Web Service and Security
Lilly Wang
46 pages

1 Web Service and Security Lilly Wang. 2 Agenda Brief introduction to web service Web service security Wireless web service.

Jan 04, 2016

Transcript
Page 1:

Web Service and Security

Lilly Wang

Page 2:

Agenda

• Brief introduction to web services
• Web service security
• Wireless web services

Page 3:

Software Evolution

• Mainframe-based
• Two-tier client/server
• Web-based N-tier client/server
• Web-centric, highly distributed systems

Page 4:

Web Service Basics

Page 5:

What is a web service?

• Self-contained
• Self-described (WSDL)
• Interoperable through standard interfaces
• Dynamically discovered (UDDI)

Page 6:

Web Service Characteristics

• Openly accessible over the Internet
• Uses XML messages for communication
• Loosely coupled architecture
• May involve one or more intermediaries
• Heterogeneous implementation technologies

Page 7:

Business Point of View

Diagram: three roles, requestor, registry and provider. The provider publishes its service description to the registry, the requestor finds the service in the registry, and the requestor then binds to the provider.

Page 8:

Developer’s Point of View

• How to achieve interoperability
• How to transport data
• How to achieve high performance

A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface.

Page 9:

Architecture

Diagram: the same three roles with the standards that connect them. The provider describes its service in WSDL and publishes it to the registry over UDDI; the requestor finds the service through UDDI, retrieves its WSDL, and exchanges SOAP messages with the provider.

Page 10:

SOAP

• Simple Object Access Protocol (the expansion was dropped in SOAP 1.2; the name is now just SOAP)
• Originally used for RPC
• High-level protocol that defines only the message structure and a few simple rules for message processing
• Data is packed inside a SOAP message for transport over the network

http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

Page 11:

WSDL

• Web Services Description Language
• The service description component
• A specification for describing a service that is provided or searched for

http://www.w3.org/TR/2001/NOTE-wsdl-20010315

Page 12:

UDDI

• Universal Description, Discovery and Integration
• A technical specification for a business registry
• Data stored in a standardized XML format
• APIs for searching
• The UDDI Business Registry is a fully operational implementation of the UDDI spec

http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html

Page 13:

Types of Web Services

• Remote Procedure Call (RPC) type: call parameters and return values are serialized in SOAP messages; data types are defined by XML Schema.
• Document messaging (DOC) type: operates in asynchronous mode, similar to mailing-list robots; good for mobile.

Page 14:

Web Service Security

Page 15:

Security Basics

• Authentication
• Access control
• Authorization
• Data integrity
• Non-repudiation

Page 16:

Basic Security Mechanisms

• Symmetric/asymmetric key encryption
• Message digest
• Message Authentication Code (MAC)
• Digital signature
• Digital certificate
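An added example (not from the slides) to show the difference between the message digest and the MAC on this list, in Python: an on-path attacker who rewrites a message can recompute a plain SHA-256 digest so the receiver accepts the forgery, but cannot produce a valid HMAC without the shared key. The key and messages are constructed sample values; only the standard library is used.

```python
"""Added example (not from the slides): message digest vs. MAC.
Uses only the Python standard library; KEY and the messages are constructed."""
import hashlib
import hmac

KEY = b"constructed-shared-key"   # held by requester and service only


def protect_with_digest(msg: bytes):
    """Sender attaches SHA-256(msg). Anyone can compute it, so it detects
    accidental corruption but not deliberate modification."""
    return msg, hashlib.sha256(msg).hexdigest()


def check_digest(msg: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(msg).hexdigest(), digest)


def protect_with_mac(msg: bytes, key: bytes):
    """Sender attaches HMAC-SHA256(key, msg). A valid tag requires the key."""
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_mac(msg: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag)


def attacker_rewrites(msg: bytes):
    """On-path attacker changes the amount and does the only thing it can:
    recompute a keyless digest over the new message and put it where the
    original digest or tag was."""
    forged = msg.replace(b"amount=100", b"amount=9999")
    return forged, hashlib.sha256(forged).hexdigest()


def demo() -> dict:
    original = b"transfer to=acct-42 amount=100"   # constructed message
    msg, digest = protect_with_digest(original)
    forged, forged_digest = attacker_rewrites(msg)
    digest_accepts_forgery = check_digest(forged, forged_digest)
    msg, tag = protect_with_mac(original, KEY)
    forged, forged_tag = attacker_rewrites(msg)
    mac_accepts_forgery = check_mac(forged, forged_tag, KEY)
    return {
        "digest_accepts_forgery": digest_accepts_forgery,  # True: digest gives no protection
        "mac_accepts_forgery": mac_accepts_forgery,        # False: attacker lacks KEY
        "mac_accepts_genuine": check_mac(msg, tag, KEY),   # True
    }


if __name__ == "__main__":
    print(demo())
```

A MAC proves origin only to the other holder of the key, so it cannot give the non-repudiation listed on the previous slide (either party could have produced the tag); that needs a digital signature made with a private key, and a digital certificate to bind the matching public key to an identity.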

Page 17:

Web Service Security Technologies

• X.509 certificates (the certificate profile is RFC 2459, since superseded by RFC 5280; RFC 2585, cited on the original slide, covers fetching certificates and CRLs over FTP and HTTP)
• SSL/TLS (RFC 2246, TLS 1.0)
• Kerberos tickets (RFC 1510)
• XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
• XML Encryption (http://www.aleksey.com/xmlsec/)
• XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)

Page 18:

Web Service Security Challenges

• SOAP messages can be sent over different transport applications or protocols, so a transport-level mechanism such as SSL/TLS protects only one hop and only while that transport is in use
• There can be legitimate intermediaries that need to access part or all of a SOAP message

Page 19:

Point-to-Point Security

Diagram: Requester -> Intermediary -> Web Service, with one security context between the requester and the intermediary and a second, separate security context between the intermediary and the web service. This is what transport security such as SSL/TLS gives: each hop is protected, but the intermediary sees the whole message in the clear and can alter it without the web service noticing.

Page 20:

End-to-End Security

Diagram: Requester -> Intermediary -> Web Service, with a single security context spanning from the requester to the web service. The protection travels with the message itself (message-level security), so the intermediary can forward it and add its own headers, but cannot read or modify the protected parts undetected.

Page 21:

Proposed Security Specifications

Initial specifications
• WS-Security
• WS-Policy
• WS-Trust
• WS-Privacy

Follow-on specifications
• WS-SecureConversation
• WS-Federation
• WS-Authorization

Page 22:

WS-Security

• Is the foundation for all of the other specs
• Provides end-to-end, message-level security for SOAP messages
• Defines a SOAP Header element to carry security-related data
• Security tokens are carried under the <Security> header element, for example <UsernameToken> and <BinarySecurityToken>

Page 23:

WS-Security

• Message integrity is provided by XML Signature together with security tokens
• Message confidentiality is provided by XML Encryption together with security tokens
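The following is an added example in Python (not code from the slides or from any WS-Security implementation) that puts slides 18 to 23 together: a requester builds a SOAP 1.1 envelope whose wsse:Security header carries a UsernameToken in the PasswordDigest form of the WS-Security UsernameToken Profile 1.0 plus an integrity tag over the Body; an intermediary re-serializes the message and adds its own routing header; the service then verifies both. The SOAP and WS-Security namespaces and the digest formula are the real ones. The <BodyMAC> element with HMAC-SHA256 is an assumed stand-in for the <ds:Signature> that XML Signature would carry, the <Via> header is an assumed intermediary header, and the key, user, password and payload are constructed.

```python
"""Added example (not from the slides): end-to-end, message-level protection of
a SOAP Body through an intermediary, in the shape of a WS-Security header.
<BodyMAC> (HMAC, assumption) stands in for <ds:Signature>; <Via> is an assumed
intermediary header; key, user, password and payload are constructed."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def canonical_body(envelope_xml) -> bytes:
    """C14N of just the soap:Body. An intermediary may re-serialize the message
    (new prefixes, whitespace); canonicalizing with prefix rewriting makes the
    bytes we protect independent of that, which is why XML Signature
    canonicalizes before digesting."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Body")
    return ET.canonicalize(ET.tostring(body), strip_text=True, rewrite_prefixes=True).encode()


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_request(user: str, password: str, key: bytes, payload_xml: str) -> str:
    """Requester: Envelope with a wsse:Security header carrying a UsernameToken
    (authentication) and a tag over the Body (integrity, end to end)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(payload_xml))
    # Stand-in for <ds:Signature>: HMAC-SHA256 over the canonical Body (assumption).
    ET.SubElement(sec, "BodyMAC").text = hmac.new(key, canonical_body(ET.tostring(env)), hashlib.sha256).hexdigest()
    return ET.tostring(env, encoding="unicode")


def intermediary(xml: str, tamper: bool = False) -> str:
    """Legitimate intermediary: parse, add its own routing header, re-serialize.
    With tamper=True it also edits the Body, which end-to-end security must
    catch and hop-by-hop TLS cannot, since the intermediary is a TLS endpoint."""
    root = ET.fromstring(xml)
    ET.SubElement(root.find(f"{{{SOAP}}}Header"), "Via").text = "gateway.example"  # assumed header
    if tamper:
        root.find(".//Amount").text = "9999"
    return ET.tostring(root, encoding="unicode")


def verify_request(xml: str, key: bytes, password_for) -> dict:
    """Service: check the UsernameToken digest and the Body tag independently."""
    root = ET.fromstring(xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    tok = sec.find(f"{{{WSSE}}}UsernameToken")
    user = tok.findtext(f"{{{WSSE}}}Username")
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce"))
    created = tok.findtext(f"{{{WSU}}}Created")
    token_ok = hmac.compare_digest(password_digest(nonce, created, password_for(user)),
                                   tok.findtext(f"{{{WSSE}}}Password") or "")
    expected = hmac.new(key, canonical_body(xml), hashlib.sha256).hexdigest()
    body_ok = hmac.compare_digest(expected, sec.findtext("BodyMAC") or "")
    return {"user": user, "token_ok": token_ok, "body_ok": body_ok}


def demo():
    """One untampered and one tampered pass through the intermediary."""
    key, users = b"constructed-shared-key", {"alice": "s3cret"}
    req = build_request("alice", "s3cret", key, "<Transfer><To>acct-42</To><Amount>100</Amount></Transfer>")
    return (verify_request(intermediary(req), key, users.__getitem__),
            verify_request(intermediary(req, tamper=True), key, users.__getitem__))


if __name__ == "__main__":
    print(demo())  # second result has body_ok False
```

Running it reports both checks passing for the untampered message and body_ok False when the intermediary edits the Body, while the intermediary's added <Via> header does not disturb the check because only the canonical Body is covered. Two caveats a practitioner would add: PasswordDigest requires the service to hold the plaintext password (or an equivalent) and to cache nonces against replay, and an HMAC with a shared key gives integrity and origin authentication but not non-repudiation, which is why WS-Security pairs XML Signature with X.509 tokens.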

Page 24:

WS-Security

Page 25:

WS-Policy

Specifies how senders and receivers agree on security requirements and capabilities:

• <SecurityToken> - what type, which issuer
• <Integrity> - options for digital signature
• <Confidentiality> - options for encryption algorithm
• <Visibility> - which portion of the message must be left unencrypted (for example, so that an intermediary can read it)

Page 26:

WS-Trust

• Defines a way to use SOAP to talk to a KDC, a CA or any other security token service (STS)
• Uses the <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
• The model for establishing both direct and brokered trust relationships

Page 27:

WS-Privacy: defines privacy policies, such as ACLs and delegation

WS-SecureConversation: defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context

Page 28:

WS-Federation: defines how to construct federated trust among different security token services

WS-Authorization: describes how access policies for a web service are specified and managed

Page 29:

Where are we now?

Page 30:

Wireless Web Service

Page 31:

SOAP

• Lightweight protocol
• Exchanges structured information in a decentralized, distributed environment
• Uses XML as the message framework
• Interoperable among different systems

Page 32:

SOAP

Page 33:

Why SOAP?

• Provides rich data types (more than 40)
• Supports various messaging schemes
• Binds to other protocols/standards

Page 34:

Java APIs for XML

Document-oriented
• JAXP
• JAXB

Procedure-oriented
• JAX-RPC
• JAXM
• JAXR

Page 35:

JAXP

• Java API for XML Processing
• XML parser
• Supports XSLT
• Includes a SAX parser (event-based) and a DOM parser (tree-based)

Page 36:

JAXB

• Java Architecture for XML Binding
• Provides mapping between XML documents and Java objects
• Builds Java objects based on an XML Schema or DTD

Page 37:

JAXP vs JAXB: use JAXB when you

• Access data in memory, but do not need tree manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data

Page 38:

JAXP vs JAXB: use JAXP when you

• Want flexibility in the way you access the data: either serially with SAX or randomly in memory with DOM
• Use the same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data

Page 39:

JAXM

• Java API for XML Messaging
• SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
• JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.

Page 40:

JAXR

Java API for XML Registries: provides a convenient way to access standard business registries over the Internet.

Page 41:

JAX-RPC

• Java API for XML-based RPC
• A collection of procedures that can be called by a remote client over the Internet
• Supports SOAP 1.1 and WSDL 1.1 (the original slide says SOAP 1.2; SOAP 1.2 support arrived with JAX-RPC's successor, JAX-WS)

Page 42:

What do you need for J2ME web services?

Server side
• Apache Axis (for SOAP parsing)
• A web service toolkit (e.g. WSDK)

Client side
• kSOAP / JSR 172
• Wireless Toolkit

Page 43:

kSOAP

• A SOAP parser based on kXML
• kSOAP 1.2 supports SOAP 1.2

Page 44:

JSR 172

• Provides a subset of JAXP
• Provides a subset of JAX-RPC
• Will be released in summer 2003

Page 45:

Wireless Web Service Security?

• Just getting started
• Simple XML digital signatures can be done
• Third-party APIs are needed

Page 46:

References

[1] http://www.javaworld.com/javaworld/jw-08-2002/jw-0823-wireless.html
[2] http://www106.ibm.com/developerworks/webservices/library/ws-sec1.html?dwzone=webservices
[3] http://www106.ibm.com/developerworks/webservices/library/ws-secroad/?dwzone=webservices
[4] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp