Understanding Web Services specifications, Part 4: WS-Security


Level: Intermediate

Nicholas Chase (ibmquestions@nicholaschase.com), Freelance writer

22 Aug 2006


This tutorial, Part 4 of the "Understanding Web services specifications" series, explains the concepts behind WS-Security and related standards such as XML Signature, which combine to make security in the Web services world not just possible, but practical.

In this tutorial

In this tutorial you'll learn about Web Services Security, or WS-Security. It is for developers who wish to expose their own services in an environment that requires protecting messages from being tampered with or read in transit, or in situations in which the sender must be positively identified. The term "WS-Security" is usually used to refer to a group of specifications that handle encryption and digital signatures, enabling you to create a secure application.

You will follow along as The Daily Moon newspaper team uses the WS-Security specifications to secure one of the Web services described thus far in the series.

In the course of this tutorial, you will learn:

  • What WS-Security is

  • The difference between symmetric and asymmetric encryption

  • The difference between signatures and encryption

  • The effect of security on SOAP messages

  • How to secure a SOAP web service using Axis2

Prerequisites

You should have a basic understanding of SOAP, which you can achieve by reading Part 1 of this tutorial series, and by extension, you need a basic understanding of XML. SOAP is programming-language agnostic, but the samples in this tutorial use Java™ and the Apache Axis2 project. The concepts, however, apply to any programming language and environment.


System requirements

Much of this tutorial is conceptual, but in order to follow along with the code that creates the SOAP messages, you will need to have the following software available and installed:

We will demonstrate the installation and use of Apache Geronimo, which is also the basis for IBM® WebSphere® Community Edition. You can also use other application servers such as WebSphere Application Server. You can download Apache Geronimo.

You will be using Apache Axis2, which contains implementations of various SOAP-related APIs to make your life significantly easier. You can download Apache Axis2 from Apache.org. This tutorial uses version 0.94, but later versions should work.

Apache Axis2 Rampart module -- Security for the Axis2 Web services engine is provided through the Rampart module, which is not included in the default installation. Download this module from the Apache Download Mirrors.

Apache WSS4J -- Although Axis itself will use Rampart, at some point you will need to reference the WSS4J classes directly. Download the WSS4J package.

Java™ 2 Standard Edition version 1.4.2 or higher -- All of these tools are Java-based, as are the services and clients you'll build in this tutorial. Download the J2SE SDK.

TCPMon (optional) -- It's always easier to understand what's going on in a web service application when you can actually see the messages. Download the TCP Monitor so you can see the messages coming to and from the Web service.

GnuPG (optional) -- All of the message signing we'll be doing is covered by Axis2 and by Java itself, but if you want to play with signing individual documents, as we'll briefly demonstrate, download GnuPG.

You'll also need a Web browser and a text editor.


