Web Services Security support

IBM® supports Web Services Security, which is an extension of the IBM Web services engine, to provide a quality of service. The WebSphere® Application Server security infrastructure fully integrates Web Services Security with the Java Platform, Enterprise Edition (Java EE) security specification.

Important: There is an important distinction between Version 5.x and Version 6.0.x and later applications. This information applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. It does not apply to Version 6.0.x and later applications.

WebSphere Application Server, Versions 4.x, 5, and 5.0.1 support digital signature for Apache SOAP Version 2.x. Beginning with WebSphere Application Server, Version 5.0.2, IBM supports Web Services Security. The IBM implementation is based on the Web Services Security specification, Web Services Security (WS-Security), originally proposed by IBM, Microsoft, and VeriSign in April 2002. Early versions of the proposed draft specification can be found in Web Services Security (WS-Security) Version 1.0 05 April 2002 and Web Services Security Addendum 18 August 2002. The WebSphere Application Server implementation is based on the Organization for the Advancement of Structured Information Standards (OASIS) working Draft 13 specification. (See the OASIS Web Services Security TC website for the latest working specification.) However, not all the features in the OASIS working Draft 13 specification are implemented.

Web Services Security is not supported in a pure Java client or a nonmanaged client. When a user ID and password are embedded in a request message, authentication is performed with the user ID and password. If authentication is successful, a user identity is established and further resource access is authorized based on that identity. After the user ID and password are authenticated by the Web Services Security run time, a Java EE container performs authorization.

The following table provides a summary of Web Services Security elements supported by WebSphere Application Server:

Table 1. Supported Web Services Security elements. Use the table to determine which security elements are supported.

UsernameToken
  Both the user name and password for the BasicAuth authentication method and the user name for the identity assertion authentication method are supported. WebSphere Application Server supports nonce, a randomly generated value.

BinarySecurityToken
  X.509 certificates and Lightweight Third Party Authentication (LTPA) tokens can be embedded, but there is no implementation to embed Kerberos tickets. However, binary token generation and validation are pluggable and are based on the Java Authentication and Authorization Service (JAAS) Application Programming Interfaces (APIs). You can extend this implementation to generate and validate other types of binary security tokens.

Signature
  The X.509 certificate is embedded as a binary security token and can be referenced by the SecurityTokenReference. WebSphere Application Server does not support shared, key-based signature.

Encryption
  Both the EncryptedKey and ReferenceList XML tags are supported. KeyIdentifier specifies public keys and KeyName identifies the secret keys. WebSphere Application Server can map an authenticated identity to a key for encryption, or use the signer certificate to encrypt the response message.

Time stamp
  WebSphere Application Server supports the Created and Expires attributes. The freshness of the message, which indicates whether the message complies with predefined time constraints, is checked only if the Expires attribute is present in the message. WebSphere Application Server does not support the Received attribute, which is defined in the addendum. Instead, WebSphere Application Server uses the TimestampTraceReceived attribute, which is defined in the OASIS specification.

XML-based token
  You can insert and validate an arbitrary format of XML tokens in a message. This mechanism is based on the JAAS APIs.

Signing and encrypting attachments is not supported by WebSphere Application Server. However, WebSphere Application Server signs and encrypts the following elements for the request message.
Table 2. Elements that are signed and encrypted for the request message. The elements are used to perform authentication.

XML digital signature:
  • Body
  • Securitytoken
  • Timestamp
XML encryption:
  • Bodycontent
  • Usernametoken
AuthMethod:
  • BasicAuth
  • IDAssertion (from WebSphere Application Server to another WebSphere Application Server)
  • Signature
  • Lightweight Third Party Authentication (LTPA) on the server side
  • Other customer tokens

WebSphere Application Server signs and encrypts the following elements for the response message:
Table 3. Elements that are signed and encrypted for the response message. The elements are used to perform authentication.

XML digital signature:
  • Body
  • Timestamp
XML encryption:
  • Bodycontent

WebSphere Application Server provides the following capabilities for Web Services Security:
  • Integrity of the message
  • Authenticity of the message
  • Confidentiality of the message
  • Privacy of the message
  • Transport level security: provided by Secure Sockets Layer (SSL)
  • Security token propagation (pluggable)
  • Identity assertion
The following namespaces are used for sending a message:
OASIS Web Services Security: SOAP Message Security Working Draft 13, May 2003
http://schemas.xmlsoap.org/ws/2003/06/secext

http://schemas.xmlsoap.org/ws/2003/06/utility

OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

Table 4. Namespaces summary. This table summarizes the namespaces that are used to send and receive messages.

Run time           Send                               Receive
JAX-RPC draft 13   OASIS draft 13                     OASIS draft 13
JAX-RPC            OASIS wssec 1.0                    OASIS wssec 1.0, OASIS draft 13
JAX-WS             OASIS wssec 1.1, OASIS wssec 1.0   OASIS wssec 1.1, OASIS wssec 1.0, OASIS draft 13


The Web services security run time in WebSphere Application Server cannot accept any of the following namespaces:
April 2002 specification
http://schemas.xmlsoap.org/ws/2002/04/secext
August 2002 addendum
http://schemas.xmlsoap.org/ws/2002/07/secext

http://schemas.xmlsoap.org/ws/2002/07/utility

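As an added example (not WebSphere code, not from this page), the following constructed Python check applies two rules stated above to an incoming SOAP 1.1 envelope: it classifies the wsse:Security namespace as accepted (draft 13, wssec 1.0, wssec 1.1) or rejected (the 2002 secext namespaces), and it evaluates Timestamp freshness only when a wsu:Expires value is present, as the Time stamp row of Table 1 describes. The sample envelope, the function name and the result tuple are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope (assumed)
# secext namespaces the page lists as accepted by the run time ...
ACCEPTED = {
    "http://schemas.xmlsoap.org/ws/2003/06/secext": "OASIS draft 13",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd": "OASIS wssec 1.0",
    "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd": "OASIS wssec 1.1",
}
# ... and the 2002 secext namespaces it cannot accept.
REJECTED = {
    "http://schemas.xmlsoap.org/ws/2002/04/secext": "April 2002 specification",
    "http://schemas.xmlsoap.org/ws/2002/07/secext": "August 2002 addendum",
}
UTILITY = ("http://schemas.xmlsoap.org/ws/2003/06/utility",
           "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample request (not from the page): OASIS wssec 1.0 header with a Timestamp.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsu:Timestamp><wsu:Created>2014-04-17T21:00:00Z</wsu:Created>
    <wsu:Expires>2014-04-17T21:05:00Z</wsu:Expires></wsu:Timestamp>
  </wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_security_header(envelope_xml, now_utc):
    """Return (namespace verdict, spec name, freshness) for one SOAP envelope (assumed helper)."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    security = None
    if header is not None:
        security = next((c for c in header if c.tag.endswith("}Security")), None)
    if security is None:
        return ("missing", None, "not-checked")
    ns = security.tag[1:].split("}")[0]  # namespace URI of the Security element
    if ns in REJECTED:
        return ("rejected", REJECTED[ns], "not-checked")
    if ns not in ACCEPTED:
        return ("unknown", ns, "not-checked")
    # Page rule: freshness is evaluated only when an Expires value is present.
    freshness = "not-checked"
    for uns in UTILITY:
        expires = security.find(f"{{{uns}}}Timestamp/{{{uns}}}Expires")
        if expires is not None and expires.text:
            freshness = "fresh" if parse_utc(now_utc) < parse_utc(expires.text) else "expired"
    return ("accepted", ACCEPTED[ns], freshness)
```
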
Refer to the Web Services Security elements table for a description of capabilities that are not supported.


Last updated: April 17, 2014 04:48 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-iseries&topic=rwbs_wssecurityws
File name: rwbs_wssecurityws.html