What is Apache WSS4J™?

This page describes what Apache WSS4J is and what functionality it supports. For more information about how to use WSS4J, see the Using Apache WSS4J page.

The technical answer

The technical answer is that Apache WSS4J provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC. WSS4J provides an implementation of the following WS-Security standards:

The less technical answer

Apache WSS4J is designed to be used with a Web Services stack such as Apache CXF or Apache Axis to secure SOAP messages. It offers the following high level functionality:

  • Message Confidentiality
  • Message Integrity
  • Message Authentication
  • Message Authorization

WSS4J uses the functionality of Apache Santuario to encrypt SOAP Messages. Typically, the SOAP Body as well as a UsernameToken in the security header are encrypted. WSS4J supports both Symmetric and Asymmetric encryption. Typically, a Symmetric Key is generated and used to encrypt the SOAP Body/UsernameToken, and then the Symmetric Key is in turn encrypted by the public key of the recipient and included in the security header of the request.

WSS4J also provides the ability to ensure message integrity by applying XML Signature to a SOAP request. Typically, the SOAP Body, Timestamp, WS-Addressing headers, as well as any other token in the security header are signed. Both Symmetric and Asymmetric Signature are supported. WSS4J supports using a secret key associated with a token, such as a Kerberos Token or a key derived from a UsernameToken, to sign (as well as to encrypt) a request.

As well as providing message confidentiality and integrity, WSS4J allows for client authentication in a number of different ways. The most common way is to include a username and password in a UsernameToken included in the security header. The message recipient can plug in a WSS4J Validator to validate the received credentials. Authentication is also supported via Kerberos Tokens, SAML Assertions (when used with "HolderOfKey"), and Asymmetric Signature.

Finally, WSS4J supports message authorization using an RBAC approach. This can be supported via the use-case of UsernameTokens validated using the JAAS Validator that ships with WSS4J. This stores the JAAS Subject in the WSS4J results list, and can be used by the web services stack to populate a security context. Similarly, authorization can be supported using Claims extracted from a SAML (Attribute) Assertion.