Does XWS-Security Implement Any Specifications?

XWS-Security is an implementation of the Web Services Security (WSS) specification developed at OASIS. WSS defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication. WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

The WSS specification defines an end to end security framework that provides support for intermediary security processing. Message integrity is provided by using XML Signature in conjunction with security tokens to ensure that messages are transmitted without modifications. Message confidentiality is granted by using XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential.

In this release, the XWS-Security framework provides the following options for securing JAX-RPC applications:

XML Digital Signature (DSig)

This implementation of XML and Web Services Security uses Apache's XML-DSig implementation, which is based on the XML Signature specification, which can be viewed at http://www.w3.org/TR/xmldsig-core/.

Samples containing code for signing and/or verifying parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Understanding and Running the Simple Sample Application for more information on these sample applications.

XML Encryption (XML-Enc)

This implementation of XML and Web Services Security uses Apache's XML-Enc implementation, which is based on the XML Encryption W3C standard. This standard can be viewed at http://www.w3.org/TR/xmlenc-core/.

Samples containing code for encrypting and/or decrypting parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Understanding and Running the Simple Sample Application for more information on these sample applications.

UsernameToken Verification

Username token verification specifies a process for sending UserNameTokens along with the message. The receiver can validate the identity of the sender by validating the digital signature sent by the sender. A digital signature internally refers to a security token (for example, an X.509 Certificate Token) to indicate the key used for signing. Sending these tokens with a message binds the identity of the tokens (and any other claims occurring in the security token) to the message.

This implementation of XML and Web Services Security provides support for Username Token Profile, which is based on OASIS WSS Username Token Profile 1.0 (which can be read at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf) and X.509 Certificate Token Profile, which is based on OASIS WSS X.509 Certificate Token Profile 1.0 (which can be read at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf).

Samples containing code for sending user name and X.509 certificate tokens along with the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Understanding and Running the Simple Sample Application for more information on these sample applications.

On Which Technologies Is XWS-Security Based?

XWS-Security APIs are used for securing Web services based on JAX-RPC. This release of XWS-Security is based on non-standard XML Digital Signature and XML Encryption APIs, which are subject to change with new revisions of the technology. As standards are defined in the Web Services Security space, these nonstandard APIs will be replaced with standards-based APIs.

JSR-105 (XML Digital Signature) APIs are included in this release of the Java WSDP as well. JSR 105 is a standard API (in progress, at Proposed Final Draft) for generating and validating XML Signatures as specified by the W3C recommendation. It is an API that should be used by Java applications and middleware that need to create and/or process XML Signatures. It can be used by Web Services Security (which is the goal for a future release) and by non-Web Services technologies, for example, documents stored or transferred in XML. Both JSR-105 and JSR-106 (XML Digital Encryption) APIs are core-XML security components.

XWS-Security does not use the JSR-105 or JSR-106 APIs because, currently, the Java standards for XML Digital Signatures and XML Encryption are undergoing definition under the Java Community Process. These Java standards are JSR-105-XML Digital Signature APIs, which you can read at http://www.jcp.org/en/jsr/detail?id=105 and JSR-106-XML Digital Encryption APIs, which you can read at http://www.jcp.org/en/jsr/detail?id=106.

XWS-Security uses the Apache libraries for DSig and XML-Enc. In future releases, the goal of XWS-Security is to move toward using JSR-105 and JSR-106 APIs.

Table 3-2 API/Implementation Stack Diagram
XWS-Security
JSR-105 & JSR-106 (possible in future release)
Apache XML Security implementation (current implementation, however this can easily be replaced or swapped, because the JSRs are provider-based)
J2SE Security (JCE/JCA APIs)

The Apache XML Security project is aimed at providing implementation of security standards for XML. Currently the focus is on the W3C standards. More information on Apache XML Security can be viewed at:

Java security includes the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA). JCE and JCA form the foundation for public key technologies in the Java platform. The JCA API specification can be viewed at http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html. The JCE documentation can be viewed at http://java.sun.com/products/jce/reference/docs/index.html.