Before you start
In this tutorial you'll learn about Web Services Security, or WS-Security. It is for developers who wish to expose their own services in an environment that requires messages to be protected from being tampered with or read in transit, or in situations in which the sender must be positively identified. The term "WS-Security" is usually used to refer to a group of specifications that handle encryption and digital signatures, enabling you to create a secure application.
In order to follow along with this tutorial, you should have a basic understanding of SOAP, which you can achieve by reading Part 1 of this tutorial series, and by extension, you need a basic understanding of XML. SOAP is programming-language agnostic, but the samples in this tutorial use Java™ and the Apache Axis2 project. The concepts, however, apply to any programming language and environment.
This tutorial series teaches the basic concepts of web services by following the exploits of the fictional newspaper, The Daily Moon, as the staff uses web services to create a workflow system to increase productivity in the midst of much change.
Part 1 explained the basic concepts behind web services and showed how to use SOAP, the specification that underlies most of what is to come, connecting the classifieds department with the Content Management System.
Part 2 takes things a step further, explaining how to use Web Services Description Language (WSDL) to define the messages produced and expected by a web service, enabling the team to more easily create services and the clients that connect to them.
Part 3 finds the team with a number of services in place and a desire to locate them easily. In response, Universal Description, Discovery and Integration (UDDI) provides a searchable registry of available services and a way to publicize their own services to others.
Now in Part 4, Rudy, publisher of The Daily Moon, has decided that the paper needs to institute better security procedures for web services that access their internal systems.
In Part 5, WS-Policy, we will look at the changes the teams need to make in order to access those newly secured services.
Interoperability will be the key word in Part 6, as services from several different implementations must be accessed from a single system. Part 6 will also cover the requirements and tests involved in WS-I certification.
Finally, Part 7 will show how to use Business Process Execution Language (WS-BPEL) to create complex applications from individual services.
Now let's look at what this tutorial covers in a bit more detail.
In this tutorial, you will follow along as The Daily Moon newspaper team uses the WS-Security specifications to secure one of the web services described thus far in the series.
In the course of this tutorial, you will learn:
- What WS-Security is
- The difference between symmetric and asymmetric encryption
- The difference between signatures and encryption
- The effect of security on SOAP messages
- How to secure a SOAP web service using Axis2
Before we get started, you'll need a few tools.
Much of this tutorial is conceptual, but in order to follow along with the code that creates the SOAP messages, you will need to have the following software available and installed:
We will demonstrate the installation and use of Apache Geronimo, which is also the basis for IBM's WebSphere Community Edition. You can also use other application servers, such as WebSphere Application Server. You can download Apache Geronimo. For more information on installing Geronimo, see Part 1 of this tutorial series.
You will be using Apache Axis2, which contains implementations of various SOAP-related APIs to make your life significantly easier. You can download Apache Axis2 from Apache.org. This tutorial uses version 0.94, but later versions should work.
Apache Axis2 Rampart module -- Security for the Axis2 web services engine is provided through the Rampart module, which is not included in the default installation. Download this module from the Apache Download Mirrors.
Apache WSS4J -- Although Axis itself will use Rampart, at some point you will need to reference the WSS4J classes directly. Download the WSS4J package.
Java 2 Standard Edition version 1.4.2 or higher -- All of these tools are Java-based, as are the services and clients you'll build in this tutorial. Download the J2SE SDK.
TCPMon (optional) -- It's always easier to understand what's going on in a web service application when you can actually see the messages. Download the TCP Monitor so you can see the messages coming to and from the web service.
GnuPG (optional) -- All of the message signing we'll be doing is covered by Axis2 and by Java itself, but if you want to play with signing individual documents, as we'll briefly demonstrate, download GnuPG.
You'll also need a Web browser and a text editor.