Securing JAX-WS web services using message-level security

Web Services Security standards and profiles address how to provide message-level protection for messages that are exchanged in a web service environment.

Before you begin

Before you begin this task, you must develop and deploy a JAX-WS application. See the topic "JAX-WS" for more information.

About this task

Java™ API for XML-Based Web Services (JAX-WS) is the next generation web services programming model complementing the foundation provided by the Java API for XML-based RPC (JAX-RPC) programming model. Using JAX-WS, development of web services and clients is simplified with greater platform independence for Java applications through the use of dynamic proxies and Java annotations. JAX-WS simplifies application development through support of a standard, annotation-based model to develop web service applications and clients. A required part of the Java Platform, Enterprise Edition 5 (Java EE 5), JAX-WS is also known as JSR 224.

JAX-WS applications can be secured with Web Services Security in one of two ways. The application can be secured using policy sets, or through the use of the Web Services Security API (WSS API). The WSS API can only be used to secure a JAX-WS client application. The following sections describe both methods.

Procedure

  1. Decide which programming model, JAX-WS or JAX-RPC, works best for securing your web services applications.

    This procedure uses the JAX-WS programming model. For more information, see Overview of standards and programming models for web services message-level security.

  2. Configure the security bindings, or migrate an application and associated bindings.

    For more information about bindings, read about defining and managing policy set bindings. See Configuring default Web Services Security bindings and Migration of JAX-WS Web Services Security bindings from Version 6.1.

  3. Develop and assemble a JAX-WS application.

    For more information, see Developing message-level security for JAX-WS web services.

  4. Deploy the JAX-WS application.
  5. Configure and administer the Web Services Security runtime environment.

    Read about signing and encrypting message parts using policy sets to find out how to specify the required message-level protection. The policy specifies what protection will be applied, including which message parts to sign or encrypt, and the token types and algorithms to use. For complete information about policy sets, read about managing policy sets using the administrative console.

  6. Configure policy sets through metadata exchange (WS-MetadataExchange).

    In WebSphere Application Server Version 7.0 and later, using JAX-WS, you can enable the Web Services Metadata Exchange (WS-MetadataExchange) protocol so that the policy configuration of the service provider is included in the WSDL and is available to a WS-MetadataExchange GetMetadata request. One advantage of using the WS-MetadataExhange protocol is that you can apply message-level security to WS-MetadataExchange GetMetadata requests by using a suitable system policy set. Another advantage is that the client does not have to match the provider configuration, or have a policy set attached. The client only needs the binding information, and then the client can operate based on the provider policy, or based on the intersection of the client and provider policies.

    You can configure a service provider to share its policy configuration using the administrative console. For more information, read the following topics: