Web services security and WebSphere Application Server - Express

WebSphere Application Server - Express Version 5.0.x support digital signature for Apache SOAP Version 2.3. However, the strategic direction for IBM is based on the Web services security specification, Web Services Security (WS-Security), proposed by IBM, Microsoft, and Verisign in April 2002. In Version 5.1, WebSphere Application Server - Express supports Web services security. The implementation is based on the IBM Web services engine.

Web services security is a SOAP message-level security specification that is used to support security token propagation, message integrity, and message confidentiality. One intent of the specification is to address interoperability between different implementations of Web services security.

To realize the benefits of Web services security, it is recommended that an implementation of the specification is integrated with underlying security mechanisms. This implementation is fully integrated with the WebSphere Application Server - Express security infrastructure. Authorization, for example, is based on the J2EE security model. When a user ID and password are embedded in a request message, authentication is performed with the user ID and password. If successful, a user identity is established in the context and further resource access is authorized on that identity. After the user ID and password are authenticated by the Web services security run time, a J2EE container performs authorization.

WebSphere Application Server - Express provides an implementation of the key features of Web services security based on the following specifications:

• Specification: Web Services Security (WS-Security) Version 1.0 05 April 2002
  (http://www-106.ibm.com/developerworks/webservices/library/ws-secure/)

• Web Services Security Addendum 18 August 2002
  (http://www-106.ibm.com/developerworks/webservices/library/ws-secureadd.html)

• Web Services Security: SOAP Message Security Working13 May 2003
  (http://www.oasis-open.org/committees/download.php/2314/WSS-SOAPMessageSecurity-13-050103-merged.pdf)

• Web Services Security: Username Token Profile Draft 2
  (http://www.oasis-open.org/apps/group_public/download.php/1003/documents/documents/WSS-Username-02-0223-merged.pdf)

The following list summarizes Web services security elements that are supported by WebSphere Application Server - Express:

• UsernameToken
  Both the user name and password for the BasicAuth authentication method and the user name for the identity assertion authentication method are supported. WebSphere Application Server - Express does not support the Password Digest, Nonce, and Created attributes.

• BinarySecurityToken
  X.509 certificates and LTPA can be imbedded, but there is no implementation to imbed Kerberos tickets. However, the binary token generation and validation are pluggable and are based on the Java Authentication and Authorization Service (JAAS) APIs. You can extend this implementation to generate and validate other types of binary security tokens.

• Signature
  The X.509 certificate is imbedded as a BinarySecurityToken and can be referenced by the SecurityTokenReference. WebSphere Application Server - Express does not support shared, key-based signature.

• Encryption
  Both the EncryptedKey and ReferenceList XML tags are supported. KeyIdentifier specifies public keys and KeyName identifies the secret keys. WebSphere Application Server - Express has the capability to map an authenticated identity to a key for encryption or use the signer certificate to encrypt the response message.

• Timestamp
  WebSphere Application Server - Express supports the Created and Expires attributes. The freshness of the message is checked only if the Expires attribute is present in the message. WebSphere Application Server - Express does not support the Received attribute, which is defined in the addendum. Instead, WebSphere Application Server - Express uses the TimestampTrace Received attribute, which is defined in the OASIS specification.

• XML based token
  You can insert and validate an arbitrary format of XML tokens into a message. This format mechanism is based on the JAAS APIs.

Signing and encrypting attachments is not supported in WebSphere Application Server - Express. However, WebSphere Application Server - Express signs and encrypts the following elements for the request message:

• XML digital signature
  • Body
  • Securitytoken
  • Timestamp

• XML encryption
  • Bodycontent
  • Usernametoken

• AuthMethod
  • BasicAuth
  • IDAssertion (From WebSphere Application Server - Express to another WebSphere Application Server
  • Signature
  • Lightweight Third Party Authentication (LTPA) on the server side
  • Other customer tokens

WebSphere Application Server - Express signs and encrypts the following elements for the response message:

• XML digital signature
  • Body
  • Timestamp

• XML encryption
  • Bodycontent

The namespaces used for sending a message were published by OASIS in draft 13, published on 13 May 2003. WebSphere Application Server - Express only uses these two name spaces for sending out requests and responses:

• http://schemas.xmlsoap.org/ws/2003/06/secext
• http://schemas.xmlsoap.org/ws/2003/06/utility

However, WebSphere Application Server - Express can also process these other name spaces for incoming requests and responses:

• April 2002 Specification
  • http://schemas.xmlsoap.org/ws/2002/04/secext

• August 2002 Addendum
  • http://schemas.xmlsoap.org/ws/2002/07/secext
  • http://schemas.xmlsoap.org/ws/2002/07/utility

WebSphere Application Server - Express provides the following capability for Web services security:

• Integrity of the message
• Authenticity of the message
• Confidentiality of the message
• Privacy of the message
• Transport level security: provided by Secure Sockets Layer (SSL)
• Security token propagation (pluggable)
• Identity assertion