
Web Service and Security

Presentation by Lilly Wang. Agenda: a brief introduction to web services, web service security, and wireless web services. It opens with the evolution of software architectures, from mainframe-based systems through two-tier client/server and web-based n-tier client/server to web-centric, highly distributed systems.


Presentation Transcript


  1. Web Service and Security (Lilly Wang)

  2. Agenda
     - Brief introduction to web services
     - Web service security
     - Wireless web services

  3. Software Evolution
     - Mainframe based
     - Two-tier client/server
     - Web-based n-tier client/server
     - Web-centric, highly distributed systems

  4. Web Service Basics

  5. What is a web service?
     - Self-contained
     - Self-described (WSDL)
     - Interoperable standard interfaces
     - Dynamically discovered (UDDI)

  6. Web Service Characteristics
     - Openly accessible over the Internet
     - Use XML messages for communication
     - Loosely-coupled architecture
     - Involve one or more intermediaries
     - Heterogeneous in implementation technologies

  7. Business Point of View (diagram: the Provider publishes to the Registry, the Requestor finds the service in the Registry and binds to the Provider)

  8. Developer's Point of View
     - How to achieve interoperability
     - How to transport data
     - How to achieve high performance
     A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface.

  9. Architecture (diagram: Requestor and Provider locate each other through the UDDI Registry, describe their interfaces with WSDL, and exchange messages with SOAP)

  10. SOAP
     - Simple Object Access Protocol
     - Originally used for RPC
     - High-level protocol that defines only the message structure and a few simple rules for message processing
     - Data are packed inside a SOAP message for transport over the network
     - http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

  11. WSDL
     - Web Service Description Language
     - Service description component
     - A specification for describing a service that is provided or searched for
     - http://www.w3.org/TR/2001/NOTE-wsdl-20010315

  12. UDDI
     - Universal Description, Discovery and Integration
     - A technical spec for a business registry
     - Data stored in standardized XML format
     - APIs for searching
     - The UDDI Business Registry is a fully operational implementation of the UDDI spec
     - http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html

  13. Types of Web Services
     - Remote Procedure Call (RPC) type: call parameters and return values are serialized in SOAP messages; data types are supported by XML Schema.
     - Document messaging (DOC) type: operates in asynchronous mode, similar to mailing-list robots; good for mobile.

  14. Web Service Security

  15. Security Basics
     - Authentication
     - Access Control
     - Authorization
     - Data Integrity
     - Non-repudiation

  16. Basic Security Mechanisms
     - Symmetric/Asymmetric Key Encryption
     - Message Digest
     - Message Authentication Codes (MAC)
     - Digital Signature
     - Digital Certificate

  17. Web Service Security Technologies
     - X.509 Certificate (RFC 2585)
     - SSL/TLS (RFC 2246)
     - Kerberos Tickets (RFC 1510)
     - XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
     - XML Encryption (http://www.aleksey.com/xmlsec/)
     - XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)

  18. Web Service Security Challenges
     - SOAP messages can be sent using different transport applications or protocols
     - There could be legitimate intermediaries that need to access part or all of a SOAP message

  19. Point-to-Point Security (diagram: one security context between the Requester and the Intermediary, and a separate one between the Intermediary and the Web Service)

  20. End-to-End Security (diagram: a single security context spanning the Requester, the Intermediary and the Web Service)

  21. Proposed Security Specifications
     - Initial specifications: WS-Security, WS-Policy, WS-Trust, WS-Privacy
     - Follow-on specifications: WS-SecureConversation, WS-Federation, WS-Authorization

  22. WS-Security
     - Is the foundation for all of the other specs
     - Provides end-to-end message-level security for SOAP messages
     - Defines a SOAP Header element to carry security-related data
     - Security tokens are defined under the <Security> tag, containing <UsernameToken> and <BinarySecurityToken>

  23. WS-Security
     - Message integrity is provided by XML Signature and security tokens
     - Message confidentiality is provided by XML Encryption with security tokens

  24. WS-Security

  25. WS-Policy
     - Specifies how senders and receivers agree on security requirements and capabilities
     - <SecurityToken>: what type, which issuer
     - <Integrity>: options for digital signature
     - <Confidentiality>: options for encryption algorithm
     - <Visibility>: which portion of the message must be unencrypted

  26. WS-Trust
     - The model for establishing both direct and brokered trust relationships
     - Defines a way to use SOAP to talk to a KDC, CA or any other security token service center
     - Uses the <RequestSecurityToken> and <RequestSecurityTokenResponse> elements

  27. WS-Privacy and WS-SecureConversation
     - WS-Privacy defines privacy policies, such as ACLs and delegation
     - WS-SecureConversation defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context

  28. WS-Federation and WS-Authorization
     - WS-Federation defines how to construct federated trust among different security token service centers
     - WS-Authorization describes how access policies for a web service are specified and managed

  29. Where are we now ?

  30. Wireless Web Service

  31. SOAP
     - Lightweight protocol
     - Exchanges structured information in a decentralized, distributed environment
     - Uses XML as the message framework
     - Interoperable among different systems

  32. SOAP

  33. Why SOAP?
     - Provides rich data types (more than 40)
     - Supports various messaging schemes
     - Binds with other protocols/standards

  34. Java APIs for XML
     - Document-oriented: JAXP, JAXB
     - Procedure-oriented: JAX-RPC, JAXM, JAXR

  35. JAXP
     - Java APIs for XML Processing
     - XML parser
     - Supports XSLT
     - Includes a SAX parser (event-based) and a DOM parser (tree-based)

  36. JAXB
     - Java Architecture for XML Binding
     - Provides mapping between XML documents and Java objects
     - Builds Java objects based on an XML Schema/DTD

  37. JAXP vs JAXB: use JAXB when you
     - Access data in memory, but do not need tree manipulation capabilities
     - Process only data that is valid
     - Convert data to different types
     - Generate classes based on a DTD
     - Build object representations of XML data

  38. JAXP vs JAXB: use JAXP when you
     - Want flexibility with regard to the way you access the data: either serially with SAX or randomly in memory with DOM
     - Use the same processing code with documents based on different DTDs
     - Parse documents that are not necessarily valid
     - Apply XSLT transforms
     - Insert or remove objects from an object tree that represents XML data

  39. JAXM
     - Java API for XML Messaging
     - SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
     - JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and sending one-way messages. It is always used in conjunction with the SAAJ 1.1 API.

  40. JAXR
     - Java™ API for XML Registries provides a convenient way to access standard business registries over the Internet.

  41. JAX-RPC
     - Java™ API for XML-based RPC
     - A collection of procedures that can be called by a remote client over the Internet
     - Supports SOAP 1.2 and WSDL

  42. What do you need for a J2ME web service?
     - Server side: Apache Axis (for SOAP parsing); a web service toolkit (e.g. WSDK)
     - Client side: kSOAP / JSR 172; Wireless Toolkit

  43. kSOAP
     - A parser based on kXML
     - kSOAP 1.2 supports SOAP 1.2

  44. JSR 172
     - Provides a subset of JAXP
     - Provides a subset of JAX-RPC
     - Will be released in summer 2003

  45. Wireless Web Service Security?
     - Just started
     - Simple XML digital signatures can be done
     - Need to use third-party APIs

  46. References
     [1] http://www.javaworld.com/javaworld/jw-08-2002/jw-0823-wireless.html
     [2] http://www106.ibm.com/developerworks/webservices/library/ws-sec1.html?dwzone=webservices
     [3] http://www106.ibm.com/developerworks/webservices/library ws-secroad/?dwzone=webservices
     [4] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
