The Web Services Security specification defines core facilities for protecting the integrity and confidentiality of a message, and provides mechanisms for associating security-related claims with a message.
Transport-level security is a well-known and often used mechanism to secure HTTP Internet and intranet communications. Transport level security can be used to secure web services messages. Transport-level security functionality is independent from functionality that is provided by message-level security (WS-Security) or HTTP basic authentication.
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint.
Web Services Security standards and profiles address how to provide message-level protection for messages that are exchanged in a web service environment.
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment.
The Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attributes information. Using SAML, a client can communicate assertions regarding the identity, attributes, and entitlements of a SOAP message. You can apply policy sets to JAX-WS applications to use SAML assertions in web services messages and in web services usage scenarios. Use SAML assertions to represent user identity and user security attributes, and optionally, to sign and to encrypt SOAP message elements.
You can use the generic security token login modules to issue, validate, and exchange security tokens using an external Security Token Service (STS).