Secure Systems Research Group - FAU 1 Web Services Products and Tools Ingrid Buckley Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton, FL, USA April 18, 2007

Dec 18, 2015



AGENDA

• Objective
• Introduction
• Web Service Products
  – Standards
  – Features
• Web Service Tools
• Web Service Patterns
• Conclusion


Objectives

• Evaluation of products and development tools used to create web services including their capabilities.

• Identifying areas that either have no support or can be better enhanced to increase the overall efficiency of the products and tools used in the development of web services.

• Providing some possible solutions.


Introduction

• A Web Service is a component in a system designed to support interoperable machine-to-machine interaction over a network.

• Web services are frequently just Web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services.

• Web services communicate using XML messages that follow the SOAP standard.

• Web services are regulated by web service standards.


Web Service Products

• Web services are generally used in two ways:
  – for remote procedure calls (RPC)
  – Document Style

• Several products are available on the market that offer one or more of these functionalities.

• There are two basic architectural approaches for platforms that support web services:
  – Microsoft .NET
  – Sun ONE (J2EE)

• A variety of companies develop products to implement web services. These include:
  – IBM, Microsoft, IONA, BEA, and SUN


Web Service Products

• Xtradyne - Xtradyne's WS-DBC

• IBM - Tivoli Identity Manager and Tivoli Access Manager

• IONA – Artix

• Netegrity - TransactionMinder

• Forum Sentry™ Web Services Security Suite

• Microsoft Trust Bridge

• BEA - BEA WebLogic Enterprise Security


Xtradyne - Xtradyne's WS-DBC

• The Web Services Domain Boundary Controller (WS-DBC) is an XML Firewall.

• It provides protection against malformed messages and malicious content, encryption/decryption of XML messages, XML digital signatures, authentication, authorization, and audit.

• It conforms to the WS-Security, SAML, WSDL, and XML Digital Signatures standards.


IBM - Tivoli Identity Manager and Tivoli Access Manager

• Tivoli Identity Manager is a policy-based user management solution.

• Tivoli Access Manager is a policy-based access control solution.

• Provides authentication and authorization APIs that allow integration with application platforms such as J2EE.

• This product conforms to WS-Federation and SAML standards.


IONA – Artix

• Artix is an extensible Enterprise Service Bus (ESB).

• It enables an enterprise to integrate and expose its applications as web services.

• The security features include a role-based access control mechanism, authentication, support for WS-Security, single sign-on (SSO), a Netegrity plug-in, an LDAP plug-in, and an Active Directory plug-in.

• It conforms to the WS-Security and SAML standards.


Netegrity - TransactionMinder

• TransactionMinder provides centralized authentication, policy-based authorization, and audit for web services transactions.

• It does this by intercepting requests made to web services, analyzing them, and communicating with the Netegrity Policy Server.

• Netegrity conforms to the SOAP messages, WSDL, SAML and XML Digital Signatures standards.


Forum Sentry™ Web Services Security Suite

• Enables trusted information sharing using XML data and Web services across different security domains and business processes.

• Forum Sentry supports the implementation of secure service-oriented architectures and event-driven applications.

• Conforms to XML Digital Signature, XML Encryption, WS-Encryption, WS-Digital Signatures, WSDL 1.1/1.2, WS-Security, SAML, XKMS and WS-I Basic Profile standards.


Microsoft Trust Bridge

• Microsoft Trust Bridge technology will allow different organizations using the Windows operating system to exchange user identities and interoperate in heterogeneous environments.

• It uses industry-standard XML Web services protocols, including Kerberos, WS-Security and forthcoming protocols in WS-Policy and the WS-Security family.

• Federated identity management makes it easier for businesses to interact with customers, partners and suppliers, thus increasing communication amongst stakeholders.


BEA - BEA WebLogic Enterprise Security

• BEA WebLogic Enterprise Security provides access control to applications based on policies.

• Includes policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.

• Conforms to the SAML and WSDL 1.1 standards.


Security Standards

Standards IBM IONA BEA XTRADYNE NETEGRITY FORUM Microsoft Trust Bridge

XML Encryption X X X

XML Signature X X X

SAML X X X X X X X

WS-Security X X X X

WS-Encryption X X X X X

WS-Reliability X

WS-TRUST X X

WS-Federation X X

WSDL X X


Security Features

Functionalities IBM IONA BEA XTRADYNE NETEGRITY FORUM Microsoft Trust Bridge

XML schema validation X X

Web services access control X X X X X X X

User Authentication X X X X X X X

Audit X X X X X

Alerts X X

Standards validation

Virus scanning X X X

Integrity checks X X X

SSO X X X


Web Service Tools

• GlassFish

• Eclipse Web Tools Platform (WTP)

• MissionKit

• Stylus Studio®


GlassFish

• GlassFish is an open source application server which implements some new features in the Java EE 5 platform.

• The Java EE 5 platform includes the latest versions of technologies such as:
  – JavaServer Pages (JSP) 2.1
  – JavaServer Faces (JSF) 1.2
  – Servlet 2.4
  – Enterprise JavaBeans 3.0
  – Java API for Web Services (JAX-WS) 2.0
  – Java Architecture for XML Binding (JAXB) 2.0
  – Web Services Metadata for the Java Platform 1.0


Eclipse Web Tools Platform (WTP)

• Eclipse web tools platform project extends the Eclipse platform with tools for developing web services and Java EE applications.

• It includes source and graphical editors for a variety of languages, wizards and built-in applications.

• Includes tools and APIs to support deploying, running, and testing web applications.


MissionKit

• The Altova MissionKit for XML Developers is designed for XML and software developers; it includes XML data integration and style sheet design capabilities.

• MissionKit supports:
  – XML, XSD, XSLT, and XQuery development
  – WSDL and SOAP Web services development
  – XML, database, flat file, EDI, and Web services data mapping / conversion
  – Graphical Web services creation
  – XML-aware file and directory differencing/merging
  – Advanced XML Schema management
  – Semantic Web development


Stylus Studio®

• Stylus Studio® 2008 XML Enterprise Suite provides a set of XML tools and features for working with XML, XQuery, web services, XML publishing, and other XML technologies.

• Stylus Studio includes the following features:

  – Apache Axis: Stylus Studio® uses Apache Axis to query web services for exploring, to retrieve data through web services, and to generate code for web services. Additionally, using the support of the XML converters, web services through Axis can be built into your own applications, called and executed through XSLT and/or XQuery, and used in XML pipelines and XML reports.

  – Integrating Web Services using XQuery: Web services provide process abstraction while XQuery provides a flexible means for data abstraction.

  – Web Service Data Mapping: Stylus Studio® allows you to use web services as XML data sources to be used in live XML mapping projects.


Mashups

• A mashup is a web application that combines data from more than one source into a single integrated tool.

• These are being used more in web services to deliver a richer and more interactive experience to users.

• The following are a few editors that are used to create mashups:
  – Google Mashup Editor
  – Openkapow
  – Microsoft Popfly Mashup Editor


Google Mashup Editor

• Google Mashup Editor is an AJAX development framework and a set of tools that enable developers to quickly and easily create simple web applications and mashups with Google services like Google Maps and Google Base.


Openkapow

• Openkapow is an open service platform which allows you to build your own services (called robots) and deploy them.

• The robots access web sites and allow the use of data, functionality and even the user interface of other web sites.


Microsoft Popfly Mashup Editor

• Microsoft Popfly Mashup Editor is a tool for creating and sharing mashups built on Silverlight technology.

• In addition to its tools for developers, Popfly is offering some consumer-facing applications that allow users to create web pages and build custom widgets for their blogs and social networking profiles.


Web Service Patterns

• XACML Authorization
  – Enables an organization to represent authorization rules in a standard manner.

• XACML Access Control Evaluation
  – This pattern decides if a request is authorized to access a resource according to policies defined by the XACML Authorization pattern.

• WSPL
  – Enables an organization to represent access control policies for its web services in a standard manner.
  – It also enables a web services consumer to express its requirements in a standard manner.
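
The XACML Access Control Evaluation pattern above can be illustrated with a small decision point. This is an added example, not part of the original slides: it is a simplified Python model rather than real XACML XML, it omits the Indeterminate decision, and the "orders" service, its roles, operations and attributes are constructed for illustration. It uses XACML's deny-overrides rule combining and a deny-biased enforcement point.

```python
"""Simplified XACML-style policy decision point (added example; constructed data)."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def matches(target: dict, request: dict) -> bool:
    """A target matches when every attribute it names has the required value."""
    return all(request.get(attr) == value for attr, value in target.items())


@dataclass
class Rule:
    effect: str                       # PERMIT or DENY
    target: dict                      # an empty target applies to every request
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        if not matches(self.target, request):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE     # a false condition makes the rule inapplicable
        return self.effect


def deny_overrides(decisions: list) -> str:
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


@dataclass
class Policy:
    target: dict
    rules: list

    def evaluate(self, request: dict) -> str:
        if not matches(self.target, request):
            return NOT_APPLICABLE
        return deny_overrides([rule.evaluate(request) for rule in self.rules])


def enforce(policy: Policy, request: dict) -> bool:
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return policy.evaluate(request) == PERMIT


# Constructed policy for a hypothetical "orders" web service.
ORDERS_POLICY = Policy(
    target={"service": "orders"},
    rules=[
        Rule(PERMIT, {"role": "clerk", "operation": "getOrder"}),
        Rule(PERMIT, {"role": "manager"}),
        Rule(DENY, {"operation": "cancelOrder"},
             condition=lambda req: req.get("order_status") == "shipped"),
    ],
)
```

A request that no rule covers evaluates to NotApplicable, and the enforcement point refuses it, so a gap in the policy fails closed.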


Patterns

• Enumerate existing patterns to define or build on existing ones.

• These patterns are for security only.


Conclusion

• Many of the web service products and tools discussed only conform to a few of the web services standards.

• It is difficult to select the right web services product or tool.

• Many companies do not explicitly state the features and standards which are supported by their products or tools. It is time-consuming to find out which standards a tool or product conforms to.

• Many products are not compliant with the WS-Reliability standard and many tools do not implement it.


Conclusion (continued)

• Patterns are used to solve recurrent general problems in a given context; they are flexible in how they can be used in different products and tools of varying purposes.

• A possible solution in overcoming this problem is using web service patterns in the implementation and design of web services products and tools.

• More web service patterns could be written to conform to a combination of web service industry standards.

• Easier for customers to make informed decisions regarding a particular tool based on the web service patterns it implements.


Conclusion

• A pattern can be specialized or generalized to suit the need of a product or tool.

• Create composite web service patterns which can be used to implement many web service standards.

• Web service products can be implemented using such composite patterns.

• Easier for web services developers to implement them into web service products and tools which could streamline the integration of more web service standards into web service products and tools