Google Summer of Code 2009 – Project Proposal

Subject ID



WS-Security support for JAX-WS Web Services





To integrate and enable the WS-Security features of Apache Axis2 and Apache CXF in Apache Geronimo

Project Description

Apache Geronimo supports two JAX-WS providers: Axis2 and CXF and both of these libraries have some WS-Security features. But these features are not integrated/enabled in Geronimo. So the goal is to enable these features from within Geronimo. That involves basically two things:

1) that the modules (i.e. WSS4J) that provide the WS-Security features for Axis2 and CXF are installed with Geronimo, and

2) that the WS-Security features such as [XML Security ('XML Signature' - allows one to send along with the message a digital signature of it, which assures that no one modified the message content between the sender and receiver, 'XML Encryption' -allows one to encrypt the message body or only its part using the given cryptography algorithm) and Tokens ('Username Tokens' - WS-Security scenario adds username and password values to the message header, 'Timestamps' - Timestamps specify how long the security data remains valid, 'SAML Tokens')] can be enabled and configured on web services via Geronimo deployment descriptors and/or annotations. For example, given some web service that is annotated with @WebService; so to ensure that the service only accepts WS-Security -secured messages, it should be something like “to add @WS-Security annotation”.

Further in detail, we can consider WS-Security policies which can be applied to the SOAP messages that pass between web services and web service controls. A WS-Security is controlled in WS-Security policy files. The WS-Security policy file (WSSE file) defines the security policy applied to the SOAP messages that pass between web services and their clients.[1]

So we can use something like following annotation @WS-Security file="MyWebServicePolicy.wsse" Example: @WebService @WS-Security file="MyWebServicePolicy.wsse"

public class xyz

The @WS-Security annotation determines the WS-Security policy file (WSSE) to be applied to (1) incoming SOAP invocations of the web service's methods and (2) the outgoing SOAP messages containing the value returned by the web service's methods.[1]. The attribute file in the above mentioned annotation specifies the path to the WS-Security policy file (WSSE file - MyWebServicePolicy.wsse) used by the web service.

Besides configuring WS-Security properties for web services we also need to configure the same sort of properties for Web Service references (@WebServiceRef) so that clients can also make WS-Security secured calls.

In addition, I think we can also define some security feature something like SecurityFeature similar to other WebService Feature(s) such as AddressingFeature, MTOMFeature and RespectBindingFeature . This new feature can also have the “enabled property” like other features that is used to store whether a particular feature should be enabled or disabled. This type should provide either a constructor argument and/or a method that will allow the web service developer to set the enabled property. The meaning of enabled or disabled is determined by each individual WebServiceFeature. It is important that web services developers be able to enable/disable specific features when writing their web applications. [2]

Rough Timeline

April 20 - May 05

-Studying about WS-Support in both Apache CXF and Apache Axis2. -Doing some research on the Web Servers available in the market about enabling the WS-Security (about using or not using WS-SecurityPolicy). -Posting ideas on maining list and come to conclusion that what should be correct way in all terms.

06 May - 16 June

- Adding basic WS-Security support for Username Token Profile and X509 Certificate Token Profile without using WS-SecurityPolicy - Configuring WS-Security properties for web services and for Web Service references

16 June - 05 July

-Adding support for WS-SecurityPolicy

05 July - 05 August

-Adding support for WSSecurityFeature

05 August - 17 August

-Testing period for WS-Security support


  1. To provide the following of WS-Security features support in Apache Geronimo:

    -> To add support for Username Profile (processes the username token and validates the credentials contained within it against the Web service's configured security provider) by using/without using WS-SecurityPolicy

    -> To add support for X509 Profile (to authenticate against the receiving Web service) using/without using WS-SecurityPolicy

    -> To add support for SAML Token Profile (optional)

  2. Testing for both web service and web service client for WS-Security support
  3. Clear Documentation
  4. Future work indication




Additional Information:

This proposal is under discussion and refinement process on the mailing list of Apache Geronimo and on the following link:

About Me:

Presently, I am doing my Master degree from India. I have studied Master degree in CS from Machester University, UK and worked on some short-term projects and involved in Software development life cycle. I have good programming development experience with WS-Specifications, protocols and Java.

rahulsoa (last edited 2009-09-20 23:35:39 by localhost)