1 Overview of Web Services Security

The chapter describes how to configure security for your WebLogic Web service.

This chapter includes the following sections:

Overview of Web Services Security

To secure your WebLogic Web service, you configure one or more of three different types of security.

Table 1-1 Web Services Security

Security Type Description

Message-level security

Data in a SOAP message is digitally signed or encrypted. May also include identity tokens for authentication. See Chapter 2, "Configuring Message-Level Security".

Transport-level security

SSL is used to secure the connection between a client application and the Web service. See Chapter 3, "Configuring Transport-Level Security".

Access control security

Specifies which roles are allowed to access Web services. See Chapter 4, "Configuring Access Control Security (JAX-RPC Only)".


What Type of Security Should You Configure?

Message-level security includes all the security benefits of SSL, but with additional flexibility and features. Message-level security is end-to-end, which means that a SOAP message is secure even when the transmission involves one or more intermediaries. The SOAP message itself is digitally signed and encrypted, rather than just the connection. And finally, you can specify that only individual parts or elements of the message be signed, encrypted, or required.Transport-level security, however, secures only the connection itself. This means that if there is an intermediary between the client and WebLogic Server, such as a router or message queue, the intermediary gets the SOAP message in plain text. When the intermediary sends the message to a second receiver, the second receiver does not know who the original sender was. Additionally, the encryption used by SSL is "all or nothing": either the entire SOAP message is encrypted or it is not encrypted at all. There is no way to specify that only selected parts of the SOAP message be encrypted. Message-level security can also include identity tokens for authentication.

Transport-level security secures the connection between the client application and WebLogic Server with Secure Sockets Layer (SSL). SSL provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. A client certificate (two-way SSL) can be used to authenticate the user.

Encryption makes data transmitted over the network intelligible only to the intended recipient.

Transport-level security includes HTTP BASIC authentication as well as SSL.

Access control security answers the question "who can do what?" First you specify the security roles that are allowed to access a Web service; a security role is a privilege granted to users or groups based on specific conditions. Then, when a client application attempts to invoke a Web service operation, the client authenticates itself to WebLogic Server, and if the client has the authorization, it is allowed to continue with the invocation. Access control security secures only WebLogic Server resources. That is, if you configure only access control security, the connection between the client application and WebLogic Server is not secure and the SOAP message is in plain text.