to edit the deployment
descriptors and bindings:
- IBM assembly tools
- Use IBM assembly tools to
edit the Web services security deployment descriptor and binding.
Use the tools to assemble both Web and Enterprise JavaBeans™ (EJB) modules. For more information,
read about assembly tools.
- WebSphere Application
Server Administrative Console
- Use this tool to edit the Web services security binding of a deployed
application.