* Uncovers the steps software architects and developers will need to take in order to plan and build a real-world, secure Web services system * Authors are leading security experts involved in developing the standards for XML and Web services security * Focuses on XML-based security and presents code examples based on popular EJB and .NET application servers * Explains how to handle difficult-to-solve problems such as passing user credentials and controlling delegation of those credentials across multiple applications * Companion Web site includes the source code from the book as well as additional examples and product information @Team LiB......Page 0 Mastering Web Services Security......Page 2 Cover......Page 1 Copyright......Page 3 Acknowledgments......Page 6 Foreword......Page 8 Contents......Page 12 Introduction......Page 20 Overview of the Book and Technology......Page 22 How This Book Is Organized......Page 23 Who Should Read This Book......Page 26 Summary......Page 27 CHAPTER 1 Overview of Web Services Security......Page 28 Web Services Overview......Page 29 Web Services Architecture......Page 30 Security as an Enabler for Web Services Applications......Page 31 New Security Responsibilities......Page 32 Risk Management Holds the Key......Page 33 Information Security: A Proven Concern......Page 34 Securing Web Services......Page 35 Web Services Security Requirements......Page 36 Providing Security for Web Services......Page 37 Unifying Web Services Security......Page 39 EASI Requirements......Page 40 EASI Solutions......Page 41 EASI Framework......Page 42 EASI Benefits......Page 45 Business Scenario......Page 46 Scenario Security Requirements......Page 49 Summary......Page 50 Distributed Computing......Page 52 Distributed Processing across the Web......Page 54 Web Services Pros and Cons......Page 56 Extensible Markup Language......Page 57 Supporting Concepts......Page 59 SOAP......Page 63 SOAP Message Processing......Page 64 Message Format......Page 66 SOAP Features......Page 71 SOAP Usage Scenarios......Page 72 Universal Description Discovery and Integration......Page 73 WSDL......Page 75 Other Activities......Page 77 Other Standards......Page 78 Summary......Page 79 CHAPTER 3 Getting Started with Web Services Security......Page 80 Security Fundamentals......Page 81 Cryptography......Page 83 Authentication......Page 85 Authorization......Page 90 Walk- Through of a Simple Example......Page 91 Example Description......Page 92 Security Features......Page 93 Limitations......Page 94 Summary......Page 97 Public Key Algorithms......Page 100 Encryption......Page 101 Digital Signatures......Page 105 Public Key Certificates......Page 107 Certificate Format......Page 109 Public Key Infrastructure......Page 110 XML Encryption......Page 112 XML Signature......Page 115 WS- Security......Page 122 Functionality......Page 123 Example......Page 124 Summary......Page 125 CHAPTER 5 Security Assertion Markup Language......Page 126 What Is SAML?......Page 127 How SAML Is Used......Page 128 the SAML Specification......Page 131 Security Problems Solved by SAML......Page 132 A First Detailed Look at SAML......Page 134 Common Portion of an Assertion......Page 136 Statements......Page 139 SAML Protocols......Page 143 SAML Request......Page 144 SAML Response......Page 148 Profiles......Page 149 Shibboleth......Page 154 Privacy......Page 155 Single Sign- on......Page 156 WS- Security......Page 157 Summary......Page 158 Web Services Example......Page 160 Authentication Requirements......Page 162 Options for Authentication in Web Services......Page 164 System Characteristics......Page 168 Authentication for ePortal and eBusiness......Page 170 Data Protection Requirements......Page 172 Options for Data Protection in Web Services......Page 173 System Characteristics......Page 174 Authorization Requirements......Page 177 Options for Authorization in Web Services......Page 180 System Characteristics......Page 181 eBusiness Authorization......Page 182 Summary......Page 183 CHAPTER 7 Security of Infrastructures for Web Services......Page 184 Security and the Client/ Server Paradigm......Page 185 Security and the Object Paradigm......Page 187 What All Middleware Security Is About......Page 188 TSS, and Secure Channel......Page 190 How Middleware Systems Implement Security......Page 191 Distributed Security Administration......Page 201 Enforcing Fine- Grained Security......Page 202 CORBA......Page 203 How CORBA Works......Page 204 TSS, and Secure Channel......Page 206 Implementation of Security Functions......Page 209 Administration......Page 213 Enforcing Fine- Grained Security......Page 214 How COM+ Works......Page 215 TSS, and Secure Channel......Page 219 Implementation of Security Functions......Page 220 Administration......Page 222 Enforcing Fine- Grained Security......Page 223 .NET Framework......Page 224 How .NET Works......Page 226 .NET Security......Page 230 J2EE......Page 234 How EJB Works......Page 235 TSS, and Secure Channel......Page 237 Implementation of Security functions......Page 239 Administration......Page 240 Enforcing Fine- Grained Security......Page 243 Summary......Page 244 IIS Security Mechanisms......Page 246 Authentication......Page 247 Protecting Data in Transit......Page 248 Logging......Page 249 Creating Web Services with Microsoft Technologies......Page 251 Creating Web Services out of COM+ Components......Page 252 Components Using SOAP Toolkit......Page 253 Creating Web Services with .NET Remoting......Page 255 Creating Web Services Using ASP. NET......Page 256 Implementing Access to eBusiness with ASP.NET Web Services......Page 260 Authentication......Page 262 Data Protection......Page 270 Access Control......Page 271 Audit......Page 278 Securing Access to eBusiness......Page 283 Summary......Page 284 CHAPTER 9 Securing Java Web Services......Page 286 Using Java with Web Services......Page 287 Traditional Java Security Contrasted with Web Services Security......Page 288 Data Protection......Page 289 How SAML Is Used with Java......Page 290 JSR Compliance......Page 292 Authentication......Page 293 Java Tools Available for Web Services......Page 294 Sun FORTE and JWSDP......Page 295 IBM WebSphere and Web Services Toolkit......Page 296 Systinet WASP......Page 297 Example Using WASP......Page 298 Example Using JWSDP......Page 307 Summary......Page 311 CHAPTER 10 Interoperability of Web Services Security Technologies......Page 314 The Security Interoperability Problem......Page 315 Between Security Tiers......Page 316 Layered Security......Page 317 Perimeter Security......Page 318 Mid- Tier......Page 321 Authentication......Page 324 Security Attributes......Page 325 Authorization......Page 327 Maintaining the Security Context......Page 328 Handling Delegation in Web Services......Page 329 Client Use of EASI......Page 332 Securing the Example......Page 334 Framework Authentication......Page 335 Framework Authorization......Page 337 Example Using JWSDP......Page 338 What Problems Should an EASI Framework Solve?......Page 344 Making Third- Party Security Products Work Together......Page 345 Federation......Page 346 Liberty Alliance......Page 347 Summary......Page 349 Introducing Security Administration......Page 352 The Security Administration Problem......Page 353 Administering Access Control and Related Policies......Page 354 Using Attributes Wisely......Page 355 Taking Advantage of Role- Based Access Control......Page 356 Delegation......Page 368 Authentication Administration......Page 370 How Rich Does Security Policy Need to Be?......Page 371 Administering Data Protection......Page 372 Administration Play Well Together......Page 373 Summary......Page 374 CHAPTER 12 Planning and Building a Secure Web Services Architecture......Page 376 Security Must Be In Place......Page 377 What Is Security?......Page 378 Building Trustworthy Systems......Page 379 Security Evolution-Losing Control......Page 381 EASI Principles for Web Services......Page 382 Security Architecture Principles......Page 383 Security Policy Principles......Page 384 Determining Requirements......Page 385 ePortal Security Requirements......Page 387 eBusiness Security Requirements......Page 389 Nonfunctional Requirements......Page 391 Overview of ePortal and eBusiness Security Architectures......Page 393 Applying EASI......Page 396 ePortal EASI Framework......Page 397 Addressing ePortal Requirements......Page 399 eBusiness EASI Framework......Page 402 Addressing eBusiness Requirements......Page 405 Deploying Security......Page 408 Perimeter Security......Page 409 Mid- Tier Security......Page 411 Back- Office Security......Page 412 Self- Administration......Page 413 Large- Scale Administration......Page 414 Storing Security Policy Data......Page 415 Security Gotchas at the System Architecture Level......Page 418 Performance......Page 419 Summary......Page 420 Glossary......Page 422 References......Page 442 A......Page 450 C......Page 452 D......Page 453 E......Page 454 I......Page 456 J......Page 457 N......Page 458 P......Page 459 S......Page 460 W......Page 462 X......Page 463
quickly Learn How To Build A Secure Web Services System Using Available Programming Tools, Models, And Specifications
web Services Promise To Simplify Business Programming And To Improve Interoperability, But They Won't Deliver On These Promises Without Effective Security. Written By The Leading Security Experts In The Field, This Innovative Book Clearly Shows How To Build A Real-world, Secure Web Services System. Using Theory, Examples, And Practical Advice, The Authors Examine Each Of The Security Technologies Used For Providing Secure Web Services, Emphasizing How Security Works With Xml And Soap. And With The Help Of Two Case Studies, You'll Also Learn How To Effectively Plan And Deploy A Secure Web Services System For Both J2ee And .net.
this Book Will Show You How To Build A Secure Web Services System Today And Anticipate The Security Systems Of Tomorrow. The Authors:
* Discuss The Measures That Can Be Used To Secure Xml And Soap Messages
* Demonstrate Ways To Analyze And Address Web Services Security Needs
* Describe Ws-security And Saml, New Security Specifications That Are Directed At Securing User Data And Credentials Using Xml
* Cover The Different Ways To Create A Secure .net Web Service
* Explain How To Secure Web Services When The Target Web Service Is A J2ee Application Server
the Companion Web Site Contains
* The Complete Source Code From The Book
* Additional Examples And Product Information
"Mastering Web Services Security" begins with an overview of Web services technologies, including XML, SOAP, UDDI, and WSDL. The authors next describe the security building blocks for creating a Web services security architecture