Post on 11-Jan-2016
1
Web Service and Security
Lilly Wang
2
Agenda
Brief introduction to web service
Web service security
Wireless web service
3
Software Evolution
Mainframe based
Two-tier client server
Web-based n-tier client server
Web-centric highly distributed system
4
Web Service Basics
5
What is web service?
Self-contained
Self-described (WSDL)
Interoperable standard interfaces
Dynamically discovered (UDDI)
6
Web Service Characteristics
Openly accessible over the Internet
Use XML messages for communication
Loosely-coupled architecture
Involve one or more intermediaries
Heterogeneous in implementation technologies
7
Business Point of View
Diagram: the Provider publishes to the Registry, the Requestor finds the service in the Registry, and the Requestor then binds to the Provider.
8
Developer’s Point of View
How to achieve interoperability
How to transport data
How to achieve high performance
A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface
9
Architecture
Diagram: the Requestor locates the Provider through the Registry using UDDI, the Provider's interface is described in WSDL, and Requestor and Provider exchange SOAP messages.
10
SOAP
Simple Object Access Protocol
Originally used for RPC
High-level protocol that defines only the message structure and a few simple rules for message processing
Data are packed inside a SOAP message for transport over the network
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
11
WSDL
Web Service Description Language
Service description component
A specification for describing a service that is provided or being searched for
http://www.w3.org/TR/2001/NOTE-wsdl-20010315
12
UDDI
Universal Description, Discovery and Integration
A technical spec for a business registry
Data stored in standardized XML format
APIs for searching
UDDI Business Registry is a fully operational implementation of the UDDI spec
http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html
13
Types of Web services
Remote Procedure Call (RPC) type
Call parameters and return values are serialized in SOAP messages. Data types are supported by XML Schema.
Document messaging (DOC) type
Operates in asynchronous mode. Similar to mailing-list robots. Good for mobile.
14
Web Service Security
15
Security Basics
Authentication
Access Control
Authorization
Data Integrity
Non-repudiation
16
Basic Security Mechanism
Symmetric/Asymmetric Key Encryption
Message Digest
Message Authentication Codes (MAC)
Digital Signature
Digital Certificate
17
Web Service Security
Technologies
X.509 Certificate (RFC 2585)
SSL/TLS (RFC 2246)
Kerberos Tickets (RFC 1510)
XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
XML Encryption (http://www.aleksey.com/xmlsec/)
XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)
18
Web Service Security Challenges
SOAP messages can be sent using different transport applications or protocols
There could be legitimate intermediaries that might need to access a part or whole of SOAP messages
19
Point-to-Point Security
Diagram: Requester -> Intermediary -> Web Service, with a separate security context on each hop (one between Requester and Intermediary, another between Intermediary and Web Service).
20
End-to-End Security
Diagram: Requester -> Intermediary -> Web Service, with a single security context spanning the whole path from Requester to Web Service.
21
Proposed Security Specification
Initial Specifications
WS-Security
WS-Policy
WS-Trust
WS-Privacy
Follow-on Specifications
WS-SecureConversation
WS-Federation
WS-Authorization
22
WS-Security is the foundation for all of the other specs
Provides end-to-end message-level security for SOAP messages
Defines a SOAP Header element to carry security-related data
SecurityToken defined under the <Security> tag, containing <UsernameToken> and <BinarySecurityToken>
23
WS-Security
Message integrity is provided by XML Signature and security tokens
Message confidentiality is provided by XML Encryption with security tokens
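As an added example that is not part of the slides, the following Python model shows the <UsernameToken> carried in the WS-Security header described above: the requestor builds the wsse:Security header with a PasswordDigest, nonce and Created timestamp, and the provider recomputes the digest and rejects stale or replayed tokens. The namespace URIs and the digest rule come from the OASIS WS-Security UsernameToken Profile 1.0; the user name, password, body and timestamps are constructed sample values.

```python
# Added example, not from the slides: WS-Security UsernameToken with PasswordDigest.
# Digest rule per OASIS UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))
import base64, hashlib, hmac, secrets
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"
for p, u in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(p, u)

def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, body_xml, nonce_b64=None, created=None):
    """Requestor: wrap body_xml in a SOAP Envelope whose Header carries wsse:Security."""
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    created = created or datetime.now(timezone.utc).strftime(FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce_b64, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = nonce_b64
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def verify_token(envelope_xml, lookup_password, seen_nonces, now=None, max_skew_s=300):
    """Provider: recompute the digest; reject unknown users, wrong digests, Created
    outside the skew window, and replayed nonces. Returns the username or None."""
    tok = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
    fields = [tok.findtext(t) for t in (f"{{{WSSE}}}Username", f"{{{WSSE}}}Nonce",
              f"{{{WSU}}}Created", f"{{{WSSE}}}Password")] if tok is not None else [None]
    if None in fields:
        return None
    user, nonce, created, given = fields
    secret = lookup_password(user)
    now_dt = datetime.strptime(now or datetime.now(timezone.utc).strftime(FMT), FMT)
    if secret is None or abs((now_dt - datetime.strptime(created, FMT)).total_seconds()) > max_skew_s:
        return None
    if nonce in seen_nonces or not hmac.compare_digest(password_digest(nonce, created, secret), given):
        return None
    seen_nonces.add(nonce)  # remember the nonce so the same token cannot be replayed
    return user
```

A UsernameToken only authenticates the requester; nothing here covers the SOAP Body, which is why the slides pair security tokens with XML Signature for integrity and XML Encryption for confidentiality.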
24
WS-Security
25
WS-Policy
<SecurityToken> - what type, which issuer
<Integrity> - options for digital signature
<Confidentiality> - options for encryption algorithm
<Visibility> - Which portion of the message must be unencrypted
Specifies how senders and receivers agree on the security requirements and capabilities
26
WS-Trust
Defines a way to use SOAP to talk to a KDC, CA or any other security token service center
Use <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
The model for establishing both direct and brokered trust relationships
27
WS-Privacy – defines the privacy policies, such as ACL and delegation
WS-SecureConversation – defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context
28
WS-Federation – defines how to construct federated trust among different security token service centers
WS-Authorization – describes how access policies for a web service are specified and managed
29
Where are we now?
30
Wireless Web Service
31
SOAP
Lightweight protocol
Exchanges structured information in a decentralized, distributed environment
Uses XML as the message framework
Interoperable among different systems
32
SOAP
33
Why SOAP?
Provides rich data types (more than 40)
Supports various messaging schemes
Binds with other protocols/standards
34
Java APIs for XML
Document-oriented: JAXP, JAXB
Procedure-oriented: JAX-RPC, JAXM, JAXR
35
JAXP
Java APIs for XML Processing
XML parser
Supports XSLT
Includes a SAX parser (event-based) and a DOM parser (tree-based)
36
JAXB
Java Architecture for XML Binding
Provides mapping between XML documents and Java objects
Builds Java objects based on an XML Schema/DTD
37
JAXP vs JAXB: use JAXB when you
• Access data in memory, but do not need tree manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data.
38
JAXP vs JAXB: use JAXP when you
• Have flexibility with regard to the way you access the data: either serially with SAX or randomly in memory with DOM
• Use your same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data
39
JAXM
Java API for XML Messaging
SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.
40
JAXR
Java™ API for XML Registries
Provides a convenient way to access standard business registries over the Internet.
41
JAX-RPC
Java™ API for XML-based RPC
A collection of procedures that can be called by a remote client over the Internet
Supports SOAP 1.2 and WSDL
42
What do you need for a J2ME Web Service?
Server side: Apache Axis (for SOAP parsing), Web service toolkit (e.g. WSDK)
Client side: kSOAP / JSR 172, Wireless Toolkit
43
kSOAP
A parser based on kXML
kSOAP 1.2 supports SOAP 1.2
44
JSR 172
Provides a subset of JAXP
Provides a subset of JAX-RPC
Will be released in summer 2003
45
Wireless Web Service Security?
Just started
Simple XML digital signatures can be done
Need to use third-party APIs
46