XWSS 2.0 on java.net
By ashutoshshahi on Mar 27, 2006
What's New in This Release
The following features are new to the 2.0 FCS release of XWS-Security:
- Support for Securing JAXWS 2.0 applications. Serveral
demonstrating how to secure JAXWS 2.0 applications are located in
- Support for Securing SOAP 1.2 Applications.
- Partial support for WS-I Basic Security Profile (BSP) 1.0. The Current Limitations section includes a list of unsupported BSP assertions.
- Improved Overall Performance from XWS-Security 2.0 and an
option to specify a boolean shema attribute named
optimizeon <xwss:JAXRPCSecurity> configuration element that allows certain common security usecases to be optimized under JAXWS 2.0.
- Refined, Simplified and Stable Programmatic APIs (over what
present in previous releases). These APIs can be used by standalone
SAAJ based applications for securing SOAP Message exchanges.
Refer javadocs and sample located at
- Refined Dynamic Policy support over what was present in
previous releases. Refer javadocs and sample located at
- API to obtain runtime properties set on a JAXRPC Stub or a JAXWS BindingProvider inside a Callback. The runtime properties can be used by the callbackhandler to make dynamic decisions about the returned keys and security policies.
- The special QNAME constant SOAP-BODY can now be used in XWS-Security configuration files to indicate a SOAP 1.1 or a SOAP 1.2 Body. For example one can write the following configuration to sign the SOAP Body irrespective of the SOAP Protocol.
<xwss:SignatureTarget type="qname" value="SOAP-BODY"/>
What This Release Includes
This release includes the following XML and Web Services Security (XWS-Security) features:
- Support for securing JAXWS, JAX-RPC and SAAJ applications.
- A security framework within which a JAXWS or JAX-RPC application developer will be able to secure applications by signing/verifying and/or encrypting/decrypting parts of a SOAP message and/or message Attachments. The message sender can make claims about the security properties by associating security tokens with the message. An example of a security claim is the identity of the sender, identified using user name and password.
- Web Services Security (WSS) interoperability scenarios.
be able to send and receive messages compliant with the WSS Soap
Message Security specification. Developers can use the framework to
implement applications which have security requirements similar to
those defined in the WSS interoperability scenarios. More information
scenarios can be found at
Draft Spec for Interop1 (draft 5),
Final Spec for Interop2 (draft 6), or from the Oasis home page.
This release includes samples that demonstrate the following WSS interoperability scenarios:
- WSS Interop Scenarios 1, 2, 3, 4, 5, and 6 are demonstrated
- SwA Interop Scenarions 1, 2, 3, and 4 are demonstrated in the
- SAML Interop Scenarios 1, 3, and 4 are demonstrated in the
- WSS Interop Scenarios 1, 2, 3, 4, 5, and 6 are demonstrated in the
- XWS-Security APIs for securing applications that make use of SAAJ
APIs only. Developers who are using plain SAAJ (and not JAX-RPC) can
make use of these APIs in conjunction with XWS-Security to secure their
SOAP messages. Refer javadocs and the sample
<jwsdp-install-dir>/xws-security/samples/saajsecurity for more details.
- Advanced Encryption Standard AES-256 is supported as a data encryption algorithm.