1. Understand WS-Security basics and trade-offs

WS-Security is independent of the transport-layer protocol a web service uses, and it maintains message security even if the message goes through multiple services. However, WS-Security can incur substantial performance costs. Find out how WS-Security works, and learn how to configure it in Axis2 for the basic function of sending a username and password on a service request. Then get some guidelines to help you decide if WS-Security is more appropriate for your application than simple transport-layer security.

Read: Mechanics of WS-Security

Read: Axis2 WS-Security basics

Read: The high cost of (WS-)Security

2. Implement digital signatures and encryption

XML encryption and XML digital signatures are cornerstones of the WS-Security standard. By requiring digital signatures, you can limit message access to authorized users and verify that information has not been altered in transit. Encryption lets you prevent unintended recipients from understanding the information. Get an introduction to public-key cryptography principles and view examples that apply them for signing and encrypting SOAP messages using Axis2. Then, using Axis2 and the Apache Geronimo Java EE application server, get hands-on practice implementing WS-Security signing and encryption for a web service application.

Read: Axis2 WS-Security signing and encryption

Practice: Signing and encryption with Axis2 and Geronimo

3. Use WS-Security without client certificates

WS-Security symmetric encryption lets you secure message exchanges between client and server without requiring client certificates, simplifying your web service configuration while also providing performance benefits. Learn how to configure and use symmetric encryption with Axis2 (and with the open source Metro and Apache CXF frameworks).

Read: WS-Security without client certificates

4. Ensure interoperability for web services secured with WS-Security

Web services are effective at integrating applications regardless of platform, vendor, and programming language—but they're not immune from interoperability issues. Discover some common problems caused by incompatibilities among different versions of the WS-Security specification, and explore ways to deal with the issues in your environment, including the Web Services Gateway (a software component of IBM WebSphere Application Server Network Deployment) and WebSphere DataPower SOA Appliances (purpose-built, easy-to-deploy network devices).

Read: Tackle WS-Security specification interoperability challenges

5. Offload web services security tasks

Integrating WebSphere Application Server with the WebSphere DataPower SOA Appliance yields a secure and high-performance web service. Learn detailed procedures for improving and securing your web services installation with these products.

Read: Offload WebSphere web services security tasks to IBM WebSphere DataPower SOA Appliances

Download: WebSphere Application Server(trial version)

Download: WebSphere Application Server Community Edition (free product)