Ashutosh's Blog

What's New in This Release

The following features are new to the  2.0 FCS release of XWS-Security:

• Support for Securing JAXWS 2.0  applications. Serveral samples demonstrating how to secure JAXWS 2.0  applications are located in <jwsdp_install_dir>/xws-security/samples/jaxws2.0.
• Support for Securing SOAP 1.2 Applications.
  
• Partial support for WS-I Basic Security Profile (BSP) 1.0. The Current Limitations section includes a list of unsupported BSP assertions.
• Improved Overall Performance from XWS-Security 2.0 and an option to specify a boolean shema attribute named  optimize  on <xwss:JAXRPCSecurity> configuration element that allows certain common security usecases to be optimized under JAXWS 2.0.
• Refined, Simplified and Stable Programmatic APIs  (over what was present in previous releases). These APIs can be used by standalone SAAJ based applications for securing  SOAP Message exchanges. Refer javadocs and sample located at  <jwsdp-install-dir>/xws-security/samples/saajsecurity.
• Refined Dynamic Policy support  over what was present in previous releases. Refer javadocs and sample located at <jwsdp-install-dir>/xws-security/samples/dynamicpolicy.
• API  to obtain runtime properties set on a JAXRPC Stub or a JAXWS BindingProvider  inside a Callback. The runtime properties can be used by the callbackhandler to make dynamic decisions about the returned keys and security policies.
• The special QNAME constant  SOAP-BODY can now be used in XWS-Security configuration files to indicate a SOAP 1.1 or a SOAP 1.2 Body. For example one can write the following configuration to sign the SOAP Body irrespective of the SOAP Protocol.

What This Release Includes

This release includes the following XML and Web Services Security (XWS-Security) features:

• Support for securing JAXWS, JAX-RPC and SAAJ applications.
  
• A  security framework within which a JAXWS or JAX-RPC application developer will be able to secure applications by signing/verifying and/or encrypting/decrypting parts of a SOAP message and/or message Attachments. The message sender can make claims about the security properties by associating security tokens with the message. An example of a security claim is the identity of the sender, identified using user name and password.
• Web Services Security (WSS) interoperability scenarios. Developers will be able to send and receive messages compliant with the WSS Soap Message Security specification. Developers can use the framework to implement applications which have security requirements similar to those defined in the WSS interoperability scenarios. More information on the scenarios can be found at Draft Spec for Interop1 (draft 5), Final Spec for Interop2 (draft 6), or from the Oasis home page.

  This release includes samples that demonstrate the following WSS interoperability scenarios:

  • WSS Interop Scenarios 1, 2, 3, 4, 5, and 6 are demonstrated in the simple sample.
  • SwA Interop Scenarions 1, 2, 3, and 4 are demonstrated in the swainterop sample.
  • SAML Interop Scenarios 1, 3, and 4 are demonstrated in the samlinterop sample.
• XWS-Security APIs for securing applications that make use of SAAJ APIs only. Developers who are using plain SAAJ (and not JAX-RPC) can make use of these APIs in conjunction with XWS-Security to secure their SOAP messages.  Refer javadocs and the sample <jwsdp-install-dir>/xws-security/samples/saajsecurity for more details.

• Advanced Encryption Standard AES-256 is supported as a data encryption algorithm.