Web Service Standards, Security & Management

Nov 2, 2013

Web Service Standards,
Security & Management


Chris Peiris

www.ChrisPeiris.com

11 Oct 2006

© ChrisPeiris.com


Agenda

- Web Services Standards
  - OASIS
  - WS-I
- Web Service Security
- Web Service Management
- Future Enterprise SOA trends
  - Web 2.0, Ajax, SaaS



Where are we heading?


Web Services Standards

- SOA Demo 1
- Real World SOA
  - Many vendors: IBM, SUN, Microsoft, BEA etc.
  - How do they communicate with each other?
  - Standards!!


Web Services Standards

- Tale of “many vendors”
  - Do “it our way”, or else we cannot assist you!
  - IBM, Sun & Microsoft were instrumental in creating the first drafts.
- Who owns the standards?
  - OASIS - Organization for the Advancement of Structured Information Standards.



OASIS

- OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML).
- OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards.


Implementing OASIS standards

- What do the OASIS standards try to address?
  - Interoperability
  - Common methodology
  - Increased efficiency
- Is there a specialized body that’s taken the responsibility of implementing these OASIS standards?


WS-I

- WS-I Interoperability
  - The Web Services-Interoperability Organization (WS-I) is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages.
- WS-I Basic Profile
  - http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-04-16.html



WS-I Basic Profile

The WS-I Basic Profile defines an interoperable subset of the core Web services specifications (XML Schema, SOAP 1.1, WSDL 1.1, UDDI 2.0) by specifying refinements, interpretations, and clarifications of these specifications.


Basic Profile Specifications

- Simple Object Access Protocol (SOAP) 1.1
- Extensible Markup Language (XML) 1.0 (Second Edition)
- RFC2616: Hypertext Transfer Protocol -- HTTP/1.1
- RFC2965: HTTP State Management Mechanism
- Web Services Description Language (WSDL) 1.1
- XML Schema Part 1: Structures
- XML Schema Part 2: Datatypes
- The UDDI Version 2.04 API Published Specification, Dated 19 July 2002
- UDDI Version 2.03 Data Structure Reference, Published Specification, Dated 19 July 2002
- Version 2.0 UDDI XML Schema 2001
- UDDI Version 2.03 Replication Specification, Published Specification, Dated 19 July 2002
- Version 2.03 Replication XML Schema 2001
- UDDI Version 2.03 XML Custody Schema
- UDDI Version 2.01 Operator's Specification, Published Specification, Dated 19 July 2002



Web Service Specifications

Web services specifications compose together to provide interoperable protocols for Security, Reliable Messaging, and Transactions in loosely coupled systems. The specifications build on top of the core XML and SOAP standards.




Messaging Specifications

- SOAP
- WS-Addressing
- MTOM (Attachments)
- WS-Eventing
- WS-Transfer
- SOAP-over-UDP
- SOAP 1.1 Binding for MTOM 1.0



Security Specifications

- WS-Security: SOAP Message Security
- WS-Security: UsernameToken Profile
- WS-Security: X.509 Certificate Token Profile
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Trust
- WS-Federation
- WS-Security: Kerberos Binding
- Web Single Sign-On Interoperability Profile



Web Services Security

- OASIS Standard 1.1
- The following documents make up the WS-Security 1.1 OASIS standard:
  - WS-Security Core Specification 1.1
  - Username Token Profile 1.1
  - X.509 Token Profile 1.1
  - SAML Token Profile 1.1
  - Kerberos Token Profile 1.1
  - Rights Expression Language (REL) Token Profile 1.1
  - SOAP with Attachments (SWA) Profile 1.1



What do they solve?

- Authentication
- Authorization
- Non-repudiation
- Digital signatures & signing messages
- Data integrity
- Hashing

How do they implement it?

- Using tokens
  - Multiple implementations: SAML, Kerberos, certificates, custom tokens
  - Certificates are issued by ‘trusted’ vendors (RSA, Verisign)
  - Kerberos tokens are used by the Windows operating system to manage user credentials




Vendor Implementation of WS-Security

- Microsoft
  - Web Services Enhancements
  - Windows Communication Framework
- IBM
  - SOAP Extensions to WebSphere
- BEA
- Sun Java
- Every major vendor has implemented WS-Security in its programming stack.
- Demo 2: Microsoft WS-Security implementation using WSE
- However, what is the standard way to exchange this WS-Security information programmatically? Is there a preferable markup language that we can use?


What is SAML?

Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization.

- Assertions: declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
- Request/response protocol: this defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP.
- Bindings: this details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
- Profiles: these dictate how SAML assertions can be embedded or transported between communicating systems.
- Implemented as tokens


WS Federation


Federated Security Model



Advantages of Federated Security Model

- The flexibility of proving one set of credentials to a user (e.g. a certificate presented by the client) and converting it to another set of credentials (e.g. a SAML token) can be utilized in many scenarios to add value to the customers.
- We also have the flexibility of altering our internal implementation (e.g. the client can provide a username/password pair to replace the certificate) while our external implementation of the claims will not change (e.g. the broker will still create the same SAML token from the username/password pair).
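The assertion structure from the SAML slide and the credential conversion described on this slide, as one added example that is not part of the original deck: a broker (security token service) accepts either a client-certificate subject or a username/password pair and issues a SAML 2.0 assertion with the same subject and attribute claims either way, recording only in the AuthnContext which credential was presented; the relying party checks the signature, issuer, validity window and audience restriction before using the claims, and never sees the original credential. The SAML namespace and authentication-context class URIs are the real ones; the directory, the issuer and audience names, the class and function names (TokenService, RelyingParty, demo) and the shared key are constructed, and an HMAC over the serialised assertion stands in for the XML Signature a real STS would produce.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Authentication context classes defined by SAML 2.0
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def tag(name):
    return f"{{{SAML}}}{name}"


class TokenService:
    """The broker: authenticates with either credential type, issues the same claims."""

    def __init__(self, issuer, signing_key):
        self.issuer, self.key = issuer, signing_key
        # Constructed directory: certificate subjects and passwords both map to one
        # internal identity; the claims hang off that identity, not the credential.
        self.cert_subjects = {"CN=alice,O=Example Corp": "alice"}
        self.passwords = {"alice": "s3cret"}
        self.claims = {"alice": {"role": "purchaser", "credit-line": "5000"}}

    def _authenticate(self, credential):
        if credential[0] == "x509":   # subject DN of a client certificate TLS already validated
            return self.cert_subjects.get(credential[1]), AC_X509
        if credential[0] == "password":
            user, password = credential[1], credential[2]
            if user in self.passwords and hmac.compare_digest(self.passwords[user], password):
                return user, AC_PASSWORD
        return None, None

    def issue(self, credential, audience, now=None, lifetime=timedelta(minutes=5)):
        """Return (assertion_xml, signature) or None when authentication fails."""
        user, authn_class = self._authenticate(credential)
        if user is None:
            return None
        now = now or datetime.now(timezone.utc)
        stamp = now.strftime(TIME_FMT)
        a = ET.Element(tag("Assertion"), Version="2.0", ID="_" + secrets.token_hex(8), IssueInstant=stamp)
        ET.SubElement(a, tag("Issuer")).text = self.issuer
        ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = user
        cond = ET.SubElement(a, tag("Conditions"), NotBefore=stamp,
                             NotOnOrAfter=(now + lifetime).strftime(TIME_FMT))
        ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = audience
        authn = ET.SubElement(a, tag("AuthnStatement"), AuthnInstant=stamp)
        ET.SubElement(ET.SubElement(authn, tag("AuthnContext")), tag("AuthnContextClassRef")).text = authn_class
        attrs = ET.SubElement(a, tag("AttributeStatement"))
        for name, value in self.claims[user].items():
            ET.SubElement(ET.SubElement(attrs, tag("Attribute"), Name=name), tag("AttributeValue")).text = value
        xml = ET.tostring(a, encoding="unicode")
        # Assumption: HMAC over the serialised assertion instead of XML Signature.
        return xml, hmac.new(self.key, xml.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The external service: trusts the broker's signed claims, never the raw credential."""

    def __init__(self, trusted_issuer, key, audience):
        self.issuer, self.key, self.audience = trusted_issuer, key, audience

    def validate(self, assertion_xml, signature, now=None):
        """Return (True, claims) or (False, reason)."""
        expected = hmac.new(self.key, assertion_xml.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        a = ET.fromstring(assertion_xml)
        if a.findtext(tag("Issuer")) != self.issuer:
            return False, "untrusted issuer"
        cond = a.find(tag("Conditions"))
        if cond is None:
            return False, "no Conditions"
        now = now or datetime.now(timezone.utc)
        not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        if not not_before <= now < not_after:
            return False, "outside validity window"
        if self.audience not in [e.text for e in cond.iter(tag("Audience"))]:
            return False, "wrong audience"
        claims = {"subject": a.findtext(".//" + tag("NameID")),
                  "authn": a.findtext(".//" + tag("AuthnContextClassRef"))}
        for attr in a.iter(tag("Attribute")):
            claims[attr.get("Name")] = attr.findtext(tag("AttributeValue"))
        return True, claims


def demo():
    """Constructed scenario: the same user reaches the same service via certificate and via password."""
    key = b"broker-and-service-shared-key"   # constructed for the example
    now = datetime(2006, 10, 11, 9, 0, 0, tzinfo=timezone.utc)
    sts = TokenService("urn:example:broker", key)
    orders = RelyingParty("urn:example:broker", key, "urn:example:orders")
    by_cert = sts.issue(("x509", "CN=alice,O=Example Corp"), "urn:example:orders", now)
    by_pw = sts.issue(("password", "alice", "s3cret"), "urn:example:orders", now)
    ok_cert, claims_cert = orders.validate(*by_cert, now=now + timedelta(seconds=10))
    ok_pw, claims_pw = orders.validate(*by_pw, now=now + timedelta(seconds=10))
    return {
        "cert": claims_cert if ok_cert else None,
        "password": claims_pw if ok_pw else None,
        "tampered": orders.validate(by_cert[0].replace("purchaser", "admin"), by_cert[1], now=now)[1],
        "expired": orders.validate(*by_cert, now=now + timedelta(minutes=6))[1],
        "wrong_audience": RelyingParty("urn:example:broker", key, "urn:example:other").validate(*by_cert, now=now)[1],
        "bad_password": sts.issue(("password", "alice", "nope"), "urn:example:orders", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Swapping the certificate for a password changes only the broker's `_authenticate` step and the AuthnContextClassRef in the token; the subject, the attributes and every check the relying party performs stay the same, which is the point of the slide. The audience restriction is what stops a token issued for one service from being presented to another.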


More Specifications

- Reliable Messaging Specifications
  - WS-ReliableMessaging
- Transaction Specifications
  - WS-Coordination
  - WS-AtomicTransaction
  - WS-BusinessActivity



Web Services Management

- Web services enable heterogeneous software environments to share data to facilitate business needs. They support open standards (XML, SOAP, WSDL, UDDI) that will enable a "common communication platform" between distributed business partners.
- Web services can be built on many software platforms (Microsoft, Java, IBM). All implementations focus on the "creation" and the "consumption" of web services.
- However, the concept of "managing the web service" is not explored in detail.



Web Service Management

- Is there a framework to provide guidance to manage web services architecture?
- Demo 3
- Is there a unified set of principles that can be used with heterogeneous technologies to manage web services on multiple software platforms?
- Will WS-Management answer these questions? Can an agent framework be utilized to manage web services features, for example ‘security’?


Web Service Management Specifications

- Management Specifications
  - WS-Management
  - WS-Management Catalog
- Business Process Specifications
  - BPEL4WS (Business Process Execution Language for Web Services Specification)
- Demo 4: Managing SOA apps



Future SOA Trends

- Rich UI Platforms / Smart Clients
  - Ajax / Atlas
  - Web 2.0
  - Demo 5
- SaaS (Software as a Service)
  - Not a product, but a service!
  - Why? More allocation of cost / more control over cost centers
  - Infrastructure as a Service
  - Demo 6