Web Service Security, more commonly referred to as just WS-Security, is used to secure SOAP messages. For example, let's say you are using the wsadmin.sh (Linux) or wsadmin.bat (Windows) commands to perform some task. Almost always, wsadmin will send a SOAP message from system "a" (such as the dmgr) to system "b" (such as the appserver).
When administrative security is enabled, a username and password will need to be included in the SOAP message. With wsadmin, this can be done by adding the username and password to the soap.client.props file.
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=your_username
com.ibm.SOAP.loginPassword=your_password
com.ibm.SOAP.loginSource=none
WS-Security will use the UsernameToken specification to secure the password as it is being transmitted from system "a" to system "b". Remember, a SOAP message is nothing more than an XML file that gets transmitted from the sending system to the receiving system. Notice in this example that the username (john.doe) is in cleartext but the password has been obfuscated: the Type attribute on the Password element marks the value as a PasswordDigest.
<wsse:UsernameToken>
  <wsse:Username>john.doe</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">8JGH67ghHY67JFF8f+9fkfjbHGjkG81h=</wsse:Password>
</wsse:UsernameToken>