Developing message-level security for JAX-WS web services
JAX-WS applications can be secured with Web Services Security in one of two ways: the application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The Web Services Security service programming interface (WSS SPI) provides additional programming interfaces for securing web services.
Web Services Security API programming model
The application server programming model provides the Web Services Security application programming interfaces (WSS API) for securing SOAP messages.
Developing SAML applications
Use the SAML library application programming interface (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. The SAML trust client API provides helper functions that send WS-Trust SOAP requests to the specified external Security Token Service (STS).
Using Web Services Security SPIs
You can use the GenericSecurityTokenFactory SPIs to create security tokens for use by the WS-Security runtime. These security tokens can be used by, but are not limited to, the WSS APIs, JAAS login modules, and custom security tokens.
Securing web services applications using the WSS APIs at the message level
Standards and profiles address how to provide protection for messages that are exchanged in a web service environment. Web Services Security is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
Developing JAX-WS based web services client applications that retrieve security tokens
The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers.
Developing JAX-WS based web services server applications that retrieve security tokens
With a server application, the application acts as the request consumer and response generator, and is deployed and runs in the Java™ Platform, Enterprise Edition (Java EE) container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. You can retrieve the security tokens from the JAAS Subject that the container maintains as thread-local state.