Implementation Version: FCS 1.0
This XML and Web Services Security implementation, included as part of the JavaTM Web Services Developer Pack 1.5, provides a framework within which a JAX-RPC application developer will be able to secure applications in the following ways:
This implementation of XML and Web Services Security uses Apache's XML-DSig (XML Digital Signature) implementation, which is based on the XML-Signature Syntax and Processing W3C standard.
Samples containing code for signing and/or verifying parts of the SOAP message are included with this release.
This implementation of XML and Web Services Security uses Apache's XML-Enc (XML Encryption) implementation, which is based on the XML Encryption W3C standard.
Samples containing code for encrypting and/or decrypting parts of the SOAP message are included with this release.
These tokens can be used to bind the identity of the token (and any other claims occurring in the security token) to the message containing the token.
This implementation of XML and Web Services Security provides support for Username Token Profile, which is based on OASIS WSS Username Token Profile 1.0, and X509 Certificate Token Profile, which is based on OASIS WSS X509 Certificate Token Profile 1.0.
Samples containing code for sending user name and X509 certificate tokens along with the SOAP message are included with this release.
This implementation of XML and Web Services Security fully supports the implementation of Web Services Security (WSS) Interop scenarios. The following are some of the interoperability scenarios documents that are supported by this implementation:
Since the Java standards for some of these security technologies are undergoing definition under the Java Community Process, the security solution that is provided in the Java Web Services Developer Pack 1.5 is based on nonstandard APIs, which are subject to change with new revisions of the technology. As standards are defined in the Web Services Security space, we will be moving toward using the appropriate standard APIs instead of these nonstandard APIs.
This distribution includes samples that show how a JAX-RPC application developer can use the XML and Web Services Security technology. As previously noted, these nonstandard APIs are subject to change and will be replaced with appropriate standards-based APIs as those APIs are defined.
XWS-Security APIs are used for securing Web services based on JAX-RPC. This release of XWS-Security is based on non-standard XML Digital Signature and XML Encryption APIs.
JSR-105 (XML Digital Signature APIs) are included in this release of the JWSDP as well. JSR 105 is a standard API (in progress, at Proposed Final Draft stage) for generating and validating XML Signatures as specified by the W3C recommendation. It is an API that should be used by Java applications and middleware that need to create and/or process XML Signatures. It can be used by Web Services Security (which is the goal for a future release) and by non-Web Services technologies, for example, documents stored or transferred in XML. Both JSR 105 and JSR 106 (XML Digital Encryption APIs) are core-XML security components.
XWS-Security does not use the JSR 105 or JSR 106 APIs. XWS-Security uses the Apache libraries for DSig and XML-Enc. In future releases, the goal of XWS-Security is to move toward using JSR 105 and JSR 106 APIs.
In this release, the following command-line tools are included:
pkcs12import
This tool helps with importing the contents (key/certificate pair) of a PKCS-12 file into a keystore.
keyexport
This tool can be used to export the private key corresponding to a specified entry of a keystore into a file.
The documentation for this release consists of the following:
Please send questions, comments, and feedback to users@jwsdp.dev.java.net.
Due to the high volume of e-mail received on these aliases, you may not receive an immediate response to your inquiry.