The Web services security model used by WebSphere Application Server
is declarative. WebSphere Application Server does not provide any
application programming interfaces (APIs) for interacting programmatically
with Web services security. However, a few Service Provider Interfaces (SPIs)
are available for extending some security-related behaviors.
Important distinction between Version 5.x and Version 6.0.x applications
Note: The information in this article applies only to Version 5.x applications
that run on WebSphere Application Server Version 6.0.x. It does not apply to
Version 6.0.x applications.
Figure 1. Web services security model
The security constraints for Web services security are specified in IBM
deployment descriptor extensions for Web services. The Web services security
run time acts on the constraints to enforce Web services security for the
Simple Object Access Protocol (SOAP) message. The scope of the IBM deployment
descriptor extension is at the enterprise bean (EJB) or Web module level.
Bindings are associated with each of the following IBM deployment descriptor
extensions:
- Client (either a J2EE client running in the Application Client Container, or
a Web service acting as a client)
  - ibm-webservicesclient-ext.xmi
  - ibm-webservicesclient-bnd.xmi
- Server
  - ibm-webservices-ext.xmi
  - ibm-webservices-bnd.xmi
It is recommended that you use the tools provided by IBM (the Application
Server Toolkit and Rational Web Developer) to create the IBM deployment descriptor
extension and bindings. After the bindings are created, you can use the administrative
console or an assembly tool to specify the bindings.
Important: The binding information is collected after application
deployment rather than during it. Alternatively, specify the required binding
information before you deploy the application.
Figure 1. Web services security message interpretation
The Web services security run time enforces Web services security based
on the security constraints defined in the deployment descriptor and binding
files. It intercepts the message at the following four points and acts on the
security constraints defined for each:

Request sender (defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files)
- Applies the appropriate security constraints to the SOAP message (such
as signing or encryption) before the message is sent, and generates the time
stamp or the required security token.

Request receiver (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)
- Verifies that the Web services security constraints are met.
- Verifies the freshness of the message based on the time stamp. A message is
fresh when its time stamp complies with the predefined time constraints.
- Verifies the required signature.
- Verifies that the required encryption is present and decrypts the message.
- Validates the security tokens and sets up the security context for the
downstream call.

Response sender (defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files)
- Applies the appropriate security constraints to the SOAP response message,
such as signing the message, encrypting the message, or generating the time stamp.

Response receiver (defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files)
- Verifies that the Web services security constraints are met.
- Verifies the freshness of the message based on the time stamp. A message is
fresh when its time stamp complies with the predefined time constraints.
- Verifies the required signature.
- Verifies that the required encryption is present and decrypts the message.
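The following is an added example, not IBM or WebSphere code, that models the request sender and request receiver message points above in plain Python (the response sender and response receiver perform the mirror-image work, so the same two functions serve both directions). The real run time applies XML Signature and XML Encryption as configured in the .xmi descriptors and bindings; here the signature is an HMAC-SHA256 over the canonicalised SOAP Body with a constructed pre-shared key, an assumption made so the example runs offline with the standard library. The namespace URIs are the real WS-Security 1.0 ones; the key, the clock values, the freshness window and the clock-skew tolerance are all constructed for the example.

```python
# Added example (not IBM WebSphere code): a miniature request sender and
# request receiver for a WS-Security style SOAP message.  The signature is an
# HMAC over the canonicalised Body, standing in for ds:Signature so that the
# freshness and integrity checks the receiver performs can run stand-alone.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

SHARED_KEY = b"example-shared-key"   # constructed; stands in for the key named in the bindings
FRESHNESS = timedelta(minutes=5)     # Created-to-Expires window the sender claims (constructed)
CLOCK_SKEW = timedelta(seconds=60)   # drift the receiver tolerates between the two clocks (constructed)
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock

def _iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _body_mac(body):
    # XML-DSig would canonicalise (exclusive C14N) and then sign; the stdlib
    # C14N plus an HMAC gives the same "same bytes or it fails" property here.
    canon = ET.canonicalize(ET.tostring(body), strip_text=True).encode()
    return base64.b64encode(hmac.new(SHARED_KEY, canon, hashlib.sha256).digest()).decode()

def request_sender(payload_xml, now):
    """Request sender: wrap the payload, add wsu:Timestamp, sign the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(payload_xml))
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = _iso(now)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = _iso(now + FRESHNESS)
    ET.SubElement(sec, "Signature").text = _body_mac(body)  # stand-in for ds:Signature
    return ET.tostring(env)

def request_receiver(raw, now):
    """Request receiver: check the constraints in order; returns (accepted, reason)."""
    env = ET.fromstring(raw)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    body = env.find(f"{{{SOAP}}}Body")
    if sec is None or body is None:
        return False, "missing wsse:Security header or Body"
    ts = sec.find(f"{{{WSU}}}Timestamp")
    created = ts.findtext(f"{{{WSU}}}Created") if ts is not None else None
    expires = ts.findtext(f"{{{WSU}}}Expires") if ts is not None else None
    if created is None or expires is None:
        return False, "required time stamp missing"
    if _parse_iso(created) > now + CLOCK_SKEW:
        return False, "time stamp created in the future"
    if now > _parse_iso(expires) + CLOCK_SKEW:
        return False, "message expired"
    sig = sec.findtext("Signature")
    if sig is None:
        return False, "required signature missing"
    if not hmac.compare_digest(sig, _body_mac(body)):
        return False, "signature does not match Body"
    return True, "ok"  # the run time would now set up the security context for the downstream call

def demo():
    """One signed request checked by a receiver that is fresh, late, tampered, and stripped."""
    payload = '<q:getQuote xmlns:q="urn:example">AAPL</q:getQuote>'  # constructed payload
    msg = request_sender(payload, SAMPLE_NOW)
    stripped = ET.fromstring(msg)
    sec = stripped.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    sec.remove(sec.find(f"{{{WSU}}}Timestamp"))
    return {
        "fresh": request_receiver(msg, SAMPLE_NOW + timedelta(seconds=30)),
        "stale": request_receiver(msg, SAMPLE_NOW + timedelta(minutes=10)),
        "tampered": request_receiver(msg.replace(b"AAPL", b"MSFT"), SAMPLE_NOW),
        "no_timestamp": request_receiver(ET.tostring(stripped), SAMPLE_NOW),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```

Two practical points the example makes visible: the freshness check is only as good as the clock synchronisation between client and server (hence the skew tolerance, which also widens the replay window), and a time stamp that is not itself covered by the signature can be stripped or altered without affecting the Body signature, so in a real deployment the integrity constraint should cover the time stamp as well as the Body.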