WSS in Java

WSS stands for Web Services Security or, shortly, WS-Security. This standard is commonly used to perform secure communications between web services and it’s underlying based on XMLDSig.

Most used toolkits in Java for WSS are:

  • XWSS from Sun (as part of the project Glassfish)
  • WSS4J from Apache

Both are mature solutions and both cover obligatory part of the standard. However, the implementation of optional parts of the standard produces conflicts in client-server communications between this toolkits.

Recently, we had to work with systems communicating through secure web services based on XWSS and WSS4j and we had to solve two problems:

  1. WSS4J doesn’t support InclusiveNamespaces in canonicalization methods of XMLDSig (WSS estandar covers this functionality as optional). 
  2. WSS4J doesn’t support signed timestamp (WSS estandar covers this functionality as optional).

For the first issue, we configured XWSS in order to avoid the unsupported use of the prefix in XML canonicalization.



Someone decided for the second issue to use non-signed timestamp. In my opinion, this option is unwise because of timestamp manipulation risk. But one can’t always win…

A deep comparison of XWSS and WSS4j can be found at