Transcript Slide 1
Using WS-I to Build
Secure Applications
Anthony Nadalin
Web Services Interoperability
Organization (WS-I)
Copyright 2008, WS-I, Inc. All rights reserved
Agenda
Introduction to WS-I
Value proposition, goals and deliverables
What is a profile? Philosophy of a profile
WS-I profiles and technical highlights
Building Secure Applications
WS-I
An open industry effort
Chartered to advance Web services interoperability across
platforms, applications and programming languages
Broad participation
Users, software vendors, consultants, industry
organizations, etc.
Establish best practices for achieving interoperability
Based on existing and broadly supported standards
Cooperate with standards development organizations
Consume standards, address industry organization
requirements
WS-I: Goals
• Achieve Web services interoperability
Provide a visible representation of conformance for a
selected set of composable standards
• Accelerate Web services deployment
Offer implementation guidance and Best Practices
Deliver tools and sample applications
Provide an implementer’s forum where developers can
collaborate
• Encourage Web services adoption
Provide a forum for end users to communicate requirements
Raise awareness of customer business requirements
WS-I: Deliverables
Profiles
Defined set of specifications or standards at specific version
levels
Guidelines and conventions for using these specifications
together in ways that ensure interoperability
Sample applications
Use cases and usage scenarios based on customer
requirements
Sample code and applications built in multiple environments
Demonstrate profile-based interoperability
Test tools and supporting materials
Tools that test profile implementations for conformance with
the profiles
Supporting documentation and white papers
WS-I: Delivered to Date
Final Material
Basic Profile 1.0 and 1.1, Basic Security Profile 1.0,
Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0
Sample Application Implementations 1.0
Testing Tools 1.0
Security Challenges, Threats and Countermeasures
Draft Material
Basic Security Profile 1.1
REL and SAML Token Profiles 1.0
Testing Tools for the Basic Security Profile and Attachments
Profile
What is a Profile?
Named set of Web services specifications
Base specifications are normative
Profiles add constraints and guidance as to their
interoperable usage, based upon implementation
experience
Organized around base specification
Philosophy of a Profile
No guarantee of interoperability
Does not address application semantics
Focus on testable requirements
Makes strong requirements
MUST vs. SHOULD
Never relaxes requirements
• Chooses among multiple mechanisms
• Focus on interoperability
• Conformance on measurable targets
MESSAGE, DESCRIPTION, etc.
• Addresses issues at application layer
Basic Profile 1.0 & 1.1
More than 200 interoperability issues resolved
Reference specifications and standards include:
SOAP 1.1
WSDL 1.1
UDDI 2.0
XML Schema
XML 1.0 (Second Edition)
HTTP 1.1
SSL 3.0
Other supporting referenced specifications and
standards
Next Steps
• WS-I has received ISO PAS Submitter status
(PAS = Publicly Available Specification)
• Basic Profile 1.1, Simple SOAP Binding 1.0 and Attachments 1.0 have been
submitted to ISO (Aug 2006)
Basic Security Profile 1.x
• Security Challenges, Threats and
Countermeasures (SCTC)
– Identify security challenges
• Peer identification and authentication
• Data origin identification and authentication
• Data integrity and confidentiality
• Non-repudiation
– Identify threats
– Identify countermeasures
• SSL/TLS, HTTP Basic, Digest and X.509 certificate authentication
• SOAP Message Security (WS-Security)
• Usage scenarios defined
• BSP 1.1 underway
• Implementations widely available today
Developing Web Services
Using WS-I Profiles & Materials
• These next charts provide information you
can use to develop/deploy Web services
using the WS-I materials
Developing Web Services
Using WS-I Profiles & Materials
• Do not use SOAP encoding
• Use only rpc- and document-literal styles
• Use the SOAP/HTTP binding
– Other bindings out of scope, but may be used
– However, interoperability issues may be encountered
• Be sure that your tools use the WS-I WSDL schemas
• Do not use wsdl:import to import XSD files
– URI MUST point to a WSDL file (e.g. foo.wsdl)
• Do not use xs:import to import a schema from a WSDL file
– URI MUST point to a schema document (e.g. foo.xsd)
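The WSDL rules on this slide (no SOAP encoding, wsdl:import only for WSDL documents, xs:import only for schema documents) can be checked mechanically. The following is an added example, not WS-I's testing tool or any code from the deck; it assumes that a .wsdl/.xsd file extension is a good enough proxy for the document type, and the two WSDL documents it checks are constructed for illustration.

```python
# Lint a WSDL against the Basic Profile rules above (added example, not WS-I's tool).
# The .wsdl/.xsd extension test is a heuristic assumption; the real rule is about
# the type of document the URI resolves to.
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"
XSD = "http://www.w3.org/2001/XMLSchema"

def lint_wsdl(wsdl_text: str) -> list[str]:
    """Return the Basic Profile violations found in the WSDL text (empty if none)."""
    root = ET.fromstring(wsdl_text)
    findings = []
    # wsdl:import must bring in another WSDL document, never a bare XSD file
    for imp in root.iter(f"{{{WSDL}}}import"):
        loc = imp.get("location", "")
        if not loc.lower().endswith(".wsdl"):
            findings.append(f"wsdl:import location '{loc}' is not a WSDL file")
    # xs:import (inside wsdl:types) must reference a schema document, not a WSDL
    for imp in root.iter(f"{{{XSD}}}import"):
        loc = imp.get("schemaLocation", "")
        if loc.lower().endswith(".wsdl"):
            findings.append(f"xs:import schemaLocation '{loc}' points at a WSDL")
    # SOAP encoding is forbidden: every soap:body and soap:header must be literal
    for tag in ("body", "header"):
        for el in root.iter(f"{{{SOAP}}}{tag}"):
            if el.get("use", "literal") != "literal":
                findings.append(f"soap:{tag} uses SOAP encoding (use='{el.get('use')}')")
    return findings

# Constructed sample: rpc/encoded WSDL that pulls in its XSD through wsdl:import.
BAD_WSDL = f"""<definitions xmlns="{WSDL}" xmlns:soap="{SOAP}" targetNamespace="urn:example:bad">
  <import namespace="urn:example:types" location="types.xsd"/>
  <binding name="B" type="tns:P" xmlns:tns="urn:example:bad">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="op"><input><soap:body use="encoded"
      encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input></operation>
  </binding>
</definitions>"""

# Constructed sample: the conforming form, document/literal with xs:import in wsdl:types.
GOOD_WSDL = f"""<definitions xmlns="{WSDL}" xmlns:soap="{SOAP}" xmlns:xs="{XSD}" targetNamespace="urn:example:good">
  <types><xs:schema><xs:import namespace="urn:example:types" schemaLocation="types.xsd"/></xs:schema></types>
  <binding name="B" type="tns:P" xmlns:tns="urn:example:good">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="op"><input><soap:body use="literal"/></input></operation>
  </binding>
</definitions>"""
```

lint_wsdl(BAD_WSDL) reports the wsdl:import of an .xsd file and the encoded soap:body; lint_wsdl(GOOD_WSDL) returns an empty list.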
Developing Web Services
Using WS-I Profiles & Materials
• Adopt WS-I Conformance as an architectural policy for
deployed Web services, especially those exposed to the
extranet
• Use your IDE to validate WS-I Profile conformance
• If it doesn’t provide this, use the WS-I tools
• Set your IDE’s WS-I conformance preferences
• If there is no preference option for this, ask why not!
• Use WS-I Usage Scenarios to design your interactions
• Use the WS-I Sample Applications as templates for your
services
Conformance
Web service instance and artifacts only
Not conformance of runtimes or development tools
Conformance is based on profile specification
Must be capable of passing WS-I Testing Tools
Best indicator of conformance with profile(s)
Tools do not cover all requirements
Self-certification process
Claimant tests instance and artifacts
Others can run test tools to verify claim
Resolve conformance bugs through usual update
process
Leverage WS-I Usage Scenarios
One-way messaging
Fire and forget
No SOAP response
Synchronous message exchange
Blocking Web services invocation
SOAP request/response
Basic callback
Asynchronous call
Pair of SOAP requests/responses
Application-level message correlation
Web Services – a Simple View
(layered stack diagram, top to bottom)
Business Processes: Business Process Execution Language for Web Services (BPEL4WS)
Quality of Service: Reliability, Transactions, Management, Security
Description: Web Services Description Language (WSDL)
Messaging: Simple Object Access Protocol (SOAP)
Extensible Markup Language (XML)
Other Protocols, Other Services
Web Services and SOA Security
(layered stack diagram, top to bottom)
Business Processes: Business Process Execution Language
Quality of Service: WS-Coordination, WS-Transactions, WS-Security, WS-Reliable Messaging, WS-Policy
Description and Discovery: UDDI, WSDL
Messaging and Encoding: SOAP, SOAP Attachments, XML, XML Infoset
Transports
Other protocols, Other services
Security detail: OASIS Secure eXchange TC (WS-Secure Conversation, WS-Security Policy, WS-Trust); Transport; OASIS 1.0 WS-Security (framework); SAML
WS-Security token profiles: Kerberos profile, X.509 profile, REL profile, Liberty Mobile profile, Username profile, SAML profile
BSP Working Group
• Chartered in March, 2003
• Three initial deliverables
– Basic Security Profile 1.0, Final Material March 30,
2007
– Basic Security Profile 1.1, Working Group Approval
Draft February 2007
– Security Scenarios
• Based on Basic Profile 1.0 and the following technologies:
– HTTP over TLS
– SOAP with Attachments
– WS-Security and X.509, Username and Kerberos tokens