|
| |
| Sun Java System Application Server Enterprise Edition 8 2004Q4 XML and Web Services Security Guide | |
Web Services SecurityThis chapter describes using Web Services Security (WSS) for message-level security. In message-level security, security information travels along with the Web services message. WSS in the SOAP layer is the use of XML Encryption and XML Digital Signatures to secure SOAP messages. WSS profiles the use of various security tokens including X.509 certificates, SAML assertions, and username/password tokens to achieve this.
Message layer security differs from transport layer security (which is discussed in the Security chapter of the J2EE 1.4 Tutorial) in that message layer security can be used to decouple message protection from message transport so that messages remain protected after transmission, regardless of how many hops they travel on.
This implementation of WS-Security is based on the Oasis Web Services Security (WSS) specification, which can be viewed at the following URL:
http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-soap-message-security-1.0.pdfSome of the material in this chapter assumes that you understand basic security concepts. To learn more about these concepts, we recommend that you explore the following resources before you begin this chapter.
The Java 2 Standard Edition discussion of security, which can be viewed from
http://java.sun.com/j2se/1.4.2/docs/guide/security/index.html
The J2EE 1.4 Tutorial chapter titled Security, which can be viewed from
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html
This chapter contains the following sections: