Overview of standards and programming models for web services message-level security

Web Services Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment.

To secure web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to inter-operate between formerly incompatible security technologies in heterogeneous environments.

Web Services Security standards

The Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security) specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web Services Security is a message-level standard: SOAP messages are signed with XML digital signature, kept confidential with XML encryption, and carry credentials as security tokens. WebSphere® Application Server supports Version 1.1 of the Web Services Security specification, including features such as encrypted header, thumbprint and signature confirmation, the Username token profile and the X.509 token profile. In addition, limited security scenario support is provided for the Kerberos Version 1.1 token profile, WS-SecureConversation Version 1.3, WS-Trust Version 1.3, and WS-SecurityPolicy Version 1.2.

The Web Services Security SOAP Message Security 1.1 specification outlines a standard set of SOAP 1.1 extensions that you can use to build secure web services. These extensions provide integrity and confidentiality protection, which are generally implemented with digital signature and encryption technologies. In addition, Web Services Security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is the username token, in which a user name and password are carried as text. Web Services Security also defines how to encode binary security tokens such as X.509 certificates. However, the SOAP Message Security 1.1 specification does not itself define the security tokens that a given exchange requires. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, and so on.
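The username token described above is the simplest token to reason about, so the following added example (not WebSphere code, and not part of the original page) builds one on the client side and checks it on the provider side. It uses the published OASIS WSS 1.0 and Username Token Profile 1.0 namespace URIs, and the Password_Digest formula from that profile, Base64(SHA-1(nonce + created + password)). Everything else (`SAMPLE_USERS`, `lookup_password`, `build_envelope`, `verify_username_token`, the user names, passwords, nonces and timestamps) is constructed for the example. The provider side enforces the checks that make a digest token worth more than a cleartext one: it refuses PasswordText, bounds the `Created` timestamp to a freshness window, and keeps a nonce cache so that a captured token cannot be replayed.

```python
"""WS-Security UsernameToken with PasswordDigest: client-side build, provider-side verify.

Added example for this page; not WebSphere code. Namespace URIs are the OASIS
WSS 1.0 / Username Token Profile 1.0 URIs. Users, passwords, nonces and
timestamps are constructed sample values.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store. A real provider consults its user registry; note that
# the digest scheme requires the provider to recover the cleartext password.
SAMPLE_USERS = {"alice": "correct horse battery staple"}


def lookup_password(username):
    return SAMPLE_USERS.get(username)


def password_digest(nonce, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)) as the Username Token
    Profile defines it: nonce is the raw bytes, created and password are UTF-8 text."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_envelope(username, password, created=None, nonce=None):
    """Client side: return a SOAP 1.1 envelope whose Security header carries a digest token."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = os.urandom(16) if nonce is None else nonce
    ET.register_namespace("soapenv", SOAP)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")  # payload omitted; the header is the point here
    return ET.tostring(env, encoding="unicode")


def verify_username_token(xml_text, seen_nonces, now_iso=None, max_skew=timedelta(minutes=5)):
    """Provider side. Returns (ok, detail): detail is the user name on success, otherwise
    the rejection reason. seen_nonces is the caller's replay cache (a set of nonce strings)."""
    root = ET.fromstring(xml_text)
    token = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken in Security header"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_el = token.find(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw_el is None or nonce_el is None or not nonce_el.text or created is None:
        return False, "token is missing Username, Password, Nonce or Created"
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "only PasswordDigest tokens are accepted"  # never accept PasswordText
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "Created is not a dateTime in the expected form"
    now = (datetime.strptime(now_iso, TIME_FMT).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    if abs(now - created_dt) > max_skew:
        return False, "Created is outside the freshness window"
    if nonce_el.text in seen_nonces:
        return False, "nonce already used (replay)"
    password = lookup_password(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_el.text), created, password)
    if not hmac.compare_digest(expected.encode("ascii"), (pw_el.text or "").encode("utf-8")):
        return False, "password digest mismatch"
    seen_nonces.add(nonce_el.text)  # remember the nonce only after a successful check
    return True, username


def demo():
    """Verify a fresh token for alice, then present the same token again: a replay."""
    envelope = build_envelope("alice", SAMPLE_USERS["alice"])
    cache = set()
    return verify_username_token(envelope, cache), verify_username_token(envelope, cache)


if __name__ == "__main__":
    print(demo())
```

The nonce cache must be bounded by the same window as `Created`: once a timestamp falls outside `max_skew` it is rejected regardless of nonce, so entries older than the window can be expired. The SHA-1 digest is the algorithm the profile specifies; it hides the password in transit from a passive observer but is no substitute for a confidential channel or XML encryption, since an offline guess against the digest is still possible.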

Note that although Web Services Security can provide message-level integrity and confidentiality protection for normal SOAP requests from a client to a service and for normal SOAP responses from a service to a client, it cannot be used to protect SOAP fault messages. A fault therefore travels without signature or encryption, and its content should be treated accordingly.

Compatibility between WS-Security Draft 13 and WS-Security standard Versions 1.0 and 1.1

The WS-Security standard has evolved over the years, from a draft to an OASIS standard. WebSphere Application Server Version 5.02 introduced support for the WS-Security Draft 13, and support for WS-Security 1.0 was introduced beginning with WebSphere Application Server Version 6.0. WS-Security Version 1.1 is supported by WebSphere Application Server Version 6.1 Feature Pack for Web Services, using the JAX-WS runtime only. The topic Web Services Security specification - a chronology provides more details about the evolution of this support.

It is important to note that a WS-Security Draft 13 client is not compatible with providers that use WS-Security Version 1.0 or Version 1.1. You must use a Draft 13 client to communicate with a Draft 13 web services provider. You cannot use a Draft 13 client to communicate with a WS-Security Version 1.0 provider or a Version 1.1 provider. This issue arises because the SOAP message format for the WS-Security header and its namespace differ between a WS-Security Draft 13–enabled application and a WS-Security Version 1.0 or Version 1.1–enabled application.
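Because the incompatibility shows up as a different namespace on the `Security` header, a provider or gateway can classify incoming messages before the runtime rejects them with an opaque `mustUnderstand` fault. The following added example (not WebSphere code, not part of the original page) does that classification. The OASIS 1.0 and 1.1 namespace URIs are the published ones; WSS 1.1 keeps the 1.0 namespace for the header itself and adds a separate namespace only for its new elements, which is how the classifier tells 1.1 from 1.0. The draft-era URI `WSSE_DRAFT` is an assumption about the pre-OASIS namespace a Draft 13 runtime emits and should be confirmed against real Draft 13 traffic; the sample envelopes and the function names are constructed.

```python
"""Classify the WS-Security generation of a SOAP message from its Security header namespace.

Added example for this page; not WebSphere code. WSSE_10 and WSSE_11 are the published
OASIS namespace URIs. WSSE_DRAFT is an ASSUMED placeholder for the pre-OASIS (Draft 13)
namespace: verify it against your own Draft 13 messages. Sample envelopes are constructed.
"""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE_11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSSE_DRAFT = "http://schemas.xmlsoap.org/ws/2003/06/secext"  # assumed placeholder, see above

GENERATION = {
    WSSE_DRAFT: "WS-Security Draft 13",
    WSSE_10: "WS-Security 1.0",
}


def classify_security_header(xml_text):
    """Return the Security header's namespace, the generation it belongs to, and whether
    any WSS 1.1 extension element (such as SignatureConfirmation) is present."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP11}}}Header")
    security = None
    if header is not None:
        for child in header:
            # Match on local name only: the whole point is that the namespace varies.
            if child.tag.rsplit("}", 1)[-1] == "Security":
                security = child
                break
    if security is None:
        return {"namespace": None, "generation": "no Security header", "uses_11_extensions": False}
    ns = security.tag[1:security.tag.index("}")] if security.tag.startswith("{") else ""
    uses_11 = any(el.tag.startswith(f"{{{WSSE_11}}}") for el in security.iter())
    generation = GENERATION.get(ns, "unknown WS-Security namespace")
    if ns == WSSE_10 and uses_11:
        generation = "WS-Security 1.1"  # 1.1 header lives in the 1.0 namespace plus wsse11 children
    return {"namespace": ns, "generation": generation, "uses_11_extensions": uses_11}


def accepted_by_provider(xml_text, provider_generations):
    """Gateway-style check: (accepted, generation). A Draft 13 header arriving at a provider
    configured for 1.0/1.1 is turned away here with a readable reason."""
    generation = classify_security_header(xml_text)["generation"]
    return generation in provider_generations, generation


def _envelope(wsse_ns, extra=""):
    """Constructed sample envelope with a minimal UsernameToken in the given namespace."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{wsse_ns}" soapenv:mustUnderstand="1">'
            f'<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>'
            f'{extra}</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>')


SAMPLE_10 = _envelope(WSSE_10)
SAMPLE_11 = _envelope(WSSE_10, f'<wsse11:SignatureConfirmation xmlns:wsse11="{WSSE_11}" '
                                 'Value="c2FtcGxlLXNpZ25hdHVyZQ=="/>')  # constructed value
SAMPLE_DRAFT = _envelope(WSSE_DRAFT)
SAMPLE_NONE = f'<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Body/></soapenv:Envelope>'

if __name__ == "__main__":
    oasis = {"WS-Security 1.0", "WS-Security 1.1"}
    for name, msg in [("1.0", SAMPLE_10), ("1.1", SAMPLE_11), ("draft", SAMPLE_DRAFT), ("none", SAMPLE_NONE)]:
        print(name, classify_security_header(msg), accepted_by_provider(msg, oasis))
```

Matching the header on its local name rather than a fixed qualified name is deliberate: a check that looks only for the OASIS-qualified `wsse:Security` would report a Draft 13 message as having no security header at all, which is a less useful diagnosis than "wrong generation".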

The version of the WS-Security standard that is used also has implications for the required version of the Java™ Platform, Enterprise Edition (Java EE) application:
  • Java EE Version 1.3 is used only with WS-Security Draft 13.
  • Java EE Version 1.4 and later is used with WS-Security Version 1.0 (JAX-RPC and JAX-WS), and also WS-Security Version 1.1 (JAX-WS).

The following diagram illustrates these compatibility considerations:

[Figure: Interaction of various web services runtimes with J2EE]

To secure web services with WebSphere Application Server, you must specify several different configurations. Although there is not a specific sequence in which you must specify these different configurations, some configurations reference other configurations. See Web Services Security configuration considerations.

Because the different Web Services Security configurations depend on one another, it is recommended that you specify them, at each configuration level, in the order described in the following sections. You can configure Web Services Security at the application level, the server level, or the cell level, depending on your environment and security needs.

Web Services Security programming models

Take advantage of the easy-to-implement Java™ API for XML-Based Web Services (JAX-WS) programming model to develop new web services applications and clients. JAX-WS is the next generation web services programming model: it simplifies the development of web services and clients through a standard, annotation-based model, and gives Java applications greater platform independence through dynamic proxies and Java annotations. JAX-WS applications can be secured with Web Services Security in one of two ways: using policy sets, or using the Web Services Security API (WSS API). To secure web services using the JAX-WS programming model, begin with the topic Securing JAX-WS web services using message-level security.

The Java™ API for XML-based RPC (JAX-RPC) specification enables you to develop SOAP-based interoperable and portable web services and web service clients. JAX-RPC 1.1 provides core APIs for developing and deploying web services on a Java platform and is a part of the Web Services for Java Platform, Enterprise Edition (Java EE) platform. IBM® WebSphere® Application Server supports both the JAX-WS programming model and the JAX-RPC programming model. JAX-WS is the next generation web services programming model, extending the foundation provided by the JAX-RPC programming model. To secure web services using the Java API for XML-based RPC (JAX-RPC) programming model, begin with the topic Securing JAX-RPC web services using message-level security.