Securing web services
Web services security for WebSphere® Application Server is based on the OASIS web services security (WSS) Version 1.0 specification, the Username token Version 1.0 profile, and the X.509 token Version 1.0 profile. These standards and profiles address how to provide protection for messages that are exchanged in a web service environment.
Web services security overview
The OASIS web services security (WSS) Version 1.0 specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. WSS is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens. New in the Feature Pack for Web Services, JAX-WS web services can be easily secured using policy sets.
Securing a web service by using a WS-Security policy
You can secure a Java API for XML Web Services (JAX-WS) web service by using a WS-Security policy. You can add a WS-Security policy template to your Web Services Description Language (WSDL) file.
Securing a web service by using a WS-Security policy without a WSDL contract
You can secure a Java API for XML Web Services (JAX-WS) web service by using a WS-Security policy. You do not need to create a Web Services Description Language (WSDL) contract to attach a WS-Security policy to a JAX-WS web service or client.
Qualities of service for JAX-WS web services and clients
You can use policy sets to simplify configuring the qualities of service for web services and clients. Policy sets are assertions about how web services are defined. Using policy sets, you can combine configurations for different policies. You can use policy sets with JAX-WS applications, but not with JAX-RPC applications.
Creating a policy set attachment on the client side
You can add security to a web service client by attaching policy sets to the client. Each attachment specifies an endpoint, a policy set, and a binding. Because each configuration is specific to an application and a user, you must configure a binding for some policy types.
Creating a policy set attachment on the server side
You can add security to a web service by attaching policy sets to the service. Each attachment specifies an endpoint, a policy set, and a binding.
Modifying policy set attachments
After you create policy set attachments for your web service or client, you can modify attachment attributes. For example, you can specify different endpoints and policy sets. For policy set attachments on the client side, you can also specify different bindings and binding configurations.
Editing policy set bindings
You can create and edit existing policy set binding configurations by using the binding stand-alone editors.
Importing policy sets into your workspace
In addition to using the policy sets that come with the product, you can import policy sets that were exported from a server. After you import these policy sets into your workspace, you can attach them to your web services and clients.