Message-level security with JAX-WS on WebSphere Application Server v7

Using Rational Application Developer 7.5.2 to build secure JAX-WS Web services

Page 2 of 12

Section 2. Introduction to message-level security

Transport-level security (e.g. HTTPS) is a point-to-point security model: the channel is protected between two parties. Often, however, the service consumer and the service provider are separated by intermediaries (e.g. an Enterprise Service Bus). In situations like these, message-level security can provide an end-to-end security solution, as Figure 1 depicts. The secret is that with message-level security, you can encrypt the message using the public key of the final destination, so only the intended receiver can decrypt it. Additionally, because the encrypted data is stored in the message itself, you can store the message on the file system for asynchronous communication and decrypt it later, when the receiver is available. These are just a few of the reasons that message-level security is often applied to secure Web services.


Figure 1. Comparison of transport level security and message level security
[Diagram showing transport and message-level security]

Web Services Security (WS-Security) is an OASIS standard that describes how to implement message-level security with Web services. Specifically, WS-Security describes how you can add confidentiality (e.g. encryption), integrity (e.g. digital signatures), and authentication (e.g. username and password) to a SOAP message. In most cases, XML encryption and XML signatures are the mechanisms that secure the message; WS-Security describes how to use these technologies with Web services to provide message-level security, and it also provides a framework for propagating security identities. Figure 2 provides an example of how message-level security looks in a SOAP message. In this tutorial, you learn how to build SOAP messages that are encrypted and signed to produce messages like the one shown in Figure 2.


Figure 2. Example of message-level security of a SOAP message
[Source XML for the SOAP message]
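
To make the three protections concrete, the following Python check (an added example, not code from this tutorial or from WebSphere) inspects a SOAP 1.1 envelope and reports which WS-Security elements it carries: an encrypted Body, a signature that references the Body, an encrypted key, and a username token. The function name, the result keys and both sample envelopes are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET  # stdlib so this runs offline; use a hardened parser (e.g. defusedxml) on untrusted input

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def ws_security_profile(envelope_xml):
    """Report which WS-Security protections a SOAP 1.1 envelope carries.

    Structural check only: no signature is verified and nothing is decrypted.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no SOAP 1.1 Body element")
    sec = root.find("soap:Header/wsse:Security", NS)
    has_sec = sec is not None
    # Ids covered by a ds:Signature in the security header ("#body-1" -> "body-1").
    signed_ids = set()
    if has_sec:
        for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
            signed_ids.add(ref.get("URI", "").lstrip("#"))
    body_id = body.get("{%s}Id" % NS["wsu"])
    children = list(body)
    return {
        "security_header": has_sec,
        # Confidentiality: the Body holds ciphertext only, so intermediaries cannot read it.
        "body_encrypted": len(children) == 1
        and children[0].tag == "{%s}EncryptedData" % NS["xenc"],
        # Integrity: a signature must reference the Body itself, not some other element.
        "body_signed": bool(body_id) and body_id in signed_ids,
        # xenc:EncryptedKey normally carries the session key wrapped with the receiver's public key.
        "encrypted_key": has_sec and sec.find("xenc:EncryptedKey", NS) is not None,
        # Authentication: a username/password token is present.
        "username_token": has_sec and sec.find("wsse:UsernameToken", NS) is not None,
    }

# Constructed sample envelopes (not the message shown in the tutorial's Figure 2).
ENVELOPE_TEMPLATE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
 xmlns:ds="{ds}" xmlns:xenc="{xenc}"><soap:Header><wsse:Security>
<xenc:EncryptedKey/><ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref}"/>
</ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="body-1">{payload}</soap:Body></soap:Envelope>"""
PROTECTED = ENVELOPE_TEMPLATE.format(ref="body-1", payload="<xenc:EncryptedData/>", **NS)
UNPROTECTED = ENVELOPE_TEMPLATE.format(ref="other-9", payload="<getQuote>IBM</getQuote>", **NS)
```

`UNPROTECTED` still has a security header with a signature and an encrypted key, yet its Body is plaintext and unsigned, which is why the check looks at what the signature references and what the Body contains rather than at the header alone.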

