Developing message-level security for JAX-WS web services

JAX-WS applications can be secured with Web Services Security in one of two ways: by using policy sets, or by using the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.

  • Web Services Security API programming model

    The application server programming model provides the Web Services Security application programming interfaces (WSS API) for securing SOAP messages.

  • Service Programming Interfaces (SPI)

    The Web Services Security service programming interface (WSS SPI) provides programming interfaces for securing web services.

  • Developing SAML applications

    Use the SAML library application programming interface (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. The SAML trust client API provides helper functions that send WS-Trust SOAP requests to the specified external Security Token Service (STS).

  • Securing web services applications using the WSS APIs at the message level

    Standards and profiles address how to provide protection for messages that are exchanged in a web service environment. Web Services Security is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.

  • Developing JAX-WS based web services client applications that retrieve security tokens

    The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers.

  • Developing JAX-WS based web services server applications that retrieve security tokens

    With a server application, the application acts as the request consumer, and the response generator is deployed and runs in the Java Platform, Enterprise Edition (Java EE) container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. You can retrieve the security tokens from the JAAS Subject that is maintained as a local thread in the container.


Last updated: Sep 19, 2011 6:15:55 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-express-dist&topic=container_wssec_developing_message_security_jaxws
File name: container_wssec_developing_message_security_jaxws.html