
Understanding web services specifications, Part 4: WS-Security

Nicholas Chase, Freelance writer, Backstop Media
Nicholas Chase has been involved in Web site development for companies such as Lucent Technologies, Sun Microsystems, Oracle, and the Tampa Bay Buccaneers. Nick has been a high school physics teacher, a low-level radioactive waste facility manager, an online science fiction magazine editor, a multimedia engineer, an Oracle instructor, and the Chief Technology Officer of an interactive communications company. He is the author of several books, including XML Primer Plus (Sam's).

Summary:  There are few (if any) enterprise-level systems that don't require one form of security or another. In web services, this process is more complicated than in other arenas because of the distributed, stateless nature of the beast. This tutorial, Part 4 of the Understanding web services specifications series, explains the concepts behind WS-Security and related standards such as XML Signature, which combine to make security in the web services world not just possible, but practical.

Date:  22 Aug 2006
Level:  Intermediate


Before you start

In this tutorial you'll learn about Web Services Security, or WS-Security. It is for developers who wish to expose their own services in an environment that requires protecting messages from being tampered with or read in transit, or in situations in which the sender must be positively identified. The term "WS-Security" is usually used to refer to a group of specifications that handle encryption and digital signatures, enabling you to create a secure application.

In order to follow along with this tutorial, you should have a basic understanding of SOAP, which you can achieve by reading Part 1 of this tutorial series, and by extension, you need a basic understanding of XML. SOAP is programming-language agnostic, but the samples in this tutorial use Java™ and the Apache Axis2 project. The concepts, however, apply to any programming language and environment.

About this series

This tutorial series teaches the basic concepts of web services by following the exploits of the fictional newspaper, The Daily Moon, as the staff uses web services to create a workflow system to increase productivity in the midst of much change.

Part 1 explained the basic concepts behind web services and showed how to use SOAP, the specification that underlies most of what is to come, connecting the classifieds department with the Content Management System.

Part 2 takes things a step further, explaining how to use Web Services Description Language (WSDL) to define the messages produced and expected by a web service, enabling the team to more easily create services and the clients that connect to them.

Part 3 finds the team with a number of services in place and a desire to locate them easily. In response, Universal Description, Discovery and Integration (UDDI) provides a searchable registry of available services and a way to publicize their own services to others.

Now in Part 4, Rudy, publisher of The Daily Moon, has decided that the paper needs to institute better security procedures for web services that access their internal systems.

In Part 5, WS-Policy, we will look at the changes the teams need to make in order to access those newly secured services.

Interoperability will be the key word in Part 6, as services from several different implementations must be accessed from a single system. Part 6 will also cover the requirements and tests involved in WS-I certification.

Finally, Part 7 will show how to use Business Process Execution Language (WS-BPEL) to create complex applications from individual services.

Now let's look at what this tutorial covers in a bit more detail.

About this tutorial

In this tutorial, you will follow along as The Daily Moon newspaper team uses the WS-Security specifications to secure one of the web services described thus far in the series.

In the course of this tutorial, you will learn:

  • What WS-Security is
  • The difference between symmetric and asymmetric encryption
  • The difference between signatures and encryption
  • The effect of security on SOAP messages
  • How to secure a SOAP web service using Axis2

Before we get started, you'll need a few tools.


Much of this tutorial is conceptual, but in order to follow along with the code that creates the SOAP messages, you will need to have the following software available and installed:

We will demonstrate the installation and use of Apache Geronimo, which is also the basis for IBM's WebSphere Community Edition. You can also use other application servers such as WebSphere Application Server. You can download Apache Geronimo. For more information on installing Geronimo, see Part 1 of this tutorial series.

You will be using Apache Axis2, which contains implementations of various SOAP-related APIs to make your life significantly easier. You can download Apache Axis2. This tutorial uses version 0.94, but later versions should work.

Apache Axis2 Rampart module -- Security for the Axis2 web services engine is provided through the Rampart module, which is not included in the default installation. Download this module from the Apache Download Mirrors.

Apache WSS4J -- Although Axis itself will use Rampart, at some point you will need to reference the WSS4J classes directly. Download the WSS4J package.

Java 2 Standard Edition version 1.4.2 or higher -- All of these tools are Java-based, as are the services and clients you'll build in this tutorial. Download the J2SE SDK.

TCPMon (optional) -- It's always easier to understand what's going on in a web service application when you can actually see the messages. Download the TCP Monitor so you can see the messages coming to and from the web service.

GnuPG (optional) -- All of the message signing we'll be doing is covered by Axis2 and by Java itself, but if you want to play with signing individual documents, as we'll briefly demonstrate, download GnuPG.

You'll also need a Web browser and a text editor.
