Web Service and Security
Lilly Wang
Agenda
Brief introduction to web service
Web service security
Wireless web service
Software Evolution
Main frame based
Two-Tier Client Server
Web-based N-tier Client Server
Web centric highly distributed system
Web Service Basics
What is web service?
Self-contained
Self-described (WSDL)
Interoperable standard interfaces
Dynamically discovered (UDDI)
Web Service Characteristics
Openly accessible over Internet
Use XML messages for communication
Loosely-coupled architecture
Involve one or more intermediaries
Heterogeneous in implementation technologies
Business Point of View
Diagram: the Provider publishes its service description to the Registry; the Requestor finds the service in the Registry; the Requestor then binds to the Provider
Developer’s Point of View
How to achieve interoperability
How to transport data
How to achieve high performance
A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface
Architecture
Diagram: WSDL links the UDDI Registry to both the Requestor and the Provider; SOAP links the Requestor to the Provider
SOAP
Simple Object Access Protocol
Originally used for RPC
High-level protocol that defines only the message structure and a few simple rules for message processing
Data is packed inside a SOAP message for transport over the network
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
WSDL
Web Service Description Language
Service description component
A specification for describing a service that is provided or being searched for
http://www.w3.org/TR/2001/NOTE-wsdl20010315
UDDI
Universal Description, Discovery and Integration
A technical spec for a business registry
Data stored in standardized XML format
APIs for searching
The UDDI Business Registry is a fully operational implementation of the UDDI spec
http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html
Types of Web services
Remote Procedure Call (RPC) type
Call parameters and return values are serialized in SOAP messages. Data types are supported by XML Schema.
Document messaging (DOC) type
Operates in asynchronous mode. Similar to mailing-list robots. Good for mobile.
Web Service Security
Security Basics
Authentication
Access Control
Authorization
Data Integrity
Non-repudiation
Basic Security Mechanism
Symmetric/Asymmetric Key Encryption
Message Digest
Message Authentication Codes (MAC)
Digital Signature
Digital Certificate
Web Service Security Technologies
X.509 Certificate (RFC 2585)
SSL/TLS (RFC 2246)
Kerberos Tickets (RFC 1510)
XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
XML Encryption (http://www.aleksey.com/xmlsec/)
XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)
Web Service Security Challenges
SOAP messages can be sent using different transport applications or protocols
There could be legitimate intermediaries that might need to access a part or the whole of SOAP messages
Point-to-Point Security
Diagram: two separate security contexts, one between the Requester and the Intermediary and another between the Intermediary and the Web Service
End-to-End Security
Diagram: a single security context spanning the Requester, the Intermediary and the Web Service
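The end-to-end property above, shown as an added example that is not from the slides: the requester signs the SOAP Body, a legitimate intermediary adds its own routing header, and the web service verifies the Body unchanged. A keyed HMAC over the canonicalised Body stands in for XML Signature; the shared key, the demo namespace urn:example:demo, and the sample bank request are all constructed for the demo.

```python
# Added example (not from the slides): message-level integrity that survives a
# SOAP intermediary. A keyed MAC over the canonicalised <Body> stands in for an
# XML Signature; the key is assumed to come from a security token both ends hold.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO = "urn:example:demo"   # hypothetical namespace for the demo header elements
BANK = "urn:example:bank"   # hypothetical namespace for the sample request
ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("demo", DEMO)

# Constructed sample request: a transfer the end service must see unmodified.
ORIGINAL_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/>"
    '<soapenv:Body><b:Transfer xmlns:b="urn:example:bank">'
    "<b:To>acct-42</b:To><b:Amount>10</b:Amount>"
    "</b:Transfer></soapenv:Body></soapenv:Envelope>"
)


def canonical_body(envelope_xml: str) -> bytes:
    """Serialise only the Body subtree in Canonical XML form, so that changes
    elsewhere in the envelope (new headers, re-serialisation by a hop) do not
    change the bytes that are signed."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("envelope has no Body")
    return ET.canonicalize(
        ET.tostring(body, encoding="unicode"),
        strip_text=True, rewrite_prefixes=True,
    ).encode()


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Requester: attach a MAC of the Body in a header element."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_ENV}}}Header")
        root.insert(0, header)
    mac = hmac.new(key, canonical_body(envelope_xml), hashlib.sha256).digest()
    ET.SubElement(header, f"{{{DEMO}}}BodySignature").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify_body(envelope_xml: str, key: bytes) -> bool:
    """Web service: accept the Body only if the end-to-end MAC still matches."""
    root = ET.fromstring(envelope_xml)
    sig = root.findtext(f"{{{SOAP_ENV}}}Header/{{{DEMO}}}BodySignature")
    if not sig:
        return False
    try:
        presented = base64.b64decode(sig, validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, canonical_body(envelope_xml), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


def intermediary_route(envelope_xml: str) -> str:
    """Legitimate intermediary: adds its own routing header, leaves the Body alone."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    ET.SubElement(header, f"{{{DEMO}}}Via").text = "gateway-1"
    return ET.tostring(root, encoding="unicode")


def rewrite_amount(envelope_xml: str, amount: str) -> str:
    """Simulated hop that alters the Body; used only to show the check failing."""
    root = ET.fromstring(envelope_xml)
    path = f"{{{SOAP_ENV}}}Body/{{{BANK}}}Transfer/{{{BANK}}}Amount"
    root.find(path).text = amount
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    routed = intermediary_route(sign_body(ORIGINAL_REQUEST, key))
    print("after intermediary:", verify_body(routed, key))                    # True
    print("after Body rewrite:", verify_body(rewrite_amount(routed, "1000"), key))  # False
```

Transport security (SSL/TLS) only protects each hop, so once an intermediary has decrypted a message it could alter the Body without the endpoint noticing; binding the Body to the requester's key at the message level is what makes the check hold across any number of hops. WS-Security achieves this with XML Signature over a canonical form of the signed parts, which is why the example canonicalises the Body before computing the MAC.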
Proposed Security Specification
Initial Specifications
WS-Security
WS-Policy
WS-Trust
WS-Privacy
Follow-on Specifications
WS-SecureConversation
WS-Federation
WS-Authorization
WS-Security
Is the foundation for all of the other specs
Provides end-to-end message-level security for SOAP messages
Defines a SOAP Header element to carry security-related data
Security tokens are defined under the <Security> element, including <UsernameToken> and <BinarySecurityToken>
WS-Security
Message integrity is provided by XML Signature and security tokens
Message confidentiality is provided by XML Encryption with security tokens
WS-Security
WS-Policy
Specify how senders and receivers agree on the security requirements and capabilities
<SecurityToken> - what type, which issuer
<Integrity> - options for digital signature
<Confidentiality> - options for encryption algorithm
<Visibility> - which portion of the message must be unencrypted
WS-Trust
The model for establishing both direct and brokered trust relationships
Defines a way to use SOAP to talk to a KDC, CA or any other security token service center
Uses <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
WS-Privacy – defines the privacy policies, such as ACL and delegation
WS-SecureConversation – defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context
WS-Federation – defines how to construct federated trust among different security token service centers
WS-Authorization – describes how access policies for a web service are specified and managed
Where are we now?
Wireless Web Service
SOAP
Lightweight protocol
Exchanges structured information in a decentralized, distributed environment
Uses XML as the message framework
Interoperable among different systems
SOAP
Why SOAP?
Provides rich data types (more than 40)
Supports various messaging schemes
Binds with other protocols/standards
Java APIs for XML
Document-oriented
• JAXP
• JAXB
Procedure-oriented
• JAX-RPC
• JAXM
• JAXR
JAXP
Java APIs for XML Processing
XML Parser
Support XSLT
Includes
• SAX Parser (event-based)
• DOM Parser (tree-based)
JAXB
Java Architecture for XML Binding
Provides mapping between XML documents and Java objects
Builds Java objects based on an XML Schema or DTD
JAXP vs JAXB
Use JAXB when
• Access data in memory, but do not need tree
manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data.
JAXP vs JAXB
Use JAXP when
• Have flexibility with regard to the way you access the data: either serially with SAX or randomly in memory with DOM
• Use your same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data
JAXM
Java API for XML Messaging
SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.
JAXR
Java™ API for XML Registries
Provides a convenient way to access standard business registries over the Internet.
JAX-RPC
Java™ API for XML-based RPC
Is a collection of procedures that can be called by a remote client over the Internet
Supports SOAP 1.2 and WSDL
What you need for J2ME Web Service?
Server Side
Apache Axis (for SOAP parsing)
Web Service tool kit (e.g. WSDK)
Client Side
kSOAP / JSR 172
Wireless Toolkit
kSOAP
A parser based on kXML
kSOAP 1.2 supports SOAP 1.2
JSR 172
Provide subset of JAXP
Provide subset of JAX-RPC
Will be released in summer 2003
Wireless Web Service Security?
Just starting
Simple XML digital signatures can be done
Need to use third-party APIs