This article describes the development of the Web services security specification. The article provides information on the Organization for the Advancement of Structured Information Standards (OASIS) Web services security Version 1.0 specification, which is the specification that serves as a basis for securing Web services in WebSphere Application Server Version 6.0.x.
Non-OASIS activities
The following figure shows the relationship between these specifications:
The specifications represented by the blue boxes in the previous figure were proposed by various industry vendors, who also organized interoperability events to verify and refine them.
OASIS activities
In June 2002, OASIS received a proposed Web services security specification from IBM, Microsoft, and Verisign. The Web Services Security Technical Committee (WSS TC) was organized at OASIS soon after the submission. The technical committee included many companies including IBM, Microsoft, VeriSign, Sun Microsystems, and BEA Systems.
In September 2002, WSS TC published its first specification, Web Services Security Core Specification, Working Draft 01. This specification included the contents of both the original Web services security specification and its addendum.
The scope of the technical committee's work grew as the discussion proceeded. Because the Web Services Security Core Specification allows arbitrary types of security tokens, proposals for particular token types were published as profiles. The profiles describe how tokens, including Security Assertion Markup Language (SAML) tokens and Kerberos tokens, are embedded in Web services security messages. Subsequently, the usage definitions for user name tokens and X.509 binary security tokens, which were part of the original Web Services Security Specification, were moved into separate profiles.
In April 2004, the Web services security specification (officially called Web Services Security: SOAP Message Security Version 1.0) became a Version 1.0 OASIS standard. The Username Token Profile and X.509 Token Profile also became Version 1.0 specifications.
The following figure shows the various Web services security-related specifications.
WebSphere Application Server Version 6.0.x also provides plug-in points that enable security providers to extend the run time and implement some of the higher-level specifications in the Web services security stack. These plug-in points are exposed as service provider programming interfaces (SPIs). For more information on these SPIs, see Default implementations of the Web services security service provider programming interfaces.
Web services security specification development
- W3C Recommendation, February 2002 (also IETF RFC 3275, March 2002)
- W3C Recommendation, March 2001
- W3C Recommendation, July 2002
- W3C Recommendation, November 2002
- W3C Recommendation, December 2002
- W3C Recommendation, December 2002
These specifications are supported in WebSphere Application Server 6 in the context of Web services security. For example, you can sign a SOAP message by specifying the integrity option in the deployment descriptors. However, there is no application programming interface (API) that an application can use for XML signature on an XML element in a SOAP message.
The OASIS Web services security Version 1.0 specification defines the SOAP header enhancements that provide message integrity and confidentiality. It also provides a general framework for associating security tokens with a Simple Object Access Protocol (SOAP) message. The specification is designed to be extensible so that multiple security token formats can be supported; the use of each particular token type is addressed by its own security token profile.
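As an added illustration (not code from the original page or from WebSphere Application Server), the following Python builds the wsse:Security header for a UsernameToken in PasswordDigest form, as defined by the OASIS Username Token Profile 1.0, and verifies it the way a receiver should: recomputing the digest, enforcing a freshness window on wsu:Created, and rejecting reused nonces. The five-minute skew, the user name, password and nonce are constructed sample values.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
# Namespace URIs from the OASIS WSS 1.0 core specification and the Username Token Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def parse_utc(ts: str) -> datetime:
    """Parse a wsu:Created value such as 2004-04-01T12:00:00Z into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_security_header(user, password, nonce=None, created=None):
    """Client side: a <wsse:Security> header carrying a PasswordDigest UsernameToken."""
    nonce = nonce or os.urandom(16)  # fresh random nonce unless a sample one is supplied
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")

def verify_username_token(header_xml, lookup_password, seen_nonces, now, skew=timedelta(minutes=5)):
    """Server side: accept only a fresh, unreplayed digest that matches the stored password."""
    tok = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
    pw_el = tok.find("wsse:Password", NS) if tok is not None else None
    if pw_el is None or pw_el.get("Type") != DIGEST:
        return False  # this verifier does not accept PasswordText or untyped passwords
    nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS))
    created = tok.findtext("wsu:Created", namespaces=NS)
    if abs(now - parse_utc(created)) > skew:
        return False  # outside the freshness window
    if nonce in seen_nonces:
        return False  # nonce already consumed within the window: replay
    password = lookup_password(tok.findtext("wsse:Username", namespaces=NS))
    expected = password_digest(nonce, created, password or "")
    if password is None or not hmac.compare_digest((pw_el.text or "").encode(), expected.encode()):
        return False  # unknown user or digest mismatch (constant-time comparison)
    seen_nonces.add(nonce)  # remember the nonce for the life of the skew window
    return True
```

The nonce cache only needs to hold nonces as long as the skew window, since anything older is rejected by the timestamp check.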
Specification and profile support in WebSphere Application Server Version 6.0.x
The wire format of the SOAP message with Web services security in Web services security Version 1.0 has changed and is not compatible with previous drafts of the OASIS Web services security specification. Interoperability between OASIS Web services security Version 1.0 and previous Web services security drafts is not supported. However, it is possible to run an application that is based on Web services security draft 13 on WebSphere Application Server Version 6.0.x. The application can interoperate with an application that is based on Web services security draft 13 on WebSphere Application Server Version 5.0.2, 5.1 or 5.1.1.
WebSphere Application Server Version 6.0.x supports both OASIS Web services security draft 13 and the OASIS Web services security 1.0 specification, but support for draft 13 is deprecated in Version 6.0.x. Applications that were developed using OASIS Web services security draft 13 on WebSphere Application Server 5.0.2, 5.1.0 and 5.1.1 can still run on WebSphere Application Server Version 6.0.x. OASIS Web services security Version 1.0 support is available only for Java 2 Platform, Enterprise Edition (J2EE) Version 1.4 applications. The configuration format for the deployment descriptor and the binding differs from that of previous versions of WebSphere Application Server. You must migrate existing applications to J2EE 1.4 and migrate the Web services security configuration to the WebSphere Application Server Version 6 format. For migration information, see Migrating Version 5.x applications with Web services security to Version 6 applications.
Web Services Interoperability Organization (WS-I) activities
Web Services Interoperability Organization (WS-I) is an open industry effort to promote Web services interoperability across vendors, platforms, programming languages and applications. The organization is a consortium of companies across many industries, including IBM, Microsoft, Oracle, Sun, Novell, VeriSign, and DaimlerChrysler. WS-I began working on the basic security profile (BSP) in the spring of 2003. BSP consists of a set of non-proprietary Web services specifications, together with clarifications and amplifications of those specifications, that promote Web services security interoperability across different vendor implementations. As of June 2004, BSP is a public draft. For more information, see the Web Services Interoperability Organization. Since the spring of 2004, WS-I has been working on a sample application; the BSP sample application is the testing tool for the BSP. WebSphere Application Server Version 6.0.x does not support the WS-I BSP or the BSP sample application.
Related concepts
- Default implementations of the Web services security service provider programming interfaces
Related tasks
- Migrating Version 5.x applications with Web services security to Version 6 applications