[Version 5 only] WebSphere Application Server Network Deployment, Version 6.0.x
Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configurations

The Web services security model used by WebSphere Application Server is the declarative model.

Important distinction between Version 5.x and Version 6.0.x applications
Note: The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x. It does not apply to Version 6.0.x applications.

No Application Programming Interfaces (APIs) exist in WebSphere Application Server for programmatically interacting with Web services security. However, Service Provider Programming Interfaces (SPIs) are available for extending some security run-time behaviors. You can secure an application with Web services security by defining security constraints in the IBM extension deployment descriptors and in IBM extension bindings.

The development life cycle of a Web services security-enabled application is similar to the Java 2 Platform, Enterprise Edition (J2EE) model. See the following figure for more details.

Figure 1. Application development life cycle

The Web services security constraints are defined by the assembler during the application assembly phase if the J2EE application is Web services-enabled. Create, define, and edit the Web services security constraints with an assembly tool. For more information, see Assembly tools.

Web services security constraints

The security constraints for Web services security are specified in the IBM deployment descriptor extension for Web services. The assembler defines these constraints during the application assembly phase, if the J2EE application is Web services-enabled. Define the Web services security constraints using an assembly tool. For more information, see Assembling applications.

The Web services security run time acts on the constraints to enforce Web services security for the Simple Object Access Protocol (SOAP) message. The scope of the IBM deployment descriptor extension is at the EJB module or Web module level. There also are bindings associated with each of the following IBM deployment descriptor extensions:

Client (might be either a J2EE client (application client container) or Web services acting as a client)
  • ibm-webservicesclient-ext.xmi
  • ibm-webservicesclient-bnd.xmi
Server
  • ibm-webservices-ext.xmi
  • ibm-webservices-bnd.xmi

The IBM extension deployment descriptor and bindings are associated with each EJB module or Web module. See Figure 2 for more information. If a Web service is acting as a client, then its EJB module or Web module contains the client IBM extension deployment descriptors and bindings.

Figure 2. IBM extension deployment descriptors and bindings

The Web services security handler acts on the security constraints defined in the IBM extension deployment descriptor and enforces the security constraints accordingly. There are outbound and inbound configurations in both the client and server security constraints.

In a SOAP request, the following message points exist:
  • Sender outbound
  • Receiver inbound
  • Receiver outbound
  • Sender inbound
These message points correspond to the following four security constraints:
  • Request sender (sender outbound)
  • Request receiver (receiver inbound)
  • Response sender (receiver outbound)
  • Response receiver (sender inbound)

The security constraints of request sender and request receiver must match. Also, the security constraints of the response sender and response receiver must match. For example, if you specify integrity as a constraint in the request receiver, then you must configure the request sender to have integrity applied to the SOAP message. Otherwise, the request is denied because the SOAP message does not include the integrity specified in the request constraint.

The four security constraints are shown in the following figure of Web services security constraints.

Figure 1. Web services security constraints
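The matching rule described above can be checked before deployment. The following is an added example, not IBM code and not part of the original article: it uses a simplified, constructed model of the four constraints (plain dictionaries, not the XMI schema of the extension descriptors), and the names `check_constraints`, `Finding`, `CLIENT` and `SERVER` are hypothetical.

```python
from dataclasses import dataclass

# Sender-side constraint -> receiver-side constraint it must match.
PAIRS = {
    "request_sender": "request_receiver",
    "response_sender": "response_receiver",
}
# Side whose descriptors carry each constraint (the client sends the request).
HOLDER = {
    "request_sender": "client", "response_receiver": "client",
    "request_receiver": "server", "response_sender": "server",
}

@dataclass(frozen=True)
class Finding:
    sender: str
    receiver: str
    protection: str
    problem: str  # "missing_on_sender" or "not_required_by_receiver"

def check_constraints(client, server):
    """Return every protection on which a sender/receiver pair disagrees."""
    config = {"client": client, "server": server}
    findings = []
    for sender, receiver in PAIRS.items():
        applied = set(config[HOLDER[sender]].get(sender, ()))
        required = set(config[HOLDER[receiver]].get(receiver, ()))
        # Receiver requires it, sender does not apply it (the denied case in the text).
        for name in sorted(required - applied):
            findings.append(Finding(sender, receiver, name, "missing_on_sender"))
        # Sender applies it, receiver does not ask for it: the pair does not match.
        for name in sorted(applied - required):
            findings.append(Finding(sender, receiver, name, "not_required_by_receiver"))
    return findings

# Constructed sample: simplified model, not the XMI schema of the descriptors.
CLIENT = {
    "request_sender": ["integrity"],
    "response_receiver": ["integrity", "confidentiality"],
}
SERVER = {
    "request_receiver": ["integrity", "confidentiality"],
    "response_sender": ["integrity", "confidentiality"],
}

if __name__ == "__main__":
    for f in check_constraints(CLIENT, SERVER):
        print(f"{f.sender} vs {f.receiver}: {f.protection} ({f.problem})")
```

In the constructed sample the request receiver requires confidentiality that the request sender does not apply, so the check reports that pair and nothing for the response pair.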




Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/cwbs_config.html

© Copyright IBM Corporation 2003, 2005. All Rights Reserved.