JAXWS SOAP service enhancements in RBD 220.127.116.11: WS-Security and WS-Addressing
JoeVincens 100000GUD5 Visits (3986)
I've been working with web services for many years and security is the top application level concern voiced by many developers. RBD developers using WebSphere Application Server to implement security now have some new options. In RBD 18.104.22.168, we introduced support for WS-Security and WS-Addressing for RBD JAX-WS services and service invocations. Many of you are involved with revitalizing legacy applications and subscribe to the mantra don't rewrite, reuse. This is the approach we took to WS-Addressing and WS-Security. We didn't write any code; we reused the policy support provided by WebSphere Application Server. So this blog is more about the product developed by our colleagues in WebSphere than it is about RBD. The WebSphere Application Server documentation has lots of information related to security. I'll mention a few links that caught my attention. If you find other useful information that you'd like to share, post it as a comment to this blog.
Starting with the WebSphere Application Server v7 information center, you can expand the navigation tree for your edition of the application server. A couple of important things to keep in mind while reading the WebSphere Application Server documentation:
1. Read the sections that apply to JAX-WS web services (the JAX-RPC sections may not apply).
2. Read the sections that use policy sets as they are modular and easier to apply to a service or service client.
WS-Security:If you pick up any book on WS-Security or read through the links provided, you will quickly learn it is a complex topic and there are varying degrees of securing a service. Because of the complexity of application security (and because my primary job at IBM is not as a security professional), I can't try to summarize everything from all the various books and articles about security in this blog post. I think the most important are the various layers. The 5 most commonly mentioned are (in alphabetic order): authentication, authorization, confidentiality, identification, and integrity. If you want to talk security, you should familiarize yourself with the meaning of each layer. The Web services security provides message integrity, confidentiality, and authentication article provides a summary of some of the layers. The Securing web services section is another place to look at different layers of security and has 2 sub sections Securing HTTP transport and authentication for Web services and Securing Web services at the message level. You can also read the Web services sections under the Developing and Deploying applications section and the Securing applications and their environment section. The 'High-level architecture for Web services security' article provides a good explanation of how policy sets are used and applied to SOAP messages. You can also read blogs from security professionals for help with the type of security to use and how to use it. Once you decide what you need to be secure, you need to spend some time configuring WebSphere Application Server and creating policy sets. Once you create policy sets, you can reuse them on many projects.
Thankfully, there is a very good tutorial on developerWorks to configure WS-Security titled Message-level security with JAX-WS on WebSphere Application Server V7. The tutorial was written for people using Rational Application Developer (RAD), though the steps apply nicely to RBD.
WS-Addressing:RBD JAX-WS services and service invocations only support synchronous messaging. In the WebSphere Application Server 7.0 documentation, you will find a section on Web Services Addressing support. Why do I need to look at WS-Addressing? In this section, you'll find a good answer to this question: "You do not usually have to be aware of the underlying WS-Addressing support because WebSphere® Application Server ensures that your Web service applications are WS-Addressing compliant when required" and it describes when you would need to look at WS-Addressing. You can also read more in the Web Services Addressing overview.
This blog links to WebSphere Application Server 7 documentation. WS-Security and WS-Addressing for JAX-WS are also supported in WebSphere Application 6.1 with the Feature Pack for Web Services installed.
I would guess that this only answered a few of your WS-Security and WS-Addressing questions, though hopefully you'll find the links useful when you get inquisitive about security.