I'm working for a company which is involved in developing highly secure web services for banking applications. Web services will be created and consumed in order to establish communication with applications already in use at the bank. The web services will be deployed on JBoss server. Which web service frameworks/engines are best suited for high security applications? I did some research and have shortlisted a few. They are as follows.
I've even read that JBoss server has some in-built web services engine but haven't gathered much info on that. Also I've read that Apache Axis2 implements security features using Apache Rampart. How effective is Apache Rampart? Is it suited for the application mentioned above? Are there any other security implementations other than Rampart for Axis2?
Which framework/engine should I choose? Are there any good and reliable frameworks with strong community support, other than those mentioned above?
The most recent versions of JBoss use CXF as the underlying web services engine (although they do have their own implementation that they maintain as well).
For security situations, the best bet of the three is definitely Apache CXF. The CXF developers (in particular, Colm and Oli) are the folks that are driving most of the enhancements in the security space. The last released version of Rampart is using a fairly old version of WSS4J which does not contain many of the new features and enhancements that CXF users are enjoying.
A good resource to look through is Colm's blog: http://coheigea.blogspot.com/
You can see how much work he has put into making sure CXF has the best WS-Security implementation, a very good STS, etc. Oli's blog (http://owulff.blogspot.com/) has started to document extensions to Tomcat and such to support WS-Federation and SSO, again based on work being done for CXF.