Presentation slides uploaded by clappingknave (Software and s/w Development), Dec 14, 2013

Web Service and Security

Lilly Wang

Agenda

Brief introduction to web services
Web service security
Wireless web services

Software Evolution

Mainframe based
Two-tier client server
Web-based N-tier client server
Web-centric, highly distributed systems

Web Service Basics

What is a web service?

Self-contained
Self-described (WSDL)
Interoperable standard interfaces
Dynamically discovered (UDDI)

Web Service Characteristics

Openly accessible over the Internet
Use XML messages for communication
Loosely coupled architecture
Involve one or more intermediaries
Heterogeneous in implementation technologies

Business Point of View

(diagram) Three roles: Requestor, Registry and Provider. The provider publishes its service to the registry, the requestor finds the service in the registry, and the requestor then binds to the provider.

Developer’s Point of View

How to achieve interoperability
How to transport data
How to achieve high performance

A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface.

Architecture

(diagram) Requestor, Registry and Provider. The provider's WSDL description is published to the registry and retrieved from it by the requestor; the registry is a UDDI registry; requestor and provider exchange SOAP messages.

SOAP

Simple Object Access Protocol
Originally used for RPC
A high-level protocol that defines only the message structure and a few simple rules for message processing
Data is packed inside a SOAP message for transport over the network
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

WSDL

Web Service Description Language
Service description component
A specification for describing a service that is provided or being searched for
http://www.w3.org/TR/2001/NOTE-wsdl-20010315

UDDI

Universal Description, Discovery and Integration
A technical spec for a business registry
Data stored in a standardized XML format
APIs for searching
The UDDI Business Registry is a fully operational implementation of the UDDI spec
http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html

Types of Web Services

Remote Procedure Call (RPC) type: call parameters and return values are serialized in SOAP messages. Data types are supported by XML Schema.

Document messaging (DOC) type: operates in asynchronous mode, similar to mailing-list robots. Good for mobile.


Web Service Security

Security Basics

Authentication
Access Control
Authorization
Data Integrity
Non-repudiation

Basic Security Mechanisms

Symmetric/Asymmetric Key Encryption
Message Digest
Message Authentication Codes (MAC)
Digital Signature
Digital Certificate

Web Service Security Technologies

X.509 Certificate (RFC 2585)
SSL/TLS (RFC 2246)
Kerberos Tickets (RFC 1510)
XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
XML Encryption (http://www.aleksey.com/xmlsec/)
XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)


Web Service Security Challenges

SOAP messages can be sent over different transport applications or protocols.

There may be legitimate intermediaries that need to access part or all of a SOAP message.

Point-to-Point Security

(diagram) Requester -> Intermediary -> Web Service, with a separate security context on each hop: one between the requester and the intermediary, another between the intermediary and the web service.

End-to-End Security

(diagram) Requester -> Intermediary -> Web Service, with a single security context spanning from the requester to the web service across the intermediary.

Proposed Security Specifications

Initial specifications: WS-Security, WS-Policy, WS-Trust, WS-Privacy

Follow-on specifications: WS-SecureConversation, WS-Federation, WS-Authorization

WS-Security

Is the foundation for all of the other specs
Provides end-to-end, message-level security for SOAP messages
Defines a SOAP Header element to carry security-related data
Security tokens are defined under the <Security> tag, containing <UsernameToken> and <BinarySecurityToken>

WS-Security

Message integrity is provided by XML Signature together with security tokens
Message confidentiality is provided by XML Encryption together with security tokens
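The two WS-Security slides above describe a <Security> header carrying a UsernameToken and an XML Signature providing message integrity. The following is an added example, not code from the slides or their author, that builds such a message with the JDK's own JAXP (DOM) and JSR 105 (javax.xml.crypto.dsig) APIs, signs the Body, validates the signature as a receiver would, and then shows that altering the Body invalidates it. The namespace URIs are those of the later OASIS WS-Security 1.0 (2004) standard rather than the 2002 drafts the slides refer to; the user name, password, operation element and RSA key are constructed sample values.

```java
// Added example, not from the slides: a SOAP 1.1 envelope whose <wsse:Security>
// header carries a UsernameToken (digest form) and an XML Signature over the Body,
// built with the JDK's JAXP (DOM) and JSR 105 (javax.xml.crypto.dsig) APIs.
// Namespaces are those of OASIS WS-Security 1.0 (2004); user, password, operation
// and the RSA key are constructed sample values.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class WsSecurityDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String XMLNS = XMLConstants.XMLNS_ATTRIBUTE_NS_URI;

    /** UsernameToken profile: Password_Digest = Base64(SHA-1(nonce + created + password)). */
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Creates a namespaced child element with optional text and appends it to parent. */
    static Element child(Document doc, Element parent, String ns, String qname, String text) {
        Element e = doc.createElementNS(ns, qname);
        if (text != null) e.setTextContent(text);
        parent.appendChild(e);
        return e;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        // Envelope, Header and Body; the Body gets a wsu:Id so the signature can reference it.
        Element env = doc.createElementNS(SOAP, "soap:Envelope");
        doc.appendChild(env);
        env.setAttributeNS(XMLNS, "xmlns:soap", SOAP);
        env.setAttributeNS(XMLNS, "xmlns:wsse", WSSE);
        env.setAttributeNS(XMLNS, "xmlns:wsu", WSU);
        Element header = child(doc, env, SOAP, "soap:Header", null);
        Element body = child(doc, env, SOAP, "soap:Body", null);
        body.setAttributeNS(WSU, "wsu:Id", "Body");
        Element op = child(doc, body, "urn:example:orders", "ord:getOrder", "order-42"); // constructed payload
        op.setAttributeNS(XMLNS, "xmlns:ord", "urn:example:orders");

        // <wsse:Security> with a UsernameToken: digest, nonce and timestamp instead of a clear password.
        Element security = child(doc, header, WSSE, "wsse:Security", null);
        Element token = child(doc, security, WSSE, "wsse:UsernameToken", null);
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = Instant.now().toString();
        child(doc, token, WSSE, "wsse:Username", "alice");
        Element pw = child(doc, token, WSSE, "wsse:Password", passwordDigest(nonce, created, "sample-password"));
        pw.setAttribute("Type", PW_DIGEST);
        child(doc, token, WSSE, "wsse:Nonce", Base64.getEncoder().encodeToString(nonce));
        child(doc, token, WSU, "wsu:Created", created);

        // Detached XML Signature over the Body, placed inside the Security header (message integrity).
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#Body", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                        (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throw-away key; a real sender uses its certificate's key
        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), security);
        signCtx.setIdAttributeNS(body, WSU, "Id");
        fac.newXMLSignature(si, null).sign(signCtx);

        // Receiver side: the signature verifies, and any change to the Body breaks it.
        System.out.println("valid before tampering: " + validate(doc, body, kp, fac));
        op.setTextContent("order-99");
        System.out.println("valid after tampering:  " + validate(doc, body, kp, fac));
    }

    /** Re-reads the Signature from the DOM and checks it against the sender's public key. */
    static boolean validate(Document doc, Element body, KeyPair kp, XMLSignatureFactory fac) throws Exception {
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        vc.setIdAttributeNS(body, WSU, "Id");
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }
}
```

Two points a receiver has to get right follow from the code. The PasswordDigest form only proves knowledge of the password if the receiver can recompute the digest, so it still needs the cleartext password (or an equivalent secret) on its side, and it must reject reused nonces and stale Created timestamps or the digest can simply be replayed. Likewise, the signature only covers what the Reference points at: here the Body, selected by its wsu:Id, so a receiver should check that the signed element really is the Body it goes on to process rather than trusting any element that happens to carry that Id.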

WS-Security

(slide contains only a figure)

WS-Policy

<SecurityToken>: what type, which issuer
<Integrity>: options for digital signature
<Confidentiality>: options for the encryption algorithm
<Visibility>: which portion of the message must remain unencrypted

Specifies how senders and receivers agree on security requirements and capabilities

WS-Trust

Defines a way to use SOAP to talk to a KDC, a CA or any other security token service
Uses the <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
The model for establishing both direct and brokered trust relationships

WS-Privacy

Defines the privacy policies, such as ACLs and delegation

WS-SecureConversation

Defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context

WS-Federation

Defines how to construct federated trust among different security token services

WS-Authorization

Describes how access policies for a web service are specified and managed

Where are we now?

Wireless Web Service

SOAP

Lightweight protocol
Exchanges structured information in a decentralized, distributed environment
Uses XML as the message framework
Interoperable among different systems

SOAP

(slide contains only a figure)

Why SOAP?

Provides rich data types (more than 40)
Supports various messaging schemes
Binds with other protocols/standards

Java APIs for XML

Document-oriented: JAXP, JAXB
Procedure-oriented: JAX-RPC, JAXM, JAXR

JAXP

Java APIs for XML Processing
XML parser
Supports XSLT
Includes a SAX parser (event-based) and a DOM parser (tree-based)
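To make the SAX-versus-DOM distinction concrete, here is an added example (not code from the slides or their author) that parses a constructed SOAP envelope once with each JAXP parser style. Since a web service parser reads messages from the network, both factories are hardened before parsing: secure processing is switched on, DOCTYPE declarations are refused and external entities are disabled. The `disallow-doctype-decl` feature is an Apache Xerces feature URI that the JDK's bundled parser honours; the other feature URIs are standard SAX ones.

```java
// Added example, not from the slides: the two JAXP parsing styles, SAX
// (event-based, streaming) and DOM (tree-based, in memory), applied to a
// constructed SOAP envelope. Both factories are hardened before parsing:
// secure processing on, DOCTYPE declarations rejected, external entities off.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.Attributes;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class JaxpDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    // Xerces feature honoured by the JDK's built-in parser: refuse any <!DOCTYPE ...>.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample request; in practice these are the bytes read from the transport.
    static final String SAMPLE =
        "<soap:Envelope xmlns:soap=\"" + SOAP + "\"><soap:Header/>"
      + "<soap:Body><getOrder xmlns=\"urn:example:orders\"><id>order-42</id></getOrder></soap:Body>"
      + "</soap:Envelope>";

    /** SAX: a single forward pass; the handler receives events and keeps only what it needs. */
    static List<String> saxElementNames(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        List<String> names = new ArrayList<>();
        spf.newSAXParser().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
            new DefaultHandler() {
                @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                    names.add("{" + uri + "}" + local);
                }
            });
        return names;
    }

    /** DOM: the whole document is materialised, so the Body can be navigated at random. */
    static String domOperationName(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        Element op = (Element) body.getFirstChild();
        return "{" + op.getNamespaceURI() + "}" + op.getLocalName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SAX events: " + saxElementNames(SAMPLE));
        System.out.println("DOM operation: " + domOperationName(SAMPLE));
        // A message that starts with a DTD is refused before any entity is processed.
        String withDtd = "<!DOCTYPE x [<!ENTITY e \"text\">]><x>&e;</x>";
        try {
            saxElementNames(withDtd);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The SAX path never holds more than the current event in memory, which is why the slides later pair it with small J2ME clients; the DOM path costs memory proportional to the message but lets code jump straight to the Body. The hardening lines are the same in both cases and belong in whatever factory a service reuses for every incoming message.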



JAXB

Java Architecture for XML Binding
Provides a mapping between XML documents and Java objects
Builds Java objects based on an XML Schema or DTD

JAXP vs JAXB

Use JAXB when you:
• Access data in memory but do not need tree manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data

JAXP vs JAXB

Use JAXP when you:
• Need flexibility in the way you access the data: either serially with SAX or randomly in memory with DOM
• Use the same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data


JAXM

Java API for XML Messaging

SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.

JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.


JAXR

Java API for XML Registries
Provides a convenient way to access standard business registries over the Internet.



JAX-RPC

Java API for XML-based RPC
A collection of procedures that can be called by a remote client over the Internet
Supports SOAP 1.2 and WSDL


What do you need for a J2ME Web Service?

Server side: Apache Axis (for SOAP parsing); a web service toolkit (e.g. WSDK)
Client side: kSOAP / JSR 172; Wireless Toolkit

kSOAP

A parser based on kXML
kSOAP 1.2 supports SOAP 1.2

JSR 172

Provides a subset of JAXP
Provides a subset of JAX-RPC
To be released in summer 2003

Wireless Web Service Security?

Just starting
Simple XML digital signatures can be done
Need to use third-party APIs
