Web Services Security model in WebSphere Application Server
The Web Services Security model used by WebSphere® Application Server is the declarative model. WebSphere Application Server does not include any application programming interfaces (APIs) for programmatically interacting with Web Services Security. However, a few Server Provider Interfaces (SPIs) are available for extending some security-related behaviors.
Important: There is an important distinction between Version
5.x and Version 6 and later applications. The information supports
Version 5.x applications only that are used with WebSphere Application
Server Version 6.0.x and later. The information does not apply
to Version 6 and later applications.
Figure 1. Web Services Security model

The security constraints for Web Services Security are specified
in IBM® deployment descriptor extensions for Web
services. The Web Services Security run time acts on the constraints
to enforce Web Services Security for the SOAP message. The scope of
the IBM deployment descriptor extension is at the
enterprise bean (EJB) or web module level. Bindings are associated
with each of the following IBM deployment descriptor extensions:
- Client (Might be either a Java™ Platform, Enterprise Edition (Java EE) client (application client container) or web services acting as a client)
- ibm-webservicesclient-ext.xmi
- ibm-webservicesclient-bnd.xmi
- Server
- ibm-webservices-ext.xmi
- ibm-webservices-bnd.xmi
It is recommended that you use the assembly tools provided by IBM to create the IBM deployment descriptor extension and bindings. After the bindings are created, you can use the administrative console or an assembly tool to specify the bindings.
Important: The binding information is collected after
application deployment rather than during application deployment.
The alternative is to specify the required binding information before
deploying your application.
Figure 2. Web Services Security message interpretation

The Web Services Security run time enforces Web Services Security
based on the defined security constraints in the deployment descriptor
and binding files. Web Services Security has the following four points
where it intercepts the message and acts on the security constraints
defined:
Message points | Description |
---|---|
Request sender (defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files) |
|
Request receiver (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files) |
|
Response sender (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files) |
|
Response receiver (defined in the ibm-webservicesclient-ext.xmi or ibm-webservicesclient-bnd.xmi files) |
|