This documentation is for WSO2 Application Server 5.2.0. View documentation for the latest release.
Page Comparison - Service-Level Security Implementation (v.3 vs v.4) - Application Server 5.2.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


It provides 16 predefined, commonly-used security scenarios. All you have to do is to apply the required security scenario into your service through the service's dashboard. You can also define a custom security policy. Understanding  Understanding the exact security requirements is the first step in planning to secure Web services. Consider what security aspects are important to your service, whether it is the integrity, confidentiality, or both.    

Configuring security features

Security features are disabled in services by default. The  The following steps explain how to enable and configure them.

  1. Log in to the management console and select Services > List under the Main menu.  
  2. From the Deployed Services page that appears, click the service to which you want to enable security.  
  3. The service's dashboard opens. Click Security from the Quality of Service Configuration panel.
  4. Enable security for the service by selecting Yes .
  5. Enable the options you require from the list of 16 default security scenarios that appears.    You can read more details of the scenarios by clicking the browse icon in front of them.
    Security ScenariosImage Modified
    You can read more information about each security scenario by clicking on the icon next to each. We have also given a graphical view of each scenario in the next section.

    In addition to the default security scenarios, you can also refer to a custom security policy that is stored in Configuration Registry or Governance Registry.


  6. Click Next to open the Activate Security page, using which you can configure the security features selected previously. 

    If you selected a default security scenario, this page shows you the user groups, key stores etc. according to the selected security scenario. For example,

    • In a default scenario, if you select a policy that includes Username Token, you get the User Group panel to choose the users who are allowed to access the service
    • In a default scenario, if you have selected a policy that requires signing or encryption, the Trusted Key Stores and Private Key Store panels appear.

    If you refer to a custom security policy from Registry, this page shows all options on user groups and key stores from which you can select the ones relevant to your policy. Even  Even if you select irrelevant options, they will not be used at runtime.

The default security scenarios

The topics below explain the 16 default security scenarios provided by WSO2.

Table of Contents


10. SecureConversation - Sign Only - Service as STS - Bootstrap policy - Sign and Encrypt , Anonymous clients
 Image Modified

11. SecureConversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt , X509 Authentication


The above files are located in <PRODUCT_HOME>/repository/conf/security folder.

After selecting scenario 16, fill information about the service principal to associate the Web service with. You must specify the service principal name and password. The service principal must be already defined in the LDAP Directory server.