Overview of standards and programming models for web services message-level security
Web Services Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment.
To secure web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies in heterogeneous environments. The complete Web Services Security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
Web Services Security standards
The Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security) specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web Services Security is a message-level standard: it secures SOAP messages through XML digital signature for integrity, XML encryption for confidentiality, and security tokens for credential propagation. WebSphere Application Server supports Version 1.1 of the Web Services Security specification, including features such as encrypted headers, thumbprint references, signature confirmation, the Username token profile and the X.509 token profile. In addition, limited security scenario support is provided for the Kerberos Version 1.1 token profile, WS-SecureConversation Version 1.3, WS-Trust Version 1.3, and WS-SecurityPolicy Version 1.2.
The Web Services Security SOAP Message Security 1.1 specification outlines a standard set of SOAP 1.1 extensions we can use to build secure web services. These extensions provide integrity and confidentiality protection, which are generally implemented with digital signature and encryption technologies. In addition, Web Services Security provides a general purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and a password (or a digest of the password) are included as text; if the password is sent as plain text, its confidentiality depends on XML encryption or on a protected transport channel. Web Services Security also defines how to carry binary security tokens, such as X.509 certificates, in a message. However, the SOAP Message Security 1.1 specification does not itself define the individual security tokens. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, and so on.
It is important to note that while Web Services Security can be used to provide message level integrity and confidentiality protection for normal SOAP message requests from a client to a service, and normal SOAP message responses from a service to a client, Web Services Security cannot be used to protect SOAP fault messages.
Compatibility between WS-Security Draft 13 and WS-Security standard Versions 1.0 and 1.1
The WS-Security standard has evolved over the years, from a draft to an OASIS standard. WAS v5.0.2 introduced support for WS-Security Draft 13, and support for WS-Security 1.0 was introduced beginning with WAS v6.0. WS-Security Version 1.1 is supported by the WAS v6.1 Feature Pack for Web Services, using the JAX-WS runtime only. The topic Web Services Security specification - a chronology provides more details about the evolution of this support.
It is important to note that a WS-Security Draft 13 client is not compatible with providers that use WS-Security Version 1.0 or Version 1.1. A Draft 13 client can communicate only with a Draft 13 web services provider, not with a Version 1.0 or Version 1.1 provider. This issue arises because the SOAP message format for the WS-Security header, including its XML namespace, differs between a WS-Security Draft 13-enabled application and a WS-Security Version 1.0 or Version 1.1-enabled application, so a provider expecting one namespace does not recognize the Security header sent in the other.
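The following is an added example (not WebSphere code and not from the original page) that makes two points above concrete: the shape of a WS-Security 1.0 Security header carrying a Username token, and why a provider bound to one header namespace rejects messages written in another. It builds a SOAP 1.1 envelope whose wsse:UsernameToken uses the PasswordDigest form from the Username Token Profile (Base64(SHA-1(nonce + created + password))), then verifies it on the provider side with the checks a practitioner wants: the header must be in the OASIS 1.0 namespace, the password type must be the digest form, the Created timestamp must be fresh, and a nonce must not be reused. The namespace URIs are the real OASIS 1.0 ones; the user credential, the request body and the "urn:example:draft-wsse" stand-in used to simulate a header in a different (pre-OASIS) namespace are constructed for this example, not the actual Draft 13 URI. Only the Python standard library is used.

```python
"""WS-Security 1.0 UsernameToken (PasswordDigest) producer and verifier.
Added example for illustration only; not WebSphere Application Server code."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: SOAP 1.1 envelope with a wsse:Security header holding a UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken", {f"{{{WSU_NS}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST}).text = (
        password_digest(nonce, created, password))
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", {"EncodingType": BASE64_BINARY}).text = (
        base64.b64encode(nonce).decode("ascii"))
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Provider side: accepts only WS-Security 1.0 headers with a fresh, unreplayed digest token."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users            # username -> password; a real provider consults a registry
        self.max_skew = max_skew
        self.seen = set()             # (nonce, created) already accepted; bound this cache in production

    def verify(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        header = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Header")
        if header is None:
            raise ValueError("missing SOAP Header")
        sec = header.find(f"{{{WSSE_NS}}}Security")
        if sec is None:  # a Security header in another namespace (e.g. a pre-OASIS draft) is not ours
            others = [c.tag for c in header if c.tag.endswith("}Security")]
            raise ValueError(f"no WS-Security 1.0 Security header (found {others or 'none'})")
        tok = sec.find(f"{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            raise ValueError("missing UsernameToken")
        username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
        pw = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_el = tok.find(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if pw is None or nonce_el is None or not created:
            raise ValueError("incomplete UsernameToken")
        if pw.get("Type") != PASSWORD_DIGEST:
            raise ValueError("only PasswordDigest accepted; PasswordText carries the password in the clear")
        nonce = base64.b64decode(nonce_el.text or "")
        ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_skew:
            raise ValueError("Created timestamp outside the freshness window")
        if (nonce, created) in self.seen:
            raise ValueError("replayed nonce")
        # Compute the digest even for unknown users so timing does not reveal valid usernames.
        expected = password_digest(nonce, created, self.users.get(username, ""))
        given = (pw.text or "").strip()
        if username not in self.users or not hmac.compare_digest(expected.encode(), given.encode()):
            raise ValueError("password digest mismatch")
        self.seen.add((nonce, created))
        return username


def check(verifier, envelope_xml, now):
    """Return 'accepted:<user>' or 'rejected:<reason>' so outcomes are easy to compare."""
    try:
        return "accepted:" + verifier.verify(envelope_xml, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo():
    """Exercise the producer against the verifier; returns the outcome of each step in order."""
    users = {"alice": "correct horse battery staple"}            # constructed test credential
    created = "2024-05-01T12:00:00Z"
    now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    body = "<getQuote xmlns='urn:example'>IBM</getQuote>"        # constructed request body
    env = build_envelope("alice", users["alice"], body, nonce=b"0123456789abcdef", created=created)
    v = UsernameTokenVerifier(users)
    results = [check(v, env, now), check(v, env, now)]           # accepted, then replay rejected
    results.append(check(UsernameTokenVerifier(users), env, now + timedelta(hours=1)))   # stale
    wrong = build_envelope("alice", "not her password", body, nonce=b"fedcba9876543210", created=created)
    results.append(check(UsernameTokenVerifier(users), wrong, now))
    # Same message with its Security header moved to a made-up pre-OASIS namespace (stand-in URI,
    # not the real Draft 13 one): a 1.0 provider cannot find the header it expects and rejects it.
    results.append(check(UsernameTokenVerifier(users), env.replace(WSSE_NS, "urn:example:draft-wsse"), now))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The verifier deliberately refuses PasswordText tokens; with the digest form, an eavesdropper who sees the header cannot recover the password from it, but the digest still gives no integrity or confidentiality for the Body, which is what XML signature and XML encryption are for.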
The version of the WS-Security standard used also has implications for the required version of the Java EE application:
- Java EE Version 1.3 is used only with WS-Security Draft 13.
- Java EE Version 1.4 and later is used with WS-Security Version 1.0 (JAX-RPC and JAX-WS), and also WS-Security Version 1.1 (JAX-WS).
The following diagram illustrates these compatibility considerations:
To secure web services with WAS, specify several different configurations. Although there is no fixed sequence in which to specify these configurations, some configurations reference other configurations. See Web Services Security configuration considerations.
Because of the relationship between the different Web Services Security configurations, IBM recommends specifying the configurations on each level in the order described in the following sections. We can choose to configure Web Services Security at the application level, the server level or the cell level, depending upon the environment and security needs.
Web Services Security programming models
Take advantage of the JAX-WS programming model to develop new web services applications and clients. JAX-WS is the next generation web services programming model: it simplifies development of web services and clients through a standard, annotation-based model, and gives greater platform independence for Java applications through the use of dynamic proxies and Java annotations. JAX-WS applications can be secured with Web Services Security in one of two ways: using policy sets, or through the Web Services Security API (WSS API). To secure web services using JAX-WS, begin with the topic Secure JAX-WS web services using message-level security.
The JAX-RPC specification enables us to develop SOAP-based interoperable and portable web services and web service clients. JAX-RPC 1.1 provides core APIs for developing and deploying web services on a Java platform and is a part of the Web Services for Java EE platform. IBM WebSphere Application Server supports both JAX-WS and JAX-RPC. JAX-WS is the next generation web services programming model, extending the foundation provided by JAX-RPC. To secure web services using JAX-RPC, begin with the topic Secure JAX-RPC web services using message-level security.
- Secure JAX-WS web services using message-level security
- Secure JAX-RPC web services using message-level security
- Enable hardware cryptographic devices for Web Services Security
- Configure secure transmission of SOAP messages using WS-Security
- Getting WS-Security information from the owning parties
- Web Services Security configuration considerations