Web Service security (WS-security) is a SOAP-based security standard that provides Web services with message-level integrity, confidentiality and authentication.
With WS-security, the Simple Object Access Protocol (SOAP) message contains a SOAP header, which includes signature, encryption information, protocols for processing the secured information, and security tokens for credential propagation.
A WS-Security policy file (WSSE) is associated with a Web service so that both inbound and outbound SOAP messages are handled according to the security policy in the WSSE file.
Geronimo 2.2 has two WS-security providers: Axis2 for the Tomcat Web container and CXF for Jetty. They enable the following WS-security features in Web service development for Geronimo:
In this guide, CXF/Jetty will be used as an example.
You can specify various properties using a <property> element in the <port> section in
geronimo-web.xml for a CXF/Jetty client.
To configure WS-security properties, you only need to prefix each property with wss4j.in for inbound settings, or wss4j.out for outbound settings. For example:
Geronimo allows the CXF/Jetty client to send or receive signed or encrypted SOAP messages. You can enable this feature inside <port> in the geronimo-web.xml on the client side. The following code snippet is an example for both signing and encrypting:
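An added example (not from the Geronimo documentation) that checks the wss4j.in / wss4j.out prefix convention on a client <port> section requesting signing and encryption. The sample XML, its file names and key alias are constructed, XML namespaces are omitted, and flagging a direction that has properties but no action is an assumption about how WSS4J is driven.

```python
import xml.etree.ElementTree as ET

# Constructed <port> fragment; element layout, file names and the key alias
# are assumptions for illustration, not taken from the Geronimo documentation.
SAMPLE_PORT = """
<port>
  <port-name>CalculatorPort</port-name>
  <property name="wss4j.out.action">Signature Encrypt</property>
  <property name="wss4j.out.user">clientkey</property>
  <property name="wss4j.out.signaturePropFile">client-crypto.properties</property>
  <property name="wss4j.in.signaturePropFile">client-crypto.properties</property>
  <property name="wss4j.action">Timestamp</property>
</port>
"""

PREFIXES = {"wss4j.in.": "in", "wss4j.out.": "out"}


def split_wss4j(port_xml):
    """Return ({'in': {...}, 'out': {...}}, findings) for one <port> element."""
    settings = {"in": {}, "out": {}}
    findings = []
    for prop in ET.fromstring(port_xml).iter("property"):
        name = prop.get("name", "")
        value = (prop.text or "").strip()
        for prefix, direction in PREFIXES.items():
            if name.startswith(prefix):
                settings[direction][name[len(prefix):]] = value
                break
        else:
            # The convention requires a direction prefix; flag keys lacking one.
            if name.startswith("wss4j"):
                findings.append(f"{name}: missing in/out direction prefix")
    for direction, props in settings.items():
        # Assumption: settings without an action list are a misconfiguration.
        if props and "action" not in props:
            findings.append(f"wss4j.{direction}: properties set but no action")
    return settings, findings


def actions(settings, direction):
    """Security actions requested for a direction, e.g. ['Signature', 'Encrypt']."""
    return settings[direction].get("action", "").split()


if __name__ == "__main__":
    parsed, problems = split_wss4j(SAMPLE_PORT)
    print("outbound:", actions(parsed, "out"), "inbound:", actions(parsed, "in"))
    for p in problems:
        print("FINDING", p)
```

On the sample, the outbound side requests Signature and Encrypt, while the inbound side is reported because it carries a property but no action, and the unprefixed key is reported as missing a direction.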
Geronimo CXF/Jetty provides support for the UsernameToken Profile on the server side. For example, to enable the UsernameToken profile for the Web service CalculatorService, add the following lines in
Similarly, you can enable the service side to send or receive signed or encrypted SOAP messages by configuring the <port> section in
geronimo-web.xml. The following example passes security properties: