Does XWS-Security Implement Any Specifications?

XWS-Security is an implementation of the Web Services Security (WSS) specification developed at OASIS. WSS defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication. WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

The WSS specification defines an end to end security framework that provides support for intermediary security processing. Message integrity is provided by using XML Signature in conjunction with security tokens to ensure that messages are transmitted without modifications. Message confidentiality is granted by using XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential.

In this release, the XWS-Security framework provides the following options for securing JAX-RPC applications:

On Which Technologies Is XWS-Security Based?

XWS-Security APIs are used for securing Web services based on JAX-RPC and on stand-alone applications based on SAAJ. This release of XWS-Security is based on standard XML Digital Signature and non-standard XML Encryption APIs, which are subject to change with new revisions of the technology. As standards are defined in the Web Services Security space, the non-standard APIs will be replaced with standards-based APIs.

JSR-105 (XML Digital Signature) APIs are included in this release of the Java WSDP. JSR 105 is a standard API (in progress, at Proposed Final Draft) for generating and validating XML Signatures as specified by the W3C recommendation. It is an API that should be used by Java applications and middleware that need to create and/or process XML Signatures. It is used by this release of Web Services Security and can be used by non-Web Services technologies, for example, documents stored or transferred in XML. Both JSR-105 and JSR-106 (XML Digital Encryption) APIs are core-XML security components.

XWS-Security does not use the JSR-106 APIs because, currently, the Java standards for XML Encryption are undergoing definition under the Java Community Process. This Java standard is JSR-106-XML Digital Encryption APIs, which you can read at

XWS-Security uses the Apache libraries for XML-Encryption. In future releases, the goal of XWS-Security is to move toward using the JSR-106 APIs.

Table 4-2 shows how the various technologies are stacked upon one another:

Table 4-2  API/Implementation Stack Diagram
JSR-105 XML Signature and W3C XML Encryption Specifications
(W3C spec. may be replaced with JSR-106 in a future release)
Apache XML Security implementation.
J2SE Security (JCE/JCA APIs)

The Apache XML Security project is aimed at providing implementation of security standards for XML. Currently the focus is on the W3C standards. More information on Apache XML Security can be viewed at: 

Java security includes the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA). JCE and JCA form the foundation for public key technologies in the Java platform. The JCA API specification can be viewed at The JCE documentation can be viewed at

Interoperability with Other Web Services

One of the goals of XML and Web Services Security technology is to enable applications to be able to securely interoperate with clients and web service endpoints deployed on other Java application servers and other web services platforms.

To accomplish this interoperability, an open industry organization, Web Services-Interoperability (WS-I) Organization, was chartered to promote Web services interoperability across platforms, operating systems, and programming languages. WS-I is developing an interoperability profile, WS-I Basic Security Profile 1.0 (BSP), that deals with transport security, SOAP messaging security, and other Basic-Profile-oriented Web services security considerations. XWS-Security EA 2.0 provides partial support for BSP (complete support is planned for the FCS release of 2.0.)

What is Basic Security Profile (BSP)?

In terms of XWS-Security, Basic Security Profile (BSP) support means that BSP-compliant requests will be generated and BSP-compliant requests will be accepted.

BSP restrictions and rules are only applicable for those features explicitly supported by XWS-Security. For outgoing messages, BSP-compliant messages are created by default. The only instance where BSP-compliant messages are not created by default is in the case of exclusive canonicalization transform in signatures. For performance reasons, this transform is not added by default, but can be added explicitly to the list of transforms.

For incoming messages, you can set the compliance attribute to bsp if you want to check for compliance in messages received from other applications or implementations. Non-compliant incoming messages are flagged when this option is set.