Configuring Message Security
Some of the material in this chapter assumes a basic understanding of security and web services
concepts. This chapter describes the configuration of message layer security for web services in
the Enterprise Server. This chapter contains the following topics:
■ “Overview of Message Security”
■ “Understanding Message Security in the Enterprise Server”
■ “Securing a Web Service”
■ “Securing the Sample Application”
■ “Configuring the Enterprise Server for Message Security”
■ “Message Security Setup”
Overview of Message Security
In message security, security information is inserted into messages so that it travels through the
networking layers and arrives with the message at the message destination(s). Message security
differs from transport layer security (which is discussed in the Security chapter of the Java EE
5.0 Tutorial) in that message security can be used to decouple message protection from message
transport so that messages remain protected after transmission.
Web Services Security: SOAP Message Security (WS-Security) is an international standard for
interoperable Web Services Security that was developed in OASIS by a collaboration of all the
major providers of web services technology (including Sun Microsystems). WS-Security is a
message security mechanism that uses XML Encryption and XML Digital Signature to secure
web services messages sent over SOAP. The WS-Security specification defines the use of various
security tokens including X.509 certificates, SAML assertions, and username/password tokens
to authenticate and encrypt SOAP web services messages.
The WS-Security specification can be viewed at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf.
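The following added example (not part of the original guide or of the Enterprise Server code) shows what "security information inserted into the message" looks like in practice: it inspects a SOAP envelope and reports which WS-Security tokens, signature and encryption elements it carries. The sample envelope, the user name and the function name describe_security are constructed for illustration; the SAML namespace assumes SAML 1.x assertions.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # assumption: SAML 1.x
}

# Constructed sample: a SOAP 1.1 request whose wsse:Security header carries a
# username/password token and an abbreviated XML Digital Signature.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>example-only</wsse:Password>
      </wsse:UsernameToken>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getQuote><symbol>SUNW</symbol></getQuote></soap:Body>
</soap:Envelope>"""

def describe_security(envelope_xml):
    """Report which WS-Security elements a SOAP envelope carries.

    Structural inspection only: no signature is verified and nothing is
    decrypted. Use a hardened XML parser for untrusted input.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if header is None:  # message relies on transport protection only, if any
        return {"has_security_header": False, "tokens": [],
                "signed": False, "encrypted": False}
    token_paths = {"UsernameToken": "wsse:UsernameToken",
                   "BinarySecurityToken": "wsse:BinarySecurityToken",  # e.g. X.509
                   "SAML assertion": "saml:Assertion"}
    tokens = [n for n, p in token_paths.items() if header.find(p, NS) is not None]
    encrypted = (header.find("xenc:EncryptedKey", NS) is not None or
                 (body is not None and body.find("xenc:EncryptedData", NS) is not None))
    return {"has_security_header": True, "tokens": tokens,
            "signed": header.find("ds:Signature", NS) is not None,
            "encrypted": encrypted}
```

Because the security header is part of the envelope itself, the same report can be produced at any hop that handles the message, which is the decoupling from transport described above.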
CHAPTER 10