CHAPTER 10

Configuring Message Security

Some of the material in this chapter assumes a basic understanding of security and web services concepts. This chapter describes the configuration of message layer security for web services in the Enterprise Server. This chapter contains the following topics:

“Overview of Message Security”

“Understanding Message Security in the Enterprise Server”

“Securing a Web Service”

“Securing the Sample Application”

“Configuring the Enterprise Server for Message Security”

“Message Security Setup”

Overview of Message Security

In message security, security information is inserted into messages so that it travels through the networking layers and arrives with the message at the message destination(s). Message security differs from transport layer security (which is discussed in the Security chapter of the Java EE 5.0 Tutorial) in that message security can be used to decouple message protection from message transport so that messages remain protected after transmission.

Web Services Security: SOAP Message Security (WS-Security) is an international standard for interoperable Web Services Security that was developed in OASIS by a collaboration of all the major providers of web services technology (including Sun Microsystems). WS-Security is a message security mechanism that uses XML Encryption and XML Digital Signature to secure web services messages sent over SOAP. The WS-Security specification defines the use of various security tokens including X.509 certificates, SAML assertions, and username/password tokens to authenticate and encrypt SOAP web services messages.

The WS-Security specification can be viewed at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf.
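
The following is an added example, not code from the Sun manual or the Enterprise Server. It shows that the protection described above travels inside the SOAP message itself by listing which WS-Security tokens, signature, and encrypted content a message carries. The sample messages are constructed, the helper names envelope and inventory are hypothetical, and the code inspects structure only; it does not validate signatures or decrypt anything.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def envelope(security_children, body_children):
    """Build a constructed SOAP 1.1 message; every value in it is a placeholder."""
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    header = f"<wsse:Security>{security_children}</wsse:Security>" if security_children else ""
    return (f"<soap:Envelope {decls}><soap:Header>{header}</soap:Header>"
            f"<soap:Body>{body_children}</soap:Body></soap:Envelope>")

def inventory(envelope_xml):
    """Report the message-layer protection found in the message itself."""
    root = ET.fromstring(envelope_xml)  # constructed input; use a hardened parser for untrusted XML
    sec = root.find("soap:Header/wsse:Security", NS)
    report = {"tokens": [], "signed": False, "encrypted_body": False}
    if sec is None:
        return report  # nothing in the message: only the transport would protect it
    for bst in sec.findall("wsse:BinarySecurityToken", NS):
        kind = "x509" if bst.get("ValueType", "").endswith("#X509v3") else "binary"
        report["tokens"].append(kind)
    if sec.find("wsse:UsernameToken", NS) is not None:
        report["tokens"].append("username")
    if sec.find("saml:Assertion", NS) is not None:
        report["tokens"].append("saml")
    report["signed"] = sec.find("ds:Signature", NS) is not None
    body = root.find("soap:Body", NS)
    report["encrypted_body"] = body is not None and body.find("xenc:EncryptedData", NS) is not None
    return report

# Constructed samples: X.509-signed, username token with encrypted body, unprotected.
SIGNED = envelope(
    f'<wsse:BinarySecurityToken ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>'
    "<ds:Signature/>", "<getQuote/>")
ENCRYPTED = envelope(
    "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"
    "<xenc:EncryptedKey/>", "<xenc:EncryptedData/>")
PLAIN = envelope("", "<getQuote/>")

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED), ("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(name, inventory(msg))
```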

Sun Microsystems 820433510 manual Configuring Message Security, Overview of Message Security