
Using Application Server WS-Security

246 SECURING WEB SERVICES
· response-protection: This element defines the authentication policy requirements of the application's response processing. It has attributes of auth-source and auth-recipient to define what type of protection is applied and when it is applied.
· auth-source: This attribute specifies the type of required authentication, either sender (user name and password) or content (digital signature). This is an attribute of the request-protection and response-protection elements.
· auth-recipient: This attribute specifies whether recipient authentication occurs before or after content authentication. Allowed values are before-content and after-content. This is an attribute of the request-protection and response-protection elements.
For more detailed information on configuring application-specific web services security, refer to the Application Server's Developer's Guide. For more detailed information on the elements used for message security binding, read the Application Server's Application Deployment Guide. For a link to these documents, see Further Information (page 251).
Example: Using Application Server WS-Security
The Application Server ships with sample applications named xms and xms_apl_lvl. Both applications feature a simple web service that is implemented by both a Java EE EJB endpoint and a Java Servlet endpoint. Both endpoints share the same service endpoint interface. The service endpoint interface defines a single operation, sayHello, which takes a String argument and returns a String composed by prepending Hello to the invocation argument.
· The xms application shows how to enable message layer security at the Application Server level by enabling the Application Server's default message security providers. In this case, web services are protected using default configuration files and default WSS providers.
· The xms_apl_lvl application shows how to enable message layer security at the application level by modifying the runtime deployment descriptor (sun-ejb-jar.xml or sun-web.xml). In this case, you can selectively specify when/how message layer security can be applied to a specific method (or for all methods) in a web service.
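The following is an added example, not code from the tutorial or from the xms_apl_lvl sample. It checks the request-protection and response-protection elements of an application-level descriptor against the allowed auth-source and auth-recipient values listed above, and reports methods where one direction has no protection element. The descriptor is constructed for illustration; the bean name HelloEjb, the ping method and the invalid value "password" are assumptions.

```python
import xml.etree.ElementTree as ET

# Allowed values as listed in the attribute descriptions above.
AUTH_SOURCE = {"sender", "content"}
AUTH_RECIPIENT = {"before-content", "after-content"}

# Constructed sample descriptor; bean and method names other than sayHello are hypothetical.
SAMPLE = """
<sun-ejb-jar><enterprise-beans><ejb>
  <ejb-name>HelloEjb</ejb-name>
  <webservice-endpoint>
    <message-security-binding auth-layer="SOAP">
      <message-security>
        <message><java-method><method-name>sayHello</method-name></java-method></message>
        <request-protection auth-source="content"/>
        <response-protection auth-source="content" auth-recipient="after-content"/>
      </message-security>
      <message-security>
        <message><java-method><method-name>ping</method-name></java-method></message>
        <request-protection auth-source="password"/>
      </message-security>
    </message-security-binding>
  </webservice-endpoint>
</ejb></enterprise-beans></sun-ejb-jar>
"""

def audit(descriptor_xml):
    """Return (method, problem) pairs to review for each message-security element."""
    findings = []
    for ms in ET.fromstring(descriptor_xml).iter("message-security"):
        names = [m.text.strip() for m in ms.iter("method-name") if m.text]
        method = ", ".join(names) or "(all methods)"
        for tag in ("request-protection", "response-protection"):
            el = ms.find(tag)
            if el is None:  # this direction carries no protection policy
                findings.append((method, f"{tag} is absent"))
                continue
            src, rcp = el.get("auth-source"), el.get("auth-recipient")
            if src is not None and src not in AUTH_SOURCE:
                findings.append((method, f"{tag} auth-source={src!r} is not allowed"))
            if rcp is not None and rcp not in AUTH_RECIPIENT:
                findings.append((method, f"{tag} auth-recipient={rcp!r} is not allowed"))
            if src is None and rcp is None:
                findings.append((method, f"{tag} sets neither attribute"))
    return findings

if __name__ == "__main__":
    for method, problem in audit(SAMPLE):
        print(f"{method}: {problem}")
```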
The instructions which accompany the sample describe how to enable the WS-Security functionality of the Application Server such that it is used to secure the