Securing JAX-RPC web services using message-level security

Standards and profiles address how to provide protection for messages that are exchanged in a web service environment.

Before you begin

Best practice: IBM® WebSphere® Application Server supports the Java™ API for XML-Based Web Services (JAX-WS) programming model and the Java API for XML-based RPC (JAX-RPC) programming model. JAX-WS is a web services programming model that extends the foundation provided by the JAX-RPC programming model. The JAX-WS programming model simplifies development of web services and clients through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.

About this task

To secure web services with WebSphere Application Server, you must specify several different configurations. Although there is not a specific sequence in which you must specify these different configurations, some configurations reference other configurations. See Web Services Security configuration considerations.

Web service security is supported in the managed web service container. To establish a managed environment and to enforce constraints for Web Services Security, you must perform a Java Naming and Directory Interface (JNDI) lookup on the client to resolve the service reference.
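The managed lookup described above, as an added example that is not part of the original documentation. The service endpoint interface QuoteService, its getQuote method and the service reference name java:comp/env/service/QuoteService are hypothetical, and the client is assumed to run in a managed client container whose deployment descriptor declares that service reference.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceException;

// Hypothetical service endpoint interface (assumption, not from the page).
interface QuoteService extends Remote {
    String getQuote(String symbol) throws RemoteException;
}

public class ManagedQuoteClient {
    // Hypothetical name; it must match the service-ref-name declared in the
    // client deployment descriptor assembled for this application.
    private static final String SERVICE_REF = "java:comp/env/service/QuoteService";

    // Resolves the port through JNDI so that the container hands back a
    // managed Service, which is where the Web Services Security constraints
    // configured for the service reference are enforced.
    static QuoteService resolvePort() throws NamingException, ServiceException {
        InitialContext ctx = new InitialContext();
        Service service = (Service) ctx.lookup(SERVICE_REF);
        return (QuoteService) service.getPort(QuoteService.class);
    }

    public static void main(String[] args) throws Exception {
        QuoteService port;
        try {
            port = resolvePort();
        } catch (NamingException e) {
            // Fail closed. Falling back to ServiceFactory.newInstance()
            // .createService(...) would build the service outside the managed
            // environment, so the request could leave without the configured
            // message-level protection.
            throw new IllegalStateException(
                "Service reference " + SERVICE_REF + " is not bound; refusing unmanaged fallback", e);
        }
        System.out.println(port.getQuote("IBM"));
    }
}
```

The point to carry into code review is the catch block: a lookup failure is treated as a deployment error, not as a reason to construct the service another way.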

Because the Web Services Security configurations reference one another, specify the configurations at each level in the following order. You can configure Web Services Security for the application level, the server level, or the cell level, depending on your environment and security needs.

Procedure

  1. Decide which programming model, JAX-WS or JAX-RPC, works best for securing your web services applications.

    This procedure uses the JAX-RPC programming model. For more information, see Overview of standards and programming models for web services message-level security.

  2. Configure Web Services Security.

    You can choose to configure Web Services Security for the application level, the server level, the cell level, or the platform level, depending on your environment and security needs. Cell-level configuration is supported only in a network deployment environment.

  3. Develop and assemble a JAX-RPC application, or migrate an existing application.
    1. Assemble your Web Services Security-enabled application using an assembly tool. For more information, read about assembly tools. Before you modify a Web Services Security-enabled application in the WebSphere Application Server administrative console, you must assemble the application using an assembly tool. Although you can modify some of the application settings in the administrative console, you must configure the generator and the consumer security constraints using an assembly tool.
  4. Deploy the JAX-RPC application.

Results

After completing these steps for WebSphere Application Server, you have secured web services.