Configuring Web Services Security using the WSS APIs
The Web Services Security application programming interfaces (WSS API) provide support for securing SOAP messages.
Before you begin
Web Service Security supports the following programming models:
- Programming API for securing SOAP messages with Web Services Security (WSS API).
The API programming model has been redesigned. The new design is an interface-based programming model based on the Web Services Security Version 1.1 standards, and it also includes support for Web Services Security Version 1.0 for securing the SOAP message. The WSS API programming model implementation is a simplified version based on an early draft proposal of JSR-183, the JSR that defines the Java™ API binding for Web Services Security. By design, because application code is programmed to the interface, any application code that is programmed against the open source implementation should run on WebSphere® Application Server with minimal changes or no changes at all.
- Service Programming Interfaces (SPI) for a service provider
Similarly, the Web Services Security run time token generation and token consuming SPI have been redesigned so that the same security token interface and JAAS Login Module implementation can be used for both the WSS API and the SPI. The WSS SPI for the service provider extends the security token types and provides keys, and key derivation, for signing, signature verification, encryption and decryption.
About this task
- Security token types and deriving keys for signing
- Signature and verification
- Encryption and decryption
The following figure demonstrates how to use the simplified WSS APIs to secure a SOAP message by using XML digital signature and XML encryption.
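As an added illustration of that flow (this is example code written for this page, not IBM's sample and not the missing figure), the following client-side Java method builds a WSS API generation context that signs the SOAP body with the requester's X.509 key and then encrypts the body for the provider's certificate. The keystore file names, store types, passwords, aliases and distinguished names are placeholders, and the argument order of the `X509GenerateCallbackHandler` constructor is assumed from the product's published samples; check the WebSphere Javadoc for your release before relying on it. The example also assumes the generation context processes the signature and encryption in the order they are added, and that `gencont.process()` accepts the JAX-WS request context map.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;

import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

/**
 * Request-generator side of the WSS API: sign the SOAP body, then encrypt it.
 * Example code for this page; all keystore values below are placeholders.
 *
 * Note: this only takes effect if no policy set with a security policy is
 * attached to the application or its resources, because an attached policy
 * set is enforced and the WSS API configuration is ignored.
 */
public class WssApiRequestGenerator {

    public static void secureRequest(Object port) throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // 1. Signing token: the requester's own private key and certificate.
        //    Constructor argument order is assumed from the product samples.
        X509GenerateCallbackHandler sigHandler = new X509GenerateCallbackHandler(
                "",                                      // token name (unused here)
                "dsig-sender.ks",                        // placeholder keystore path
                "jks",                                   // placeholder keystore type
                "client".toCharArray(),                  // placeholder keystore password
                "soaprequester",                         // placeholder key alias
                "client".toCharArray(),                  // placeholder key password
                "CN=SOAPRequester, OU=Example, O=Example, C=US", // placeholder subject DN
                null);
        SecurityToken sigToken = factory.newSecurityToken(X509Token.class, sigHandler);

        WSSSignature sig = factory.newWSSSignature(sigToken);
        sig.addSignPart(WSSSignature.BODY);              // sign the SOAP body
        gencont.add(sig);                                // added first: sign before encrypt

        // 2. Encryption token: the service provider's public certificate only,
        //    so no key password is supplied.
        X509GenerateCallbackHandler encHandler = new X509GenerateCallbackHandler(
                "",
                "enc-sender.jceks",                      // placeholder keystore path
                "jceks",
                "storepass".toCharArray(),               // placeholder keystore password
                "provider",                              // placeholder certificate alias
                null,                                    // no private key needed
                "CN=Provider, OU=Example, O=Example, C=US", // placeholder subject DN
                null);
        SecurityToken encToken = factory.newSecurityToken(X509Token.class, encHandler);

        WSSEncryption enc = factory.newWSSEncryption(encToken);
        enc.addEncryptPart(WSSEncryption.BODY);          // encrypt the (already signed) body
        gencont.add(enc);                                // added second: runs after signing

        // 3. Attach the generation context to the outbound JAX-WS request, so
        //    the run time builds the WS-Security header when the call is made.
        Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
        gencont.process(reqContext);
    }
}
```

Signing before encrypting means the signature itself travels inside the encrypted body, so an intermediary cannot read which elements were signed or by whom; the consuming side has to decrypt first and then verify, which is the mirror image built with `WSSConsumingContext`, `WSSDecryption` and `WSSVerification`.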
The configuration model for web services has also been redesigned from a deployment descriptor model to a policy set model. The configuration programming model is based on configuring policy sets using a security policy to specify security constraints.
The functions provided by the policy set configurations are the same as the functions supported by the WSS API for the Web Services Security run time. However, a security policy that is defined using policy sets takes priority over the WSS API. When the WSS API and a policy set are both used in the application, the default behavior is for the security policy from the policy set to be enforced and the WSS API to be ignored. To use the WSS API in the application, you must make sure that no policy set is attached to the application or to the application resources, or that the attached policy set contains no security policy.
Web Services Security can be enabled either by using a policy set that is configured in the administrative console, or by using the WSS API for configuration.
Using the WSS API, complete the following high-level steps to secure the SOAP message:
Procedure
Results
What to do next
The Web Services Security run time token generation and token consuming Service Programming Interfaces (SPI) have been redesigned so that the same Security Token interface and JAAS Login Module implementation can be used in both the WSS API and the SPI. See the SPI information for detailed descriptions.