The Application Server conforms to the WSS Soap Message Security specification, which can be viewed from the URL http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf. This specification is used in the Application Server’s underlying implementation of Web Services Security.
Some of the terminology used in this document is described in the WSS specification, and is summarized here. The concepts are also discussed in "Configuring the Application Server for Message Security".
The authentication layer is the message layer on which authentication processing must be performed.
In this release of the Sun Java System Application Server, the Application Server invokes authentication providers to process SOAP message layer security.
The default server provider is used to identify the server provider to be invoked for any application for which a specific server provider has not been bound.
The default client provider is used to identify the client provider to be invoked for any application for which a specific client provider has not been bound.
The request policy defines the authentication policy requirements associated with request processing performed by the authentication provider. Policies are expressed in message sender order, so a requirement that encryption occur after content (that is, after the content has been signed) means that the message receiver is expected to decrypt the message before validating the signature.
Read "Actions of Request and Response Policy Configurations" for more information on request policies.
The response policy defines the authentication policy requirements associated with response processing performed by the authentication provider. Policies are expressed in message sender order, so a requirement that encryption occur after content (that is, after the content has been signed) means that the message receiver is expected to decrypt the message before validating the signature.
To achieve message security, the request and response policies must be enabled on both the server and client. These policies are configured based on the type of authentication policies to be used. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.
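As an added illustration (not code from the Application Server, the WSS specification, or any of its providers), the following Python models what "expressed in message sender order" means for the request and response policies and why the client policy must match the server policy. The step names "sign" and "encrypt", the keys, and the SOAP body are constructed for the example; the SHA-256 keystream only stands in for XML Encryption so that the effect of processing order can be observed, and the HMAC tag plays the role of a signature over the body.

```python
"""Model of message-layer protection policies expressed in sender order.

Added illustration; not code from the Application Server. "sign" and "encrypt"
are constructed step names, and the keys below are constructed sample values
(a real provider takes its keys from the configured keystore aliases).
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-signing-key"        # constructed sample value
ENCRYPTION_KEY = b"constructed-encryption-key"  # constructed sample value
TAG_LEN = 32                                    # SHA-256 HMAC tag length


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for XML Encryption that makes the
    effect of processing order observable; not a cipher to deploy."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(data: bytes) -> bytes:
    """XOR the data with the keystream (stand-in for encrypting the body)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(ENCRYPTION_KEY, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes itself


def sign(data: bytes) -> bytes:
    """Prepend an HMAC tag, playing the role of a signature over the body."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest() + data


def verify(blob: bytes) -> bytes:
    """Validate the tag and return the signed content; fail closed otherwise."""
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("signature validation failed")
    return data


# What the sender does for each step, and what the receiver does to undo it.
SENDER_ACTIONS = {"sign": sign, "encrypt": encrypt}
RECEIVER_ACTIONS = {"sign": verify, "encrypt": decrypt}


def protect(policy, message: bytes) -> bytes:
    """Apply the policy steps in the order written (message sender order)."""
    for step in policy:
        message = SENDER_ACTIONS[step](message)
    return message


def receiver_order(policy):
    """The receiver undoes the steps last-first: a sender policy of
    ["sign", "encrypt"] means decrypt first, then validate the signature."""
    return list(reversed(policy))


def unprotect(policy, message: bytes) -> bytes:
    """Reverse the sender's policy; raises ValueError on a bad signature."""
    for step in receiver_order(policy):
        message = RECEIVER_ACTIONS[step](message)
    return message


def policies_match(client_policy, server_policy) -> bool:
    """Client and server must agree on the same steps in the same order."""
    return list(client_policy) == list(server_policy)


if __name__ == "__main__":
    body = b"<soap:Body><getQuote>SUNW</getQuote></soap:Body>"  # constructed
    policy = ["sign", "encrypt"]          # sign first, then encrypt
    wire = protect(policy, body)
    assert unprotect(policy, wire) == body
    print("receiver order:", receiver_order(policy))
    # Validating before decrypting sees ciphertext, not the signed content.
    try:
        verify(wire)
    except ValueError as exc:
        print("wrong order:", exc)
    print("client/server match:", policies_match(policy, ["encrypt", "sign"]))
```

Running the script shows the receiver deriving the reverse order from the sender's policy, a signature check that fails when it is attempted before decryption (the signature covers the plaintext, not the ciphertext), and a mismatch report when a client policy lists the steps in a different order from the server's.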
Developers can define application-specific protection policy (as opposed to overriding the default) by defining a message security binding in the Sun-specific application deployment descriptors. For more information on this topic, refer to the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".
Read "Actions of Request and Response Policy Configurations" for more information on response policies.
The authentication providers can perform multiple sign/encrypt operations when a corresponding flag is set on the request and/or response policies. The rules for mapping are as shown in Table 0-2.
See Also: