Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | cecilia-robbins |
View: | 219 times |
Download: | 6 times |
Web Service Standards, Security & Management
Chris Peiris
www.ChrisPeiris.com
11 Oct 2006 © ChrisPeiris.com 2
Agenda
Web Services Standards OASIS WS-I
Web Service Security Web Service Management Future Enterprise SOA trends
Web 2.0, Ajax, SaaS
11 Oct 2006 © ChrisPeiris.com 3
Where are we heading?
11 Oct 2006 © ChrisPeiris.com 4
Web Services Standards
SOA Demo 1 – Real World SOA Many Vendors
IBM SUN Microsoft BEA etc..
How do they communicate with each other? Standards!!
11 Oct 2006 © ChrisPeiris.com 5
Web Services Standards
Tale of “many vendors” Do “it our way” – or else we can not assist you!
IBM, Sun & Microsoft was instrumental in creating the first drafts.
Who owns the standards? OASIS - Organization for the
Advancement of Structured Information Standards.
11 Oct 2006 © ChrisPeiris.com 6
OASIS
OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML).
OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards.
11 Oct 2006 © ChrisPeiris.com 7
Implementing OASIS standards
What does the OASIS standards try to address? Interoperability Common methodology Increase efficiency
Is there a specialized body that’s taken the responsibility of implementing these OASIS standards?
11 Oct 2006 © ChrisPeiris.com 8
WS-I
WS-I Interoperability The Web Services-Interoperability
Organization (WS-I) is an open, industry organization-chartered to promote Web services interoperability across platforms, operating systems, and programming languages.
WS- Basic Profile http://www.ws-i.org/Profiles/BasicProfile-1.0-
2004-04-16.html
11 Oct 2006 © ChrisPeiris.com 9
WS-I Basic Profile
The WS-I Basic Profile defines an interoperable subset of the core Web services specifications, including XML Schema, SOAP 1.1 WSDL 1.1 UDDI 2.0,
by specifying refinements, interpretations, and clarifications of these specifications.
11 Oct 2006 © ChrisPeiris.com 10
Basic Profile Specifications
Simple Object Access Protocol (SOAP) 1.1. Extensible Markup Language (XML) 1.0 (Second Edition). RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. RFC2965: HTTP State Management Mechanism. Web Services Description Language (WSDL) 1.1. XML Schema Part 1: Structures. XML Schema Part 2: Datatypes. The UDDI Version 2.04 API Published Specification, Dated 19 July 2002. UDDI Version 2.03 Data Structure Reference, Published Specification, Dated 19 July
2002. Version 2.0 UDDI XML Schema 2001. UDDI Version 2.03 Replication Specification, Published Specification, Dated 19 July
2002. Version 2.03 Replication XML Schema 2001. UDDI Version 2.03 XML Custody Schema. UDDI Version 2.01Operator's Specification, Published Specification, Dated 19 July 2002
11 Oct 2006 © ChrisPeiris.com 11
Web Service Specifications
Web services specifications compose together to provide interoperable protocols for Security, Reliable Messaging, and Transactions in loosely coupled systems. The specifications
build on top of the core XML and SOAP standards.
11 Oct 2006 © ChrisPeiris.com 12
Messaging Specifications
SOAP WS-Addressing MTOM (Attachments) WS-Eventing WS-Transfer SOAP-over-UDPSOAP 1.1 Binding for MTOM 1.0
11 Oct 2006 © ChrisPeiris.com 13
Agenda
Web Services Standards OASIS WS-I
Web Service Security Web Service Management Future Enterprise SOA trends
Web 2.0, Ajax, SaaS
11 Oct 2006 © ChrisPeiris.com 14
Security Specifications
WS-Security: SOAP Message Security WS-Security: UsernameToken ProfileWS-Security: X.509 Certificate Token Profile WS-SecureConversation WS-SecurityPolicy WS-Trust WS-Federation WS-Security: Kerberos BindingWeb Single Sign-On Interoperability Profile
11 Oct 2006 © ChrisPeiris.com 15
Web Services Security
OASIS Standard 1.1 The following documents make up the WS-
Security 1.1 OASIS standard.. WS-Security Core Specification 1.1 Username Token Profile 1.1 X.509 Token Profile 1.1 SAML Token profile 1.1 Kerberos Token Profile 1.1 Rights Expression Language (REL) Token Profil
e 1.1 SOAP with Attachments (SWA) Profile 1.1
11 Oct 2006 © ChrisPeiris.com 16
What do they solve?
Authentication Authorization Non – repudiation
Digital Signatures & Sign messages Data Integrity
Hashing How do they implement it?
Using Token Multiple Implementations : SAML, Kerberos, Certificates
Custom tokens Certificates are issued by ‘trusted’ vendors – RSA, Verisign Kerberos token are used by Windows Operating System
manage user credentials
11 Oct 2006 © ChrisPeiris.com 17
Vendor Implementation of WS Security Microsoft
Web Services Enhancements Windows Communication Framework
IBM – Soap Extensions to Web Sphere BEA Sun Java Every major vendor has implemented WS Security
to their programming stack Demo 2 – Microsoft WS Security Implementation
using WSE However, what is the standard way to exchange
these WS Security information programmatically? Is there a preferable markup language that we can use?
11 Oct 2006 © ChrisPeiris.com 18
What is SAML?
Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization • Assertions:
Declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship.
The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP.
Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.
Implemented as tokens
11 Oct 2006 © ChrisPeiris.com 19
WS Federation
Federated Security Model
11 Oct 2006 © ChrisPeiris.com 20
Advantages of Federated Security Model
The flexibility of proving one set of credentials to a user (i.e. Certificate by the client) and converting it to another set of credentials (i.e. SAML token) can be utilized in many scenarios to add value to the customers.
We also have the flexibility of altering our internal (i.e. The client can provide username password pair to replace the certificate) but our external implementation of the claims will not be changed. (i.e. The broker will still create the same SAML token with the username password pair).
11 Oct 2006 © ChrisPeiris.com 21
More Specifications
Reliable Messaging SpecificationsWS-ReliableMessaging
Transaction SpecificationsWS-Coordination WS-AtomicTransaction WS-BusinessActivity
11 Oct 2006 © ChrisPeiris.com 22
Agenda
Web Services Standards OASIS WS-I
Web Service Security Web Service Management Future Enterprise SOA trends
Web 2.0, Ajax, SaaS
11 Oct 2006 © ChrisPeiris.com 23
Web Services Management
“Web services enables heterogeneous software environment to share data to facilitate business needs. They support open standards (XML, SOAP, WSDL, UDDI) that will enable a "common communication platform" between distributed business partners.
Web services can be built on many software platforms. (Microsoft, Java, IBM). All implementations focus on the "creation" and the "consumption" of web services.
However, the concept of "managing the web service" is not explored in detail.
11 Oct 2006 © ChrisPeiris.com 24
Web Service Management
Is there a framework to provide guidance to manage web services architecture? Demo 3
Is there a unified set of principals that can be used with heterogeneous technologies to manage web services on multiple software platforms?
Will WS-Management answer these questions? Can an agent framework be utilized to mange web services features – for example ‘security’?”
11 Oct 2006 © ChrisPeiris.com 25
Web Service Management Specifications
Management Specifications WS-ManagementWS-Management Catalog
Business Process SpecificationsBPEL4WS (Business Process Execution Language for Web Services Specification)
Demo 4 – Managing SOA apps
11 Oct 2006 © ChrisPeiris.com 26
Agenda
Web Services Standards OASIS WS-I
Web Service Security Web Service Management Future Enterprise SOA trends
Web 2.0, Ajax, SaaS
11 Oct 2006 © ChrisPeiris.com 27
Future SOA Trends
Rich UI Platforms / Smart Clients Ajax / Atlas
Web 2.0 Demo 5
Saas (Software as a Service) Not a product – but a service!
Why – more allocation of cost / more control over cost centers
Infrastructure as a Service Demo 6