Does XWS-Security Implement Any Specifications?

XWS-Security is an implementation of the Web Services Security (WSS) specification developed at OASIS. WSS defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication. WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

The WSS specification defines an end to end security framework that provides support for intermediary security processing. Message integrity is provided by using XML Signature in conjunction with security tokens to ensure that messages are transmitted without modifications. Message confidentiality is granted by using XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential.

In this release, the XWS-Security framework provides the following options for securing JAX-RPC applications:

XML Digital Signature (DSig)

This implementation of XML and Web Services Security uses JSR-105 (XML Digital Signature APIs) for signing and verifying parts of a SOAP message or attachment. JSR-105 can be viewed at http://www.jcp.org/en/jsr/detail?id=105

Samples containing code for signing and/or verifying parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Simple Security Configurations Sample Application for more information on these sample applications.

XML Encryption (XML-Enc)

This implementation of XML and Web Services Security uses Apache's XML-Enc implementation, which is based on the XML Encryption W3C standard. This standard can be viewed at http://www.w3.org/TR/xmlenc-core/.

Samples containing code for encrypting and/or decrypting parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Simple Security Configurations Sample Application for more information on these sample applications.

UsernameToken Verification

Username token verification specifies a process for sending UserNameTokens along with the message. Sending these tokens with a message binds the identity of the tokens (and any other claims occurring in the security token) to the message.

This implementation of XML and Web Services Security provides support for Username Token Profile, which is based on OASIS WSS Username Token Profile 1.0 (which can be read at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf) and X.509 Certificate Token Profile, which is based on OASIS WSS X.509 Certificate Token Profile 1.0 (which can be read at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf).

Samples containing code for sending user name and X.509 certificate tokens along with the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Simple Security Configurations Sample Application for more information on these sample applications.

XWS-Security Framework APIs

This implementation of XML and Web Services Security provides APIs that can be used to secure stand-alone Web services applications as well as JAX-RPC applications. These new APIs can be used to secure an outbound SOAPMessage and verify the security in an inbound SOAPMessage.

Because some of the Java standards for XWS-Security technologies are currently undergoing definition under the Java Community Process, the security solution that is provided in Java WSDP 1.6 is based on non-standard APIs, which are subject to change with new revisions of the technology.

To insulate stand alone XWS-Security users from the possible changes in the internal APIs, this release includes a sample interface definition that abstracts out some of the internal implementation details.

Samples containing code for using these APIs are included with this release in the directory <JWSDP_HOME>/xws-security/samples/api-sample/. Read XWS-Security APIs Sample Application for more information on this sample application.

On Which Technologies Is XWS-Security Based?

XWS-Security APIs are used for securing Web services based on JAX-RPC and on stand-alone applications based on SAAJ. This release of XWS-Security is based on standard XML Digital Signature and non-standard XML Encryption APIs, which are subject to change with new revisions of the technology. As standards are defined in the Web Services Security space, the non-standard APIs will be replaced with standards-based APIs.

JSR-105 (XML Digital Signature) APIs are included in this release of the Java WSDP. JSR 105 is a standard API (in progress, at Proposed Final Draft) for generating and validating XML Signatures as specified by the W3C recommendation. It is an API that should be used by Java applications and middleware that need to create and/or process XML Signatures. It is used by this release of Web Services Security and can be used by non-Web Services technologies, for example, documents stored or transferred in XML. Both JSR-105 and JSR-106 (XML Digital Encryption) APIs are core-XML security components.

XWS-Security does not use the JSR-106 APIs because, currently, the Java standards for XML Encryption are undergoing definition under the Java Community Process. This Java standard is JSR-106-XML Digital Encryption APIs, which you can read at http://www.jcp.org/en/jsr/detail?id=106.

XWS-Security uses the Apache libraries for XML-Encryption. In future releases, the goal of XWS-Security is to move toward using the JSR-106 APIs.

Table 4-2 API/Implementation Stack Diagram
XWS-Security
JSR-105 XML Signature and W3C XML Encryption Specifications (W3C spec. may be replaced with JSR-106 in a future release)
Apache XML Security implementation.
J2SE Security (JCE/JCA APIs)

The Apache XML Security project is aimed at providing implementation of security standards for XML. Currently the focus is on the W3C standards. More information on Apache XML Security can be viewed at:

Java security includes the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA). JCE and JCA form the foundation for public key technologies in the Java platform. The JCA API specification can be viewed at http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html. The JCE documentation can be viewed at http://java.sun.com/products/jce/reference/docs/index.html.

Interoperability with Other Web Services

One of the goals of XML and Web Services Security technology is to enable applications to be able to securely interoperate with clients and web service endpoints deployed on other Java application servers and other web services platforms.

What is Basic Security Profile (BSP)?

In terms of XWS-Security, Basic Security Profile (BSP) support means that BSP-compliant requests will be generated and BSP-compliant requests will be accepted.

BSP restrictions and rules are only applicable for those features explicitly supported by XWS-Security. For outgoing messages, BSP-compliant messages are created by default. The only instance where BSP-compliant messages are not created by default is in the case of exclusive canonicalization transform in signatures. For performance reasons, this transform is not added by default, but can be added explicitly to the list of transforms.

For incoming messages, you can set the compliance attribute to bsp if you want to check for compliance in messages received from other applications or implementations. Non-compliant incoming messages are flagged when this option is set.