This topic explains how WS-Security policies are applied to the SOAP messages that pass between web services and web service controls.
A WS-Security is controlled in WS-Security policy files. One part of a WS-Security policy determines the security requirements for SOAP messages coming into a web service or web service control. This part of the policy determines what sorts of security mechanisms must be present in an inbound SOAP message in order to pass the security gate. The other part of a WS-Security policy determines the security enhancements to be added to outgoing SOAP messages before they are sent out over the wire. This part of the policy file determines the kinds of security mechanisms that a web service or web service control adds to SOAP messages (with an eye toward meeting the security requirements of the recipient).
WS-Security policies are configured in WSSE files, an XML file with the .WSSE extension. The <wsSecurityIn> element describes the security requirements for incoming SOAP messages; the <wsSecurityOut> element describes the security enhancements added to outgoing SOAP messages.
To apply a WS-Security policy to a web service, add the annotations @jws:ws-security-service and @jws:ws-security-callback to the web service file.
/** * @jws:ws-security-service file="MyWebServicePolicy.wsse" * @jws:ws-security-callback file="MyWebServicePolicy.wsse" */ public class MyWebService implements com.bea.jws.WebService
If the web service communicates synchronously with its clients, you only need to use the @jws:ws-security-service annotation. If the web service sends callbacks to its clients, you must use both annotations.
The following illustration shows how policy files are applied to the SOAP messages sent and received by web services.
To apply a policy file to a web service control, use the control annotations @jc:ws-security-service and @jc:ws-security-callback.
/** * @jc:ws-security-service file="TargetControlPolicy.wsse" * @jc:ws-security-callback file="TargetControlPolicy.wsse" */ public interface TargetControl extends com.bea.control.ControlExtension, com.bea.control.ServiceControl
If your web service control communicates synchronously with its target web service, you only need to use the @jc:ws-security-service annotation. If the control receives callbacks from its target service, you must use both annotations.
The following illustration shows how policy files are applied to the SOAP messages sent and received by web service controls.
WS-Security Policy File Elements
WS-Security Policy File Reference (WSSE File Reference)
@jws:ws-security-service Annotation
@jws:ws-security-callback Annotation
@jc:ws-security-service Annotation
@jc:ws-security-callback Annotation