Transcript Lecture 15 - The University of Texas at Dallas

Trustworthy
Semantic Webs
Lecture #16: Web Services and Security
Dr. Bhavani Thuraisingham
October 2006
4/8/2016 17:55
16-2
Outline
0 Web Services
0 Service Oriented Architectures
0 Web Services Description Language
0 UDDI
0 SOAP
0 WSDL with XML
0 Security
0 OASIS
0 Federated identity
0 Directions
0 http://www.service-architecture.com/articles/index.html
4/8/2016 17:55
16-3
Web Services Definition
0 Web Services refers to the technologies that allow for making
0
0
0
0
connections.
Services are what you connect together using Web Services.
A service is the endpoint of a connection.
Also, a service has some type of underlying computer system
that supports the connection offered.
The combination of services - internal and external to an
organization - make up a service-oriented architecture.
4/8/2016 17:55
16-4
Service Oriented Architectures (SOA)
0 A service-oriented architecture is essentially a collection of services.
0 These services communicate with each other.
0 The communication can involve either simple data passing or it
could involve two or more services coordinating some activity. Some
means of connecting services to each other is needed.
0 Service-oriented architectures are not a new thing. The first service-
oriented architecture for many people in the past was with the use
DCOM or Object Request Brokers (ORBs) based on the CORBA
specification.
0 If a service-oriented architecture is to be effective, we need a clear
understanding of the term service.
0 A service is a function that is well-defined, self-contained, and does
not depend on the context or state of other services
4/8/2016 17:55
16-5
Service Oriented Architectures
0 The technology of web services is the most likely connection
0
0
0
0
0
technology of service-oriented architectures.
Web services essentially use XML Technology create a robust
connection.
A service consumer sends a service request message to a
service provider
The service provider returns a response message to the
service consumer.
The request and subsequent response connections are
defined in some way that is understandable to both the
service consumer and service provider.
A service provider can also be a service consumer.
4/8/2016 17:55
16-6
Web Services Description Language
0 The Web Services Description Language (WSDL) forms the basis for
Web Services. The steps involved in providing and consuming a
service are:
- A service provider describes its service using WSDL. This definition is
published to a directory of services. The directory could use Universal
Description, Discovery, and Integration (UDDI). Other forms of
directories can also be used.
- A service consumer issues one or more queries to the directory to locate
a service and determine how to communicate with that service.
- Part of the WSDL provided by the service provider is passed to the
service consumer. This tells the service consumer what the requests
and responses are for the service provider.
- The service consumer uses the WSDL to send a request to the service
provider.
- The service provider provides the expected response to the service
consumer.
4/8/2016 17:55
16-7
UDDI
0 The UDDI registry is intended to eventually serve as a means
of "discovering" Web Services described using WSDL .
0 The idea is that the UDDI registry can be searched in various
ways to obtain contact information and the Web Services
available for various organizations.
0 UDDI registry is a way to keep up-to-date on the Web Services
your organization currently uses
0 Alternative to UDDI is ebXML Directory
4/8/2016 17:55
16-8
SOAP
0 All the messages are sent using SOAP. (SOAP at one time
0
0
0
0
stood for Simple Object Access Protocol; Now, the letters in
the acronym have no particular meaning .)
SOAP essentially provides the envelope for sending the Web
Services messages.
SOAP generally uses HTTP , but other means of connection
may be used.
HTTP is the familiar connection we all use for the Internet.
It is the pervasiveness of HTTP connections that will help
drive the adoption of Web Services.
4/8/2016 17:55
16-9
WDSL with XML
0 WSDL uses XML to define messages.
0 XML has a tagged message format.
0 Both the service provider and service consumer use these
tags.
0 In fact, the service provider could send the data in any order.
0 The service consumer uses the tags and not the order of the
data to get the data values.
4/8/2016 17:55
16-10
Security
0 Security and authorization is a important topic with Web
Services.
0 In fact, security and authorization specifications are currently
in flux. This is often the reason cited for not proceeding with
any work related to Web Services. Therefore, we need
experimentation.
0 Much can be done without having the specifications
complete. Nearly all organizations should be able to find
some areas to experiment with Web Services that have low
requirements for security and authorization.
4/8/2016 17:55
16-11
Security
0 Security and authorization specifications include:
-
eXtensible Access Control Markup Language (XACML)
eXtensible Rights Markup Language (XrML)
Security Assertion Markup Language (SAML)
Service Protection Markup Language (SPML)
Web Services Security (WSS)
XML Common Biometric Format (XCBF)
XML Key Management Specification (XKMS)
4/8/2016 17:55
16-12
Security
0 Firewalls
- Specialized XML firewalls offer the promise of protecting
internal systems when using Web Services.
- Traditional firewalls offer protection at the packet level
and do not examine the contents of messages.
- XML firewalls, on the other hand, examine the contents of
messages. This includes the SOAP headers and the XML
content.
- They are designed to permit authorized content to pass
through the firewall.
4/8/2016 17:55
16-13
Security: Examples XACML, SAML, WSS
0 XACML (OASIS Spec)
- eXtensible Access Control Markup Language (XACML) provides
fine grained control of authorized activities, the effect of
characteristics of the access requestor, the protocol over which
the request is made, authorization based on classes of activities,
and content introspection.
0 SAML (OASIS Spec)
- It is an XML framework for exchanging authentication and
authorization information. It is used with WSS
0 WSS (OASIS Spec)
- It describes enhancements to SOAP messaging in order to
provide quality of protection through message integrity, and
single message authentication. These mechanisms can be used
to accommodate a wide variety of security models and
encryption technologies.
4/8/2016 17:55
16-14
OASIS
0 Organization for the Advancement of Structured Information
Standards (OASIS)
0 OASIS is a not-for-profit, global consortium that drives the
development, convergence, and adoption of e-business standards.
0 Members themselves set the OASIS technical agenda, using a
lightweight, open process expressly designed to promote industry
consensus and unite disparate efforts.
0 OASIS produces worldwide standards for security, Web Services,
XML conformance, business transactions, electronic publishing,
topic maps, and interoperability within and between marketplaces.
OASIS also hosts XML.org, which provides information about the
application of XML, and The Cover Pages which is a reference
collection supporting the SGML/XML family of markup language
standards and their application.
4/8/2016 17:55
16-15
Federated Identity
0 Federated identity allows users to link identity information
between accounts without centrally storing personal
information.
0 Also, users can control when and how their accounts and
attributes are linked and shared between domains and
Service Providers, allowing for greater control over their
personal data.
0 In practice, this means that users can be authenticated by one
company or Web site and be recognized and delivered
personalized content and services in other locations without
having to re-authenticate or sign on with a separate username
and password.
0 Standards include Identity Web Services Framework (I-WSF)
4/8/2016 17:55
16-16
Directions
0 Security for Web Services and Service Oriented Architectures
0 Confidentiality, Privacy and Trust Management for SOA
0 Model, Policy Language, Risk Analysis and Economics