Web Service wsse security implementation

Question

I am creating a web service using IBM JAX-RPC/JAX-WS. I am trying to implement the wsse security but not able to figure out the exact steps for achieving the same. I will be using RSA 7.5 and Websphere 7 for this web service.

Reading the documentation, I was totally lost since I am new to it and don't have any idea about the same.

Can someone list me the steps for how to implement the wsse security for the web service?

I have been struggling on this since past few days.

EDIT

I want the authentication to be done in the header, it should look something like this:

<header>
    <authenticationInfo>
        <userID></userID>
        <password></password>
    </authenticationInfo>
</header>

Other than using the handler and altering the header content, is there some other way to achieve the same?

Answer 1

For web services (SOAP based), the security part is generally handled by web services handlers. Handlers are applicable for both the client and server side. For typical security use case,

1. On client side, the handlers intercept the request before being send to server and inserts a security header in the SOAP message.
2. On server side, the handlers intercept the request and check for the SOAP request contains appropriate security headers. This happens before it handled by request handlers.

Here is a nice link on WS security in general I came across. Its not IBM or java specific but an informative read nevertheless.

To answer you question for step by step guide, I could not find any standard RSA 7.5 specific articles but since JAX-RPC is standard specification, it should be same. Here is once such example (Part1,Part2)

Answer 2

WebSphere has built-in support for WS-Security. See http://publib.boulder.ibm.com/infocenter/radhelp/v7r5/topic/com.ibm.webservice.wsfp.doc/topics/csecurews.html.