Web Services Security at the message level
Web services message level security (Web Services Security or WS-Security) is a security quality of service (QoS) for web services applications. WS-Security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a web services environment.
WS-Security is provided as a Liberty
feature. The WS-Security run time that is provided in Liberty is based on the Apache CXF open source
services framework. The WS-Security feature in Liberty is limited by the features and function
of the Apache CXF framework. WS-Security must be explicitly enabled by enabling the
wsSecurity-1.1
feature. Make sure you also add the
appSecurity-2.0
, servlet-3.0
(or servlet-3.1
) and
jaxws-2.2
features, and other required Liberty features to the
server.xml file of Liberty.
WS-Security is configured by using the WS-SecurityPolicy within the WSDL file of a web service
application. To protect your web service application with WS-Security, your JAX-WS application must
contain a wsdl that has an embedded WS-Security policy. There must be a PolicyReference to the
embedded WS-Security policy in either the wsdl:binding
or
wsdl:operation
sections or both.