Web Service Standards, Security & Management Chris Peiris .

Date post: 26-Dec-2015
Web Service Standards, Security & Management

Chris Peiris

www.ChrisPeiris.com

11 Oct 2006 © ChrisPeiris.com 2

Agenda

• Web Services Standards
    • OASIS
    • WS-I
• Web Service Security
• Web Service Management
• Future Enterprise SOA trends
    • Web 2.0, Ajax, SaaS

Where are we heading?

Web Services Standards

• SOA
    • Demo 1 – Real World SOA
• Many Vendors
    • IBM
    • SUN
    • Microsoft
    • BEA etc.
• How do they communicate with each other?
    • Standards!!

Web Services Standards

• Tale of “many vendors”
    • Do “it our way” – or else we cannot assist you!
• IBM, Sun & Microsoft were instrumental in creating the first drafts.
• Who owns the standards?
    • OASIS - Organization for the Advancement of Structured Information Standards.

OASIS

OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML).

OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards.

Implementing OASIS standards

• What do the OASIS standards try to address?
    • Interoperability
    • Common methodology
    • Increase efficiency
• Is there a specialized body that’s taken the responsibility of implementing these OASIS standards?

WS-I

• WS-I Interoperability
    • The Web Services-Interoperability Organization (WS-I) is an open industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages.
• WS-I Basic Profile
    • http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-04-16.html

WS-I Basic Profile

The WS-I Basic Profile defines an interoperable subset of the core Web services specifications, including XML Schema, SOAP 1.1, WSDL 1.1 and UDDI 2.0, by specifying refinements, interpretations, and clarifications of these specifications.

Basic Profile Specifications

• Simple Object Access Protocol (SOAP) 1.1.
• Extensible Markup Language (XML) 1.0 (Second Edition).
• RFC2616: Hypertext Transfer Protocol -- HTTP/1.1.
• RFC2965: HTTP State Management Mechanism.
• Web Services Description Language (WSDL) 1.1.
• XML Schema Part 1: Structures.
• XML Schema Part 2: Datatypes.
• The UDDI Version 2.04 API Published Specification, Dated 19 July 2002.
• UDDI Version 2.03 Data Structure Reference, Published Specification, Dated 19 July 2002.
• Version 2.0 UDDI XML Schema 2001.
• UDDI Version 2.03 Replication Specification, Published Specification, Dated 19 July 2002.
• Version 2.03 Replication XML Schema 2001.
• UDDI Version 2.03 XML Custody Schema.
• UDDI Version 2.01 Operator's Specification, Published Specification, Dated 19 July 2002

Web Service Specifications

Web services specifications compose together to provide interoperable protocols for Security, Reliable Messaging, and Transactions in loosely coupled systems. The specifications build on top of the core XML and SOAP standards.

Messaging Specifications

• SOAP
• WS-Addressing
• MTOM (Attachments)
• WS-Eventing
• WS-Transfer
• SOAP-over-UDP
• SOAP 1.1 Binding for MTOM 1.0

Agenda

• Web Services Standards
    • OASIS
    • WS-I
• Web Service Security
• Web Service Management
• Future Enterprise SOA trends
    • Web 2.0, Ajax, SaaS

Security Specifications

• WS-Security: SOAP Message Security
• WS-Security: UsernameToken Profile
• WS-Security: X.509 Certificate Token Profile
• WS-SecureConversation
• WS-SecurityPolicy
• WS-Trust
• WS-Federation
• WS-Security: Kerberos Binding
• Web Single Sign-On Interoperability Profile

Web Services Security

• OASIS Standard 1.1
• The following documents make up the WS-Security 1.1 OASIS standard:
    • WS-Security Core Specification 1.1
    • Username Token Profile 1.1
    • X.509 Token Profile 1.1
    • SAML Token profile 1.1
    • Kerberos Token Profile 1.1
    • Rights Expression Language (REL) Token Profile 1.1
    • SOAP with Attachments (SWA) Profile 1.1

What do they solve?

• Authentication
• Authorization
• Non-repudiation
    • Digital Signatures & Sign messages
• Data Integrity
    • Hashing
• How do they implement it?
    • Using Token
    • Multiple Implementations: SAML, Kerberos, Certificates
    • Custom tokens
    • Certificates are issued by ‘trusted’ vendors – RSA, Verisign
    • Kerberos tokens are used by the Windows Operating System to manage user credentials

Vendor Implementation of WS Security

• Microsoft
    • Web Services Enhancements
    • Windows Communication Framework
• IBM – SOAP Extensions to WebSphere
• BEA
• Sun Java
• Every major vendor has implemented WS Security in their programming stack
    • Demo 2 – Microsoft WS Security Implementation using WSE
• However, what is the standard way to exchange this WS Security information programmatically?
• Is there a preferable markup language that we can use?

What is SAML?

Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization

• Assertions: Declarations of one or more facts about a user (human or computer).
    • Authentication assertions require that the user prove his identity.
    • Attribute assertions contain specific details about the user, such as his credit line or citizenship.
    • The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
• Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP.
• Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
• Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.
• Implemented as tokens

WS Federation

Federated Security Model

Advantages of Federated Security Model

The flexibility of accepting one set of credentials from a user (i.e. a certificate presented by the client) and converting it to another set of credentials (i.e. a SAML token) can be utilized in many scenarios to add value for customers.

We also have the flexibility of altering our internal implementation (i.e. the client can provide a username/password pair to replace the certificate) while our external implementation of the claims does not change (i.e. the broker will still create the same SAML token from the username/password pair).
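
The broker behaviour described above, as an added example that is not part of the original slides: a hypothetical broker accepts either a certificate subject or a username/password pair and issues the same SAML attribute claims, which a relying party reads after checking the validity window. All names, credentials and the issuer URL are constructed; the assertion is unsigned and omits required fields such as ID, so it shows the claim flow only.

```python
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
Q = "{" + SAML + "}"          # ElementTree prefix for namespaced tag names
ET.register_namespace("saml", SAML)
# Constructed data for a hypothetical broker; none of it comes from the slides.
CERT_SUBJECTS = {"CN=alice,O=Example": "alice"}
PASSWORDS = {"alice": "correct horse"}
ATTRIBUTES = {"alice": {"citizenship": "AU", "creditLine": "5000"}}

def authenticate(kind, value):
    """Internal side: map either credential type to a user name, or None."""
    if kind == "x509":
        return CERT_SUBJECTS.get(value)
    if kind == "password":
        user, password = value
        ok = hmac.compare_digest(PASSWORDS.get(user, ""), password)
        return user if ok else None
    return None

def issue_assertion(kind, value, now):
    """External side: the same claims whichever credential was accepted."""
    user = authenticate(kind, value)
    if user is None:
        raise PermissionError("credential rejected")
    a = ET.Element(Q + "Assertion", Version="2.0", IssueInstant=now.isoformat())
    ET.SubElement(a, Q + "Issuer").text = "https://broker.example"
    subject = ET.SubElement(a, Q + "Subject")
    ET.SubElement(subject, Q + "NameID").text = user
    ET.SubElement(a, Q + "Conditions", NotBefore=now.isoformat(),
                  NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
    ET.SubElement(a, Q + "AuthnStatement", AuthnInstant=now.isoformat())
    attrs = ET.SubElement(a, Q + "AttributeStatement")
    for name, val in sorted(ATTRIBUTES[user].items()):
        attr = ET.SubElement(attrs, Q + "Attribute", Name=name)
        ET.SubElement(attr, Q + "AttributeValue").text = val
    return ET.tostring(a, encoding="unicode")

def read_claims(xml_text, now):
    """Relying party: enforce the validity window (signature check omitted here)."""
    a = ET.fromstring(xml_text)
    cond = a.find(Q + "Conditions")
    start, end = (datetime.fromisoformat(cond.get(k))
                  for k in ("NotBefore", "NotOnOrAfter"))
    if not start <= now < end:
        raise ValueError("assertion outside its validity window")
    claims = {"subject": a.findtext(Q + "Subject/" + Q + "NameID")}
    for attr in a.iter(Q + "Attribute"):
        claims[attr.get("Name")] = attr.findtext(Q + "AttributeValue")
    return claims
```

A deployed relying party verifies the broker's XML signature and parses with a hardened XML parser before trusting any claim.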

More Specifications

• Reliable Messaging Specifications
    • WS-ReliableMessaging
• Transaction Specifications
    • WS-Coordination
    • WS-AtomicTransaction
    • WS-BusinessActivity

Agenda

• Web Services Standards
    • OASIS
    • WS-I
• Web Service Security
• Web Service Management
• Future Enterprise SOA trends
    • Web 2.0, Ajax, SaaS

Web Services Management

“Web services enable heterogeneous software environments to share data to facilitate business needs. They support open standards (XML, SOAP, WSDL, UDDI) that will enable a "common communication platform" between distributed business partners.

Web services can be built on many software platforms. (Microsoft, Java, IBM). All implementations focus on the "creation" and the "consumption" of web services.

However, the concept of "managing the web service" is not explored in detail.

Web Service Management

Is there a framework to provide guidance to manage web services architecture?

Demo 3

Is there a unified set of principles that can be used with heterogeneous technologies to manage web services on multiple software platforms?

Will WS-Management answer these questions? Can an agent framework be utilized to manage web services features – for example ‘security’?”

Web Service Management Specifications

• Management Specifications
    • WS-Management
    • WS-Management Catalog
• Business Process Specifications
    • BPEL4WS (Business Process Execution Language for Web Services Specification)
• Demo 4 – Managing SOA apps

Agenda

• Web Services Standards
    • OASIS
    • WS-I
• Web Service Security
• Web Service Management
• Future Enterprise SOA trends
    • Web 2.0, Ajax, SaaS

Future SOA Trends

• Rich UI Platforms / Smart Clients
    • Ajax / Atlas
• Web 2.0
    • Demo 5
• SaaS (Software as a Service)
    • Not a product – but a service!
    • Why – more allocation of cost / more control over cost centers
• Infrastructure as a Service
    • Demo 6
