90 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Identity assertion (ID assertion) is a mechanism that propagates an already
authenticated identity from one server to another. The receiver can assume that
the identity has been authenticated because it trusts the sender. This is
particularly well suited to end-to-end security solutions.
WS-Security supports the following trust modes with a downstream server:
Basic authentication: The asserting server authenticates itself, sending a user
name and password in the SOAP header, in addition to the transmitted
Digital signature: The asserted identity is transmitted digitally signed by the
asserting server, along with the asserting server's X.509 certificate. This
provides both data integrity of the transmitted asserted identity and
authentication of the sender.
Presumed trust: In this case, communication flows inside a secure channel or
uses a secure transport protocol, so the asserting server does not need to
provide authentication data at the SOAP message level. Typically, this is
achieved using HTTP over SSL/TLS with client authentication, where the client
is the asserting server.
Section 6.5, “Identity assertion” on page 192, describes in detail how to configure
WS-Security identity assertion with WebSphere Application Server for z/OS.
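The following is an added example (not code from the Redbook or from WebSphere) that illustrates the basic authentication trust mode above from the receiver's side: the asserting server authenticates itself with a UsernameToken that carries a password, the asserted identity is assumed here to travel as a second UsernameToken without a password, and the receiver accepts that asserted identity only when the authenticating token belongs to a server on its own trusted-asserter list. The namespace URIs are the standard SOAP 1.1 and WS-Security 1.0 ones; the server names and passwords are constructed sample values.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Constructed sample: servers this receiver trusts to assert identities, keyed by
# the user name each presents in its own UsernameToken (clear-text only to keep
# the example self-contained; a real receiver would consult its user registry).
TRUSTED_ASSERTERS = {"asserting-server": "server-secret"}


def build_envelope(asserter, asserter_pw, asserted_user, body_text):
    """Asserting-server side: authenticate itself with a UsernameToken that
    carries a password, and attach the already authenticated end user as a
    second UsernameToken with no password (the asserted identity)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
        "<soap:Header><wsse:Security>"
        f"<wsse:UsernameToken><wsse:Username>{asserter}</wsse:Username>"
        f"<wsse:Password>{asserter_pw}</wsse:Password></wsse:UsernameToken>"
        f"<wsse:UsernameToken><wsse:Username>{asserted_user}</wsse:Username>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_text}</soap:Body></soap:Envelope>"
    )


def accept_asserted_identity(envelope_xml, trusted=TRUSTED_ASSERTERS):
    """Receiver side: return the asserted user name only if the token that
    authenticates the sender belongs to a trusted asserting server; raise
    PermissionError otherwise, so an unauthenticated or untrusted sender can
    never inject an identity of its choosing."""
    root = ET.fromstring(envelope_xml)
    tokens = root.findall("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    authenticating, asserted = None, None
    for tok in tokens:
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.findtext("wsse:Password", namespaces=NS)
        if pw is not None:
            authenticating = (user, pw)   # token proving who the sender is
        else:
            asserted = user               # identity the sender vouches for
    if authenticating is None or asserted is None:
        raise PermissionError("ID assertion needs a sender token and an asserted identity")
    sender, pw = authenticating
    expected = trusted.get(sender)
    if expected is None or not hmac.compare_digest(expected, pw):
        raise PermissionError(f"sender {sender!r} is not a trusted asserting server")
    return asserted
```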
5.5 Web services transport layer security
In this section, the different transport options for Web services are presented
along with the uses of each transport and how security can be applied.
5.5.1 Web services transports introduction
Web services can communicate using different transport mechanisms. The
transport mechanisms build upon, or are combinations of, other protocols or APIs.
The following terms help describe how Web services build upon or use existing
protocols and APIs.
Simple Object Access Protocol (SOAP) is a protocol for exchanging XML
messages over a computer network.
Hypertext Transfer Protocol (HTTP) is a protocol for transferring hypertext,
files, Web pages, and Web page components over the Internet or computer
Chapter 5. Web services security introduction 91
Secure Sockets Layer (SSL) is a cryptographic protocol to provide secure
communication over the Internet. SSL makes use of symmetric or asymmetric
key encryption, and can provide client certificate authentication (mutual
Hypertext Transfer Protocol over SSL (HTTPS) is HTTP communication over an
encrypted SSL connection.
Java Message Service (JMS) is a set of standard APIs for accessing
enterprise messaging systems from Java programs. JMS supports
publish/subscribe and point-to-point messaging, and is included in the J2EE
Remote Method Invocation over Internet Inter-ORB Protocol (RMI-IIOP) is
the use of Java Remote Method Invocation (RMI) interfaces over the IIOP
(CORBA) protocol. This is used for remote EJB calls, for example.
Java API for XML-based Remote Procedure Call (JAX-RPC) is a
transport-neutral process for performing XML-based remote procedure calls.
SOAP is transport-independent and can be bound to any protocol. SOAP over
HTTP is a commonly used transport protocol for Web services communication.
WebSphere also supports two other transport mechanisms for Web services:
SOAP over JMS, and RMI-IIOP with multiprotocol JAX-RPC. The different
transport options for Web services communication are summarized below with
the pros and cons of each.
SOAP over HTTP
The SOAP over HTTP protocol is one of the most widely used transport protocols
for implementing Web services. HTTP is a request/response protocol between
client and server. HTTP is commonly used between client browsers and Web
servers for transferring files and Web content. The client usually initiates a
request by establishing a TCP/IP connection to a remote host using a
predetermined host name and port number. The host name and port may be
stored in the form of a Universal Resource Identifier (URI). The server listening
on the port waits for the client to send a request message, and responds with an
HTTP response message and status code. The body of the message can
comprise text data, an error code, or other information. A Web service can
send a SOAP message over the HTTP protocol (SOAP over HTTP) for
client/server communication, leveraging the benefits of HTTP.
There are certain advantages to using SOAP over HTTP for Web services. The
HTTP protocol is widely used in most Internet communication on various
platforms. SOAP over HTTP can be implemented in different programming
languages, allowing Web services to be portable and interoperable across
platforms. In J2EE, support for SOAP over HTTP has been standardized with the