Web Services Security at the message level

Web services message level security (Web Services Security or WS-Security) is a security quality of service (QoS) for web services applications. WS-Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment.

WS-Security is provided as a Liberty feature. The WS-Security run time that is provided in Liberty is based on the Apache CXF open source services framework. The WS-Security feature in Liberty is limited by the features and function of the Apache CXF framework. WS-Security must be explicitly enabled by enabling the wsSecurity-1.1 feature. Make sure you also add the appSecurity-2.0, servlet-3.0(or servlet-3.1) and jaxws-2.2 features, and other required Liberty features to the server.xml file of Liberty.

WS-Security is configured by using the WS-SecurityPolicy within the WSDL file of a web service application. To protect your web service application with WS-Security, your JAX-WS application must contain a wsdl that has an embedded WS-Security policy. There must be a PolicyReference to the embedded WS-Security policy in either the wsdl:binding or wsdl:operation sections or both.