Securing web services with WS-Security
The Web Services Security specification defines core facilities
for protecting the integrity and confidentiality of a message, and
provides mechanisms for associating security-related claims with a
message. Web Services Security, an extension of the IBM web services
engine, provides a quality of service.
Web Services Security concepts
The Web Services Security specification defines core facilities for protecting the integrity and confidentiality of a message, and provides mechanisms for associating security-related claims with a message.
Securing web services applications at the transport level
Transport-level security is a well-known and often used mechanism to secure HTTP Internet and intranet communications. Transport-level security can be used to secure web services messages. Transport-level security functionality is independent from functionality that is provided by message-level security (WS-Security) or HTTP basic authentication.
Authenticating web services clients using HTTP basic authentication
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint.
Securing JAX-WS web services using message-level security
Web Services Security standards and profiles address how to provide message-level protection for messages that are exchanged in a web service environment.
Securing JAX-RPC web services using message-level security
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment.
Securing web services using Security Assertion Markup Language (SAML)
The Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attribute information. Using SAML, a client can communicate assertions regarding the identity, attributes, and entitlements of a SOAP message. You can apply policy sets to JAX-WS applications to use SAML assertions in web services messages and in web services usage scenarios. Use SAML assertions to represent user identity and user security attributes, and optionally, to sign and to encrypt SOAP message elements.
Authenticating web services using generic security token login modules
You can use the generic security token login modules to issue, validate, and exchange security tokens using an external Security Token Service (STS).
Migrating Web Services Security
You can migrate Web Services Security bindings from an older version to the latest version of WebSphere® Application Server. The product migration function handles most of the migration process, but your input and action are required for specific configurations in order to complete the migration.
Developing applications that use Web Services Security
The Web Services Security specification provides a flexible framework for building secure web services to implement message content integrity and confidentiality. The Web Services Security service programming model supports this flexible framework by providing extension points to integrate new token formats, and methods to obtain keys needed for message protection. The application server programming model provides Web Services Security application programming interfaces (WSS API) for securing SOAP messages.
Configuring Web Services Security during application assembly
If you configure Web Services Security with an assembly tool, the Web Services Security binding information is modified
Administering Web Services Security
To secure web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. You can choose to configure Web Services Security for the application level, the server level or the cell level, depending upon your environment and security needs.
Tuning Web Services Security
When using Web Services Security for message-level protection of SOAP messages in WebSphere® Application Server, the choice of configuration options can affect the performance of the application.