Course Content
Web Services Enterprise QoS
Introduction
- WS-* Specifications (Generic specs)
- WS-Policy
- WS-Addressing
- WS-Routing
- Interoperability (WSIT) & WS-* Specifications for Security, Reliability, Transaction
- WS-I
- WSIT (Project Tango) Overview
- Web Services Transaction
Security Basics
- Common Security Threats
- Identity Interception
- Replay Attack
- Data Interception and manipulation
- Repudiation
- Denial Of Service
- Network Security Needs
- Authentication
- Access Control
- Data Confidentiality
- Data Integrity
- Non Repudiation
- Auditing
Codifying security policies
- Introducing declarative security
- Policy consolidation for planning and consistent enforcement
- Use at design time to ensure interoperability
- Use at runtime to ensure interoperability
Canonical XML and Exclusive XML
Canonicalization
- Introduction
- Canonicalizing an XML document
- Exclusive XML Canonicalization
- Problematic Scenarios
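The canonicalization topic above, as an added example that is not part of the course material: one order element serialized three different ways is reduced to a single canonical form and digested the way a ds:Reference over signed content would be. It uses the Python standard library's xml.etree.ElementTree.canonicalize, which implements W3C C14N 2.0; that is close in spirit to Exclusive XML Canonicalization 1.0 (the scheme WS-Security signatures normally name) but not identical, so a real WS-Security stack has to apply the algorithm identified in the signature's ds:CanonicalizationMethod. The sample messages and the urn:example:* namespaces are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample messages (not captured from any real system). All of them carry
# the same order, serialized the way different SOAP stacks or intermediaries might emit it.
ORDER_AS_SENT = (
    '<o:Order xmlns:o="urn:example:order" xmlns:audit="urn:example:audit" '
    'id="42" currency="EUR"><o:Item sku="A-1" qty="2"/></o:Order>'
)
# Same content: attribute order changed, the unused namespace declaration dropped,
# single quotes, and an explicit end tag instead of a self-closing element.
ORDER_AS_RESERIALIZED = (
    "<o:Order currency='EUR' xmlns:o='urn:example:order' id='42'>"
    "<o:Item qty='2' sku='A-1'></o:Item></o:Order>"
)
# Pretty-printed by an intermediary: the added whitespace text nodes are real content
# to the canonicalizer, so the digest changes even though no data changed.
ORDER_REINDENTED = (
    '<o:Order xmlns:o="urn:example:order" id="42" currency="EUR">\n'
    '  <o:Item sku="A-1" qty="2"/>\n'
    '</o:Order>'
)
# The attack canonicalization must never hide: a changed quantity.
ORDER_TAMPERED = ORDER_AS_SENT.replace('qty="2"', 'qty="20"')


def canonical_form(xml_text: str) -> str:
    """Canonicalize with the standard library's C14N 2.0 writer.

    Like Exclusive C14N 1.0, it sorts attributes, expands empty elements, normalizes
    quoting and emits only namespace declarations that are actually used, so the
    ancestor context a signed subtree happens to sit in cannot change its bytes.
    """
    return ET.canonicalize(xml_text)


def reference_digest(xml_text: str) -> str:
    """Digest of the canonical form, as a ds:Reference/ds:DigestValue would carry it."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def digest_still_matches(signed_digest: str, received_xml: str) -> bool:
    """Receiver side: re-canonicalize what arrived and compare with the signed digest."""
    return reference_digest(received_xml) == signed_digest


if __name__ == "__main__":
    signed = reference_digest(ORDER_AS_SENT)
    print("canonical form:      ", canonical_form(ORDER_AS_SENT))
    print("reserialized matches:", digest_still_matches(signed, ORDER_AS_RESERIALIZED))
    print("reindented matches:  ", digest_still_matches(signed, ORDER_REINDENTED))
    print("tampered matches:    ", digest_still_matches(signed, ORDER_TAMPERED))
```

Running it shows that attribute order, quoting, self-closing syntax and an unused namespace declaration all disappear in the canonical form, while the re-indented copy fails to verify just as the tampered one does: canonicalization normalizes syntax, not whitespace text nodes. That is the practical side of the problematic scenarios listed above, and the reason an intermediary that pretty-prints or re-indents a SOAP body breaks every signature over it.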
SAML and XACML
- SAML History and Overview
- SAML 2.0 New Features
- SAML-related features in XACML
- SAML in Web Services Security
- Assertions
- Bindings
- Profiles
- Protocols
Using digital signatures
- The basics of XML signatures
- Challenges in signing XML
- XML canonicalization
- Signing SOAP messages
- Signing order creation request
- Sender-side implementation
- Receiver-side implementation
- Practical issues with signatures
- Three rules of signatures
- Mixing encryption and signatures
- Which canonicalization scheme?
- Protecting confidentiality of messages using encryption
Encryption in action
- The basics of encryption
- Types of encryption algorithms
- PKI: A framework for encryption
- Programming with digital certificates
- Creating digital certificates
- Point to point encryption with digital certificates (SSL/TLS)
- Java APIs for encryption
- Encrypting SOAP messages
- Sending user credentials with selective encryption
- Encrypting-side implementation
- Decrypting-side implementation
- Practical issues with encryption
Extending SOAP for security
- Finding the right approach for security in SOAP
- Lessons from web authentication schemes
- Authentication at the HTTP layer
- Choices for security implementation in SOAP
- Extending SOAP with headers
- Anatomy of a SOAP header
- Standard header entry attributes
- WS-Security: The standard extension for security
- Introduction to WS-Security
- Identifying a brokerage service user
- Processing SOAP extensions using handlers
- How handlers work
- Outline of the solution
- Implementing a server-side JAX-WS handler
- Implementing a client-side JAX-WS handler
- Handler chains
- Configuring handlers and handler chains
- Processing SOAP extensions using intermediaries
- Preserving the endpoint information: WS-Addressing
SOAP processing rules for intermediaries
- SOAP Extensions
- What should go into the headers?
- How do we standardize on headers?
- How many handlers?
- How do we support handlers?
Declarative Security
- Interoperability challenges in SOA security
- Sources of incompatibility
- Solving Incompatibilities
- WS-I basic security profile
WS-Policy
- Discovering Policies
- Policy Attachment Points
- Effective Policy
- WS-MetadataExchange
WS-Security Policy
- WS-SecurityPolicy: Subject-based Classification
- WS-SecurityPolicy: Functional Classification
- Classification of WS-SecurityPolicy
- Assertions
Security Binding or Security Patterns
- WS-Security and WS-Trust Conformance
- Supporting Token Assertions
- Security Assertion for messages
- Token Assertions (Lower-level Assertions)
- "Implementation" to an "interface"
WS-Security Internals
- WSS: SOAP Message Security - Binary Security Token
- WSS: SOAP Message Security - Username Token (Default)
- WSS: SOAP Message Security - Username Token (Hashed)
- WSS: SOAP Message Security - Timestamp
- WSS: SOAP Message Security - Security Token Reference
- WSS: SOAP Message Security - Direct Reference
- WSS: SOAP Message Security - Key Identifier
- WSS: SOAP Message Security - X.509 Certificate
- WSS: SOAP Message Security - X.509 Certificate (Issuer Serial)
- WSS: SOAP Message Security - X.509 Certificate (Thumbprint)
- WSS: SOAP Message Security
- wsc:DerivedKeyToken (WS-SecureConversation)
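The hashed Username Token and Timestamp items above, together with the replay attack listed under common threats, as an added example that is not part of the course material: the sender builds a wsse:UsernameToken whose Password is the profile's PasswordDigest (Base64 of SHA-1 over nonce, Created and password), and the receiver recomputes it, enforces a freshness window on Created and rejects any nonce it has already accepted. The namespace and Type URIs are the OASIS WSS 1.0 ones; the user, password and timestamps are constructed for the example, and the password store, freshness window and the single-process nonce cache are assumptions a real deployment would replace with its own.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
NS = {"wsse": WSSE, "wsu": WSU}
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); the nonce enters as raw bytes."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_username_token(username, password, now=None):
    """Sender side: a UsernameToken with hashed password, a fresh random nonce and Created."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = os.urandom(16)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64_TYPE).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side. The digest alone proves nothing against replay: a captured token
    stays valid until Created ages out, so the nonce cache covers that whole window."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords   # username -> password; the digest scheme needs the cleartext
        self.max_skew = max_skew     # assumed freshness window (clock skew plus transit time)
        self.seen = {}               # nonce (base64) -> Created, pruned as entries age out

    def verify(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(token_xml)
        username = root.findtext("wsse:Username", namespaces=NS)
        pw = root.find("wsse:Password", namespaces=NS)
        nonce_b64 = root.findtext("wsse:Nonce", namespaces=NS)
        created = root.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return False, "digest password, nonce and created are all required"
        try:  # fractional seconds are allowed by the profile; this example accepts whole seconds
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable created"
        if abs(now - created_at) > self.max_skew:
            return False, "created outside freshness window"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce_b64 in self.seen:
            return False, "replayed nonce"
        expected = self.passwords.get(username)
        if expected is None:
            return False, "unknown user"
        calc = password_digest(base64.b64decode(nonce_b64), created, expected)
        if not hmac.compare_digest(calc, pw.text or ""):
            return False, "bad digest"
        self.seen[nonce_b64] = created_at   # record the nonce only after a successful check
        return True, "ok"


def demo():
    """Four constructed scenarios; returns the verifier's reason for each."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"})
    fresh = build_username_token("alice", "correct horse battery", now=now)
    return [
        verifier.verify(fresh, now=now)[1],                                            # accepted
        verifier.verify(fresh, now=now)[1],                                            # same token again
        verifier.verify(build_username_token("alice", "wrong", now=now), now=now)[1],  # wrong password
        verifier.verify(build_username_token("alice", "correct horse battery", now=now),
                        now=now + timedelta(minutes=10))[1],                           # stale Created
    ]


if __name__ == "__main__":
    print(build_username_token("alice", "correct horse battery"))
    print(demo())
```

Two points the list items above leave implicit: the hashed form still obliges the server to keep the cleartext password (or an equivalent secret) to recompute the digest, and SHA-1 over a 16-byte random nonce is there for replay resistance, not to protect the password against an attacker who captures the token and guesses offline. Both are reasons the digest form is normally combined with transport or message encryption rather than used alone.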
WS-SECURITY POLICY Internals
- Token Assertions (Lower-level Assertions) - Common Properties
- Security Binding or Security Patterns
- Security Binding or Security Patterns - Properties
- Security Binding or Security Patterns - Properties (Protection Order)
- Security Binding or Security Patterns - Properties (Layout)
- Security Binding or Security Patterns - Symmetric Binding
- Security Binding (Processing Sequence)
- Security Binding or Security Patterns - Asymmetric Binding
- Security Binding (Processing Sequence)
- Security Binding or Security Patterns - Transport Binding
Supporting Token Assertions
- SupportingTokensAssertion
- SignedSupportingTokensAssertion
- EndorsingSupportingTokensAssertion
- SignedEndorsingSupportingTokensAssertion
- SignedEncryptedSupportingTokensAssertion
- EncryptedSupportingTokensAssertion
- EndorsingEncryptedSupportingTokensAssertion
- SignedEndorsingEncryptedSupportingTokensAssertion
Direct Authentication Architecture
Security As a Service
- Security as a Service - Who invokes the security service?
- Security as a Service - What is the interface for the security service?
WS-Trust
- WS-Trust overview
- RequestSecurityToken: Constituents
- RequestSecurityTokenResponse: Constituents
- SAML protocol
- Conveying the findings of a security service: SAML
- SAML assertion basics
- AuthenticationStatement
- Asserting authentication results
- AttributeStatement:Asserting user attributes
- AuthorizationDecisionStatement:Asserting authorization decisions
- Security as a Service - How is the security context communicated to the destination endpoint?
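The assertion items above (AuthnStatement, AttributeStatement and the conditions that scope them), as an added example that is not part of the course material: a constructed SAML 2.0 assertion is consumed the way the destination endpoint should consume a security service's findings, checking the issuer, the NotBefore/NotOnOrAfter window and the AudienceRestriction before any statement is trusted, and only then extracting the subject, authentication context and attributes. The issuer, audience and attribute values are made up for the example, and the assertion carries no ds:Signature; in a real deployment the signature is verified first and nothing below runs on an unsigned or badly signed assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion (not issued by any real IdP or STS). A real one carries a
# ds:Signature, which must be verified before anything in this assertion is believed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://brokerage.example.test/orders</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>trader</saml:AttributeValue>
      <saml:AttributeValue>viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://sts.example.test"}            # assumed trust configuration
SERVICE_AUDIENCE = "https://brokerage.example.test/orders"  # this endpoint's own identifier


def parse_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_assertion(assertion_xml, audience, now, trusted_issuers):
    """Return (accepted, reason, context); context is only meaningful when accepted is True."""
    root = ET.fromstring(assertion_xml)
    context = {"subject": None, "authn_context": None, "attributes": {}}
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", context
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", context
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions", context
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML Core, Conditions element).
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        return False, "assertion not yet valid", context
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        return False, "assertion expired", context
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "assertion was issued for a different audience", context
    # Only now are the statements worth reading.
    context["subject"] = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    context["authn_context"] = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        context["attributes"][attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", context


def demo():
    """Evaluate the sample inside its window, at the expiry instant, and at the wrong audience."""
    t_ok = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    t_expired = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)
    return [
        evaluate_assertion(SAMPLE_ASSERTION, SERVICE_AUDIENCE, t_ok, TRUSTED_ISSUERS),
        evaluate_assertion(SAMPLE_ASSERTION, SERVICE_AUDIENCE, t_expired, TRUSTED_ISSUERS),
        evaluate_assertion(SAMPLE_ASSERTION, "https://other.example.test/", t_ok, TRUSTED_ISSUERS),
    ]


if __name__ == "__main__":
    for accepted, reason, context in demo():
        print(accepted, reason, context if accepted else "")
```

The audience check is the one most often skipped in hand-written consumers, and it is what stops an assertion issued for one service from being presented to another; the expiry check at exactly NotOnOrAfter rejecting the assertion is deliberate, since that bound is exclusive.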
Secure Conversation
- Security as a Service - Issued Token
- Security as a Service - Issued Token (Issued Token Step)
- Security as a Service - Issued Token with Service Certificate
- Security as a Service - STS-Issued Endorsing Token
- Security as a Service - Issued Token with Secure Conversation
- Security as a Service - Brokered Trust
- Security as a Service - STS with Secure Conversation
Designing SOA security for a real-world enterprise
- Meeting the demands of enterprise IT environments
- Large and diverse user base
- Long life cycle
- Robustness
- Manageability
- Integration with diverse legacy applications
- Securing diverse services
- Services developed from scratch
- Services wrapping legacy applications
- Services composed of other services
- Choosing a deployment architecture
- For securing services in the intranet
- For securing services offered to the public
- For securing services offered to/by partners
- Making the solution industrial-strength
- Performance
- Scalability
- Availability
- Vulnerability management
- Common vulnerabilities
- XML-specific vulnerabilities
- Vulnerability remediation workflow
Governance and Security
- Registry and Repository
- Registry and Repository Standards
- Security and Policy Enforcement
- High Level Patterns of Security