Web Service and Security
Lilly Wang

Agenda
• Brief introduction to web services
• Web service security
• Wireless web services

Software Evolution
• Mainframe based
• Two-tier client/server
• Web-based N-tier client/server
• Web-centric, highly distributed systems

What is a web service?
• Self-contained
• Self-described (WSDL)
• Interoperable standard interfaces
• Dynamically discovered (UDDI)

Web Service Characteristics
• Openly accessible over the Internet
• Uses XML messages for communication
• Loosely-coupled architecture
• Involves one or more intermediaries
• Heterogeneous in implementation technologies
Business Point of View
(diagram: the Provider publishes to the Registry, the Requestor finds the service in the Registry, and the Requestor binds to the Provider)
Developer's Point of View
• How to achieve interoperability
• How to transport data
• How to achieve high performance
A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface.
Architecture
(diagram: a UDDI Registry holding WSDL; Requestor and Provider are each linked to the registry through WSDL, and to each other through SOAP)
SOAP
• Simple Object Access Protocol
• Originally used for RPC
• A high-level protocol that defines only the message structure and a few simple rules for message processing
• Data is packed inside a SOAP message for transport over the network
• http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

WSDL
• Web Service Description Language
• The service description component
• A specification for describing a service that is provided or searched for
• http://www.w3.org/TR/2001/NOTE-wsdl-20010315

UDDI
• Universal Description, Discovery and Integration
• A technical specification for a business registry
• Data stored in a standardized XML format
• APIs for searching
• The UDDI Business Registry is a fully operational implementation of the UDDI spec
• http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html
Types of Web Services
• Remote Procedure Call (RPC) type: call parameters and return values are serialized in SOAP messages; data types are supported by XML Schema.
• Document messaging (DOC) type: operates in asynchronous mode, similar to mailing-list robots; good for mobile.
Security Basics
• Authentication
• Access Control
• Authorization
• Data Integrity
• Non-repudiation

Basic Security Mechanisms
• Symmetric/Asymmetric Key Encryption
• Message Digest
• Message Authentication Codes (MAC)
• Digital Signature
• Digital Certificate
Web Service Security Technologies
• X.509 Certificate (RFC 2585)
• SSL/TLS (RFC 2246)
• Kerberos Tickets (RFC 1510)
• XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
• XML Encryption (http://www.aleksey.com/xmlsec/)
• XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)
Web Service Security Challenges
• SOAP messages can be sent over different transport applications or protocols
• There may be legitimate intermediaries that need to access part or all of a SOAP message
Point-to-Point Security
(diagram: Requester → Intermediary → Web Service, with a separate security context on each hop)

End-to-End Security
(diagram: Requester → Intermediary → Web Service, with a single security context spanning the whole path)
Proposed Security Specifications
Initial specifications:
• WS-Security
• WS-Policy
• WS-Trust
• WS-Privacy
Follow-on specifications:
• WS-SecureConversation
• WS-Federation
• WS-Authorization
WS-Security
• Is the foundation for all of the other specs
• Provides end-to-end message-level security for SOAP messages
• Defines a SOAP Header element to carry security-related data
• The SecurityToken is defined under the <Security> tag and contains <UsernameToken> and <BinarySecurityToken>
• Message integrity is provided by XML Signature together with security tokens
• Message confidentiality is provided by XML Encryption together with security tokens
WS-Policy
• Specifies how senders and receivers agree on security requirements and capabilities
• <SecurityToken> - what type, which issuer
• <Integrity> - options for digital signature
• <Confidentiality> - options for encryption algorithm
• <Visibility> - which portion of the message must be unencrypted

WS-Trust
• The model for establishing both direct and brokered trust relationships
• Defines a way to use SOAP to talk to a KDC, CA or any other security token service
• Uses the <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
• WS-Privacy – defines privacy policies, such as ACLs and delegation
• WS-SecureConversation – defines XML types and interactions that allow the establishment of a security context and the creation of keys specific to that context
• WS-Federation – defines how to construct federated trust among different security token services
• WS-Authorization – describes how access policies for a web service are specified and managed
SOAP
• Lightweight protocol
• Exchanges structured information in a decentralized, distributed environment
• Uses XML as the message framework
• Interoperable among different systems

Why SOAP?
• Provides rich data types (more than 40)
• Supports various messaging schemes
• Binds with other protocols/standards
Java APIs for XML
Document-oriented:
• JAXP
• JAXB
Procedure-oriented:
• JAX-RPC
• JAXM
• JAXR

JAXP
• Java APIs for XML Processing
• XML parser
• Supports XSLT
• Includes a SAX parser (event-based) and a DOM parser (tree-based)

JAXB
• Java Architecture for XML Binding
• Provides a mapping between XML documents and Java objects
• Builds Java objects based on an XML Schema/DTD
JAXP vs JAXB
Use JAXB when you:
• Access data in memory, but do not need tree manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data

JAXP vs JAXB
Use JAXP when you:
• Need flexibility in the way you access the data: either serially with SAX or randomly in memory with DOM
• Use the same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data
JAXM
• Java API for XML Messaging
• SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
• JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.

JAXR
• Java™ API for XML Registries
• Provides a convenient way to access standard business registries over the Internet

JAX-RPC
• Java™ API for XML-based RPC
• A collection of procedures that can be called by a remote client over the Internet
• Supports SOAP 1.2 and WSDL
What do you need for a J2ME Web Service?
Server side:
• Apache Axis (for SOAP parsing)
• Web service toolkit (e.g. WSDK)
Client side:
• kSOAP / JSR 172
• Wireless Toolkit

kSOAP
• A parser based on kXML
• kSOAP 1.2 supports SOAP 1.2

JSR 172
• Provides a subset of JAXP
• Provides a subset of JAX-RPC
• Will be released in summer 2003

Wireless Web Service Security?
• Has just started
• Simple XML digital signatures can be done
• Requires third-party APIs