High-level architecture for Web Services Security
The Web Services Security policy is specified in the IBM® extension of the web services deployment descriptors when using the JAX-RPC programming model, and in policy sets when using the JAX-WS programming model. A stand-alone JAX-WS client application may specify Web Services Security policy programmatically. Binding data that supports the Web Services Security policy are stored in the IBM extension of the web services deployment descriptors for both the JAX-RPC and JAX-WS programming models. The Web Services Security run time enforces the security assertions that are specified in the policy document, or in the application program, in that order.

WebSphere Application Server uses the Java Platform, Enterprise Edition (Java EE) Version 1.4 or later web services deployment model to implement Web Services Security. One of the advantages of deployment model is that you can define the Web Services Security requirements outside of the application business logic. With the separation of roles, the application developer can focus on the business logic and the security expert can specify the security requirement.
The following figure shows the high-level architecture model that is used to secure web services in WebSphere Application Server:

The WSS API can also be used to secure the message, as illustrated later in this section:

- Request generator
- This client-side configuration defines the Web Services Security requirements for the outgoing SOAP message request. These requirements might involve generating a SOAP message request that uses a digital signature, incorporates encryption, and attaches security tokens. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the request generator was known as the request sender.
- Request consumer
- This server-side configuration defines the Web Services Security requirements for the incoming SOAP message request. These requirements might involve verifying that the required integrity parts are digitally signed; verifying the digital signature; verifying that the required confidential parts were encrypted by the request generator; decrypting the required confidential parts; validating the security tokens, and verifying that the security context is set up with the appropriate identity. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the request consumer was known as the request receiver.
- Response generator
- This server-side configuration defines the Web Services Security requirements for the outgoing SOAP message response. These requirements might involve generating the SOAP message response with Web Services Security; including digital signature; and encrypting and attaching the security tokens, if necessary. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the response generator was known as the response sender.
- Response consumer
- This client-side configuration defines the Web Services Security requirements for the incoming SOAP response. The requirements might involve verifying that the integrity parts are signed and the signature is verified; verifying that the required confidential parts are encrypted and that the parts are decrypted; and validating the security tokens. In WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1, the response consumer was known as the response receiver.
WebSphere Application Server does not include security policy negotiation or exchange between the client and server. This security policy negotiation, as defined by the WS-Policy, WS-PolicyAssertion, and WS-SecurityPolicy specifications, are not supported in WebSphere Application Server.
- IBM assembly tools
- Use IBM assembly tools to edit the Web Services Security deployment descriptor and binding. Use the tools to assemble both web and Enterprise JavaBeans (EJB) modules. For more information, read about assembly tools.
- WebSphere Application Server Administrative Console
- Use this tool to edit the Web Services Security binding of a deployed application.