Web Services Security model in WAS

Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts for v5.x applications

Web Services Security model in WAS

The Web Services Security model used by WAS is the declarative model. WAS does not include any API for programmatically interacting with Web Services Security. However, a few Server Provider Interfaces (SPIs) are available for extending some security-related behaviors.
There is an important distinction between Version 5.x and v6 and later applications. The information in this article supports v5.x applications only that are used with WAS v6.0.x and later. The information does not apply to v6 and later applications.
Figure 1. Web Services Security model
The security constraints for Web Services Security are specified in IBM deployment descriptor extensions for Web services. The Web Services Security run time acts on the constraints to enforce Web Services Security for the SOAP message. The scope of the IBM deployment descriptor extension is at the enterprise bean (EJB) or web module level. Bindings are associated with each of the following IBM deployment descriptor extensions:

Client (Might be either a Java EE client (application client container) or web services acting as a client)

ibm-webservicesclient-ext.xmi

ibm-webservicesclient-bnd.xmi

Server

ibm-webservices-ext.xmi

ibm-webservices-bnd.xmi

IBM recommends that you use the assembly tools provided by IBM to create the IBM deployment descriptor extension and bindings. After the bindings are created, you can use the admin console or an assembly tool to specify the bindings.
The binding information is collected after application deployment rather than during application deployment. The alternative is to specify the required binding information before deploying the application.
Figure 2. Web Services Security message interpretation
The Web Services Security run time enforces Web Services Security based on the defined security constraints in the deployment descriptor and binding files. Web Services Security has the following four points where it intercepts the message and acts on the security constraints defined:

Web Services Security message points. The descriptions of the points provides examples of Web Services Security runtime environment behavior.

Message points Description
Request sender (defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files)

Applies the appropriate security constraints to the SOAP message (such as signing or encryption) before the message is sent, generating the time stamp or the required security token.

Request receiver (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)

Verifies that the Web Services Security constraints are met.
Verifies the freshness of the message based on the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints.
Verifies the required signature.
Verifies that the message is encrypted and decrypts the message if encrypted.
Validates the security tokens and sets up the security context for the downstream call.

Response sender (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)

Applies the appropriate security constraints to the SOAP message response, like signing the message, encrypting the message, or generating the time stamp.

Response receiver (defined in the ibm-webservicesclient-ext.xmi or ibm-webservicesclient-bnd.xmi files)

Verifies that the Web Services Security constraints are met.
Verifies the freshness of the message based on the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints.
Verifies the required signature.
Verifies that the message is encrypted and decrypts the message, if encrypted.

Web Services Security specification—a chronology
Web Services Security and Java Platform, Enterprise Edition security relationship
Secure web services

Related

Web Services Security support

+
Search Tips | Advanced Search

Message points	Description
Request sender (defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files)	Applies the appropriate security constraints to the SOAP message (such as signing or encryption) before the message is sent, generating the time stamp or the required security token.
Request receiver (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)	Verifies that the Web Services Security constraints are met. Verifies the freshness of the message based on the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints. Verifies the required signature. Verifies that the message is encrypted and decrypts the message if encrypted. Validates the security tokens and sets up the security context for the downstream call.
Response sender (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)	Applies the appropriate security constraints to the SOAP message response, like signing the message, encrypting the message, or generating the time stamp.
Response receiver (defined in the ibm-webservicesclient-ext.xmi or ibm-webservicesclient-bnd.xmi files)	Verifies that the Web Services Security constraints are met. Verifies the freshness of the message based on the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints. Verifies the required signature. Verifies that the message is encrypted and decrypts the message, if encrypted.