Skip to main content

XML and WebServices Security (XWSS) FAQ

      NOTE: This is an initial version of  XWSS FAQ, we will be adding more FAQ's soon......
  1.  What is XWSS ? :  XWSS stands for XML and WebServices Security runtime. it is part of  Project GlassFish and is used for securing WebServices requests and responses
  2. What are the Standards on which  XWSS is based on ?:  XWSS 2.0 was based on  OASIS WSS specification version 1.0 and XWSS 3.0 is based on OASIS WSS specification 1.1
  3. What is the current XWSS Version ? :   The current version of  XWSS is XWSS 3.0.  The previous version of  XWSS was XWSS 2.0
  4. How can i obtain XWSS 3.0  ? :  You can obtain the latest nightly of  XWSS 3.0 from the download button on :
  5. How can i obtain XWSS 2.0  ? :   You can obtain XWSS 2.0 from the download button on :
  6. Is XWSS 3.0 backward compatible with XWSS 2.0 ? :  Yes XWSS 3.0 is supposed to be backward compatible with XWSS 2.0, if you find any compatibility issues please report them at for file an Issue using the Issue Tracket link on
  7. What is the relationship of  XWSS 3.0 with JWSDP ? :   The last release of  JWSDP was JWSDP 2.0 and it contained XWSS 2.0, JWSDP has been phased out since then and now you can obtain the Latest WebServices Technologies from Sun's  Project Tango (
  8. Which version of XWSS is present in  project Tango ? :  XWSS 3.0.
  9. What are the new Features in XWSS 3.0 over and above XWSS 2.0 ?:  
  1. XWSS 3.0 supports OASIS WSS 1.1, most notable are the features such as support for EncryptedKeySHA1, SingatureConfirmation etc.  
  2. The Security Configuration Language that was supported in XWSS 2.0 continues to be supported in XWSS 3.0, however none of the new features of XWSS 3.0 can be exercised using the  XWSS 2.0 style security configuration language. This is because  XWSS 3.0 now supports  WS-SecurityPolicy which is bound to become an interoperable standard for expressing Security Policies of a WebService in the WSDL.
  3. XWSS 3.0 also has a new STREAMING implementation of  the Security Features (namely Signature and Encryption) which makes XWSS 3.0 perform much better than XWSS 2.0.  Again these streaming features are not utilized when one uses  XWSS 2.0 style security configuration files. The benefits of  STREAMING come in when XWSS 3.0 is used in the WSIT context  Via  WS-SecurityPolicy.
  • Where do we get the latest  WSIT nightly builds from  ? :
  • What does one need to do to get XWSS 3.0 ? :  there are 3 ways one can get XWSS 3.0
    1. Download Latest versions of  GlassFishV2 Builds and it will automatically have latest  XWSS 3.0 in it, infact all the WebServices components that are part of  WSIT are integrated periodically into GlassFish.
    2. If you are using  WSIT (WS-*) features and want to use the latest WSIT nightly which has an Urgent BugFix in XWSS 3.0 then you can download the  latest WSIT nightly (Question 10 above) and then install it on top of  GlassFish to override the previous version, here are the steps to install WSIT on GlassFish
    1.  download nightly from :
    2.  java -Xmx256m -jar jax-ws-latest-wsit-installer_nightly.jar
    3.  cd jax-ws-latest-wsit
    4.  export AS_HOME=<directory of your GF install root>
    5.  ant -f wsit-on-glassfish.xml install
    6.  restart the Appserver and run the App again.
  • If you are using XWSS 3.0 with XWSS 2.0 style configuration files and are not using WSIT then you can download the latest  XWSS 3.0 nightly from
  • How do i report issues in XWSS ?:
    1. If you are using XWSS 3.0/XWSS 2.0 in standalone mode (i.e if you are not using WSIT Features) then you can file an Issue on XWSS using the Issue Tracker link on
    2. If you are using WSIT Security features then you can report issues at or  ask a question at  :
  • What are the new features planned in XWSS 3.0 going forward  ? :  The next major feature to come soon is the support for Kerberos Token Profile support. Other things will include increased support for the latest  WS-SecurityPolicy specification
  • What Platforms does XWSS 3.0 Support ? :
    1. When using XWSS 2.0 style Security Configuration Files, XWSS 3.0 can be used with
    1. JAX-RPC
    2. JAX-WS 2.0
    3. JAX-WS 2.1
    4. As StandAlone Programmatic API's
  • WSIT style Security (via WS-SecurityPolicy)  is only supported  with JAXWS 2.1
  • Where do i post  questions/feedback on  WSIT Security ? : ,
  • Where do i post questions/feedback on  XWSS 3.0 ? :
  • Can XWSS 3.0 be used on TOMCAT or other Conatiner(s) ? :  Yes, we have tested XWSS on TOMCAT, we have not tested other container(s)
  • Can WSIT and WSIT Security be used on TOMCAT or  other Container(s) ?:  Yes,  WSIT has been tested on TOMCAT, and  several user(s) have been successful in overlaying WSIT on top of  other Container(s).
  • When using WSIT Security, do i need to write the WS-SecurityPolicy Assertions Manually in the WSDL ?:  No,  there is good support in NetBeans to do WSIT Security.
  •  Where do i download NetBeans and WSIT Plugin for NetBeans ? :
  •  What version of  NetBeans should i download to install the WSIT plugin ?:  Currently NetBeans 5.5.1 work well with WSIT Plugin, and NetBeans 6.0 is currently undergoing testing with WSIT Plugin.
  • Where do i get documentation/Tutorials on using WSIT Security ? :  You can get the documentation for WSIT Milestones from
  • Where do i get the Status Notes on known bugs and issues in WSIT Security  ?:*checkout*/wsit/wsit/status-notes-milestone-3.html
  •  Where can i find more information on KeyManagement on GlassFish ? :  The following article is a good starting point.
  •  How do i turn on Debug Logs for  a Signature Verification Failure or any Signature related Failure in  XWSS 2.0 ? : Add the entry FINEST in your <JAVA_HOME>/jre/lib/
  • How do i turn on Debug Logs  for WSIT Security ?:
    To enable logging for Security in WSIT, you need to set following logging properties:
    com.sun.xml.wss.logging.impl.opt.level = FINEST
    com.sun.xml.wss.logging.impl.opt.crypto.level = FINEST
    com.sun.xml.wss.logging.impl.opt.signature.level = FINEST
    com.sun.xml.wss.logging.impl.opt.token.level = FINEST
  •  How do i turn on Debug Logs for XWSS 3.0 ? :  If you are using XWSS 3.0 jars but you are programming with XWSS 2.0 style configuration files (that means you are not using WSIT Security) then the way to enable debugging logging for Signatures is the same as in Question 25 above, i.e setting FINEST

    Please Confirm