The Project

The Apache WSS4J™ project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC. WSS4J provides an implementation of the following WS-Security standards:

• SOAP Message Security 1.1
• Username Token Profile 1.1
• X.509 Certificate Token Profile 1.1
• SAML Token Profile 1.1
• Kerberos Token Profile 1.1
• SOAP Messages with Attachments Profile 1.1
• Basic Security Profile 1.1

Supported versions

The following Apache WSS4J releases are currently actively supported:

* Not yet released

News

• February 2025 - The Apache WSS4J team are pleased to announce the release of version 4.0.0. This is a major new release that features upgrades to OpenSAML v5, XML Security 4.0.0, with JDK 17 as a minimum supported version.

• November 2024 - The Apache WSS4J team are pleased to announce the release of version 3.0.4. It contains a new feature regarding key derivation (https://issues.apache.org/jira/browse/WSS-710) and also a Santuario and other upgrades.

• February 2024 - The Apache WSS4J team are pleased to announce the release of version 3.0.3. It contains an update to use XML Security for Java 3.0.4 and functionality to support key agreement using ECDH-ES.

• November 2023 - The Apache WSS4J team are pleased to announce the release of versions 3.0.2 and 2.4.3. These releases contain an upgrade to XML Security to pick up a recent CVE fix.

• July 2023 - The Apache WSS4J team are pleased to announce the release of versions 3.0.1, 2.4.2 and 2.3.4. These releases contain a fix for a bug with STR Transform and contain dependency updates.

• October 2022 - The Apache WSS4J team are pleased to announce the release of version 3.0.0. This is a major new release of WSS4J. Significant changes:

  • Moved from javax to jakarta namespace
  • OpenSAML 4.x upgrade
  • Santuario 3.0.x upgrade

  Please see the 3.0.0 release notes for more information.

• February 2022 - The Apache WSS4J team are pleased to announce the release of version 2.4.1. It fixes an issue with the timestamp in the WSS4J jars being invalid.

• November 2021 - The Apache WSS4J team are pleased to announce the release of version 2.4.0. This release contains relatively few changes, but picks up a new major version of Apache Santuario - XML Security for Java (2.3.0)

• September 2021 - The Apache WSS4J team are pleased to announce the release of versions 2.3.3 and 2.2.7. The main changes for these releases are updates to fix CVE issues in a few dependencies.

• December 2020 - The Apache WSS4J team are pleased to announce the release of versions 2.3.1 and 2.2.6. Please see the 2.3.1 release notes and 2.2.6 release notes for more information.

• June 2020 - The Apache WSS4J team are pleased to announce the release of version 2.3.0. This is a major new release of WSS4J. Significant changes:

  • Private key caching enabled which greatly speeds up private key retrieval for PKCS12 keys
  • OpenSAML 3.4.x upgrade
  • Santuario 2.2.x upgrade
  • EhCache 3.x upgrade
  • JDK 14 officially supported

  Please see the 2.3.0 release notes for more information.