The first time you sign into developerWorks, a profile is created for you. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

Build secure Web services

Using Rational Application Developer

Indran Naick (indrann@us.ibm.com), e-business architect, EMC

Indran Naick is an e-business architect for IBM Developer Relations Technical Consulting in Austin, Texas, which provides education, enablement, and consulting to IBM business partners. Indran has over 14 years of industry experience. He joined IBM in South Africa in 1990. Prior to being transferred to Austin, he served as a software solutions architect, consulting to a number of financial and government institutions. He has authored a number of publications and is a graduate of the University of the Witwatersrand in South Africa.

Jeff Miller (jeffmil@us.ibm.com), e-business architect, EMC

Jeff Miller is a software consultant with IBM ISV and Developer Relations Worldwide Developer Skills program. He has over 24 years of software development experience as an electrical engineer, software developer and architect. His focus at IBM is Java EE application architecture, design, development, Web services, SOA and security. Jeff consults, codes, teaches, writes technical articles and speaks to universities and groups. He is an IBM-certified On Demand Solution Designer and Solution Technologist, an IBM Certified Solution Designer -- Service Oriented Architecture, and is IBM-certified on Rational Application Developer and WebSphere Application Server. Jeff is a CompTIA Security+ Certified Professional. He received his Masters degree in Computer Science from Rensselaer Polytechnic Institute.
(An IBM developerWorks Contributing Author)

Summary: Security is an essential part of any Web service. Rational Application Developer allows you to take advantage of security standards and without too much effort create all of the necessary configuration to add security to your services. This tutorial shows you how to authenticate using a user ID and password, ensure integrity using digital signatures, and ensure confidentiality using encryption.

Tag this!

Date: 02 Dec 2005
Level: Introductory
PDF: A4 and Letter (1945 KB | 52 pages)Get Adobe® Reader®

Activity: 1876 views
Comments:

Before you begin

Should I take this tutorial?

Take this tutorial if you are a Web developer or architect and want to understand how to build secure Web services using Rational® Application Developer. This tutorial assumes that you have a basic knowledge of Java™ technology and Web services. It takes you through a fairly complete example of adding signatures, encryption, and a token to a Web service.

Rational Application Developer is easy to use, so you'll find this tutorial easy to follow even if you're a beginner to Web services and Java technology. In addition to showing you how to use the tools within Rational Application Developer, this tutorial gives you an introduction to Web services security and shows you what happens behind the scenes in a Web services architecture. If you are a complete newbie to Java technology, some of these concepts might be easier to follow if you have a basic understanding of Web services.

About the tutorial

This tutorial describes the functionality available within Rational Application Developer to secure Web services. Rational Application Developer provides features with which you can apply authentication, integrity, and confidentiality to Web services.

There are various mechanisms for implementing security in a distributed system. Many of these secure the transport protocol and use a variety of other security mechanisms to achieve their objectives. The security that we will focus on in this tutorial is SOAP message security. This means that the security information is contained in and travels with each SOAP message, making it transport-independent. This security is based on:

XML digital signatures: provides integrity
XML encryption: provides confidentiality
Security tokens: provides authentication

It is important to distinguish between security mechanisms that are transport dependent and those that are transport independent. Developers often strive to ensure that their services are not bound to any particular transport. If your security model is based on the transport, you are indirectly tightly coupling your service, should you need it to be secure, to a fixed protocol.

In addition, it is preferable to have security abstracted out of the service -- that is, to have it be a deployment-time option. This allows you to modify the security as and when required without changing the service. Changing your code every time you change your security policies can be very difficult, expensive, and prone to error. Having security abstracted out also allows you the option of deploying your services with or without security. Security adds processing overhead to any operation, and it should be used only when it is warranted.

Prerequisites

To complete the steps in this tutorial, you need to install Rational Application Developer V6.0 or higher. You can download a trial copy of Rational Application Developer for WebSphere® Software V6.0 from developerWorks. The installation process is straightforward and hassle free, and you will need to complete a short registration form. WebSphere Application Server V6.0 test environment within Rational Application Developer for WebSphere Software V6.0 was used in this tutorial to test the examples. The screen captures were generated using Rational Application Developer for WebSphere Software V6.0. If you are using Rational Application Developer for WebSphere Software V6.0.1 it should still work. Some of the screens might be slightly different to the ones shown here, however the relevant fields are shown here.

You also need to download the sample code AtomicClock.java.

Comments

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=Rational, SOA and Web services

ArticleID=135555

TutorialTitle=Build secure Web services

publish-date=12022005

author1-email=indrann@us.ibm.com

author1-email-cc=

author2-email=jeffmil@us.ibm.com

author2-email-cc=