Introduction
Overview of the Book and Technology
How This Book Is Organized
Who Should Read This Book
What's on the Web Site
Summary
Chapter 1 Overview of Web Services Security
Web Services Overview
Characteristics of Web Services
Web Services Architecture
Security as an Enabler for Web Services Applications
Information Security Goals: Enable Use, Bar Intrusion
Web Services Solutions Create New Security Responsibilities
Risk Management Holds the Key
Information Security: A Proven Concern
Securing Web Services
Web Services Security Requirements
Providing Security for Web Services
Unifying Web Services Security
EASI Requirements
EASI Solutions
EASI Framework
Applications
APIs
Core Security Services
Framework Security Facilities
Security Products
EASI Benefits
Example of a Secure Web Services Architecture
Business Scenario
Web Services Interfaces
Scenario Security Requirements
Summary
Chapter 2 Web Services
Distributed Computing
Distributed Processing across the Web
Web Services Pros and Cons
Extensible Markup Language
Supporting Concepts
Uniform Resource Identifiers
Namespaces
XML Schema
SOAP
SOAP Message Processing
Processing order
Open items
Message Format
SOAP Message Header
Role
MustUnderstand
SOAP Message Body
Request message body elements
Response message body elements
SOAP Features
HTTP Binding
SOAP Usage Scenarios
Universal Description, Discovery and Integration
WSDL
Other Activities
Other Standards
Summary
Chapter 3 Getting Started with Web Services Security
Security Fundamentals
Cryptography
Secret Key Cryptography
Public Key Cryptography
Authentication
Categories of Authentication
Password Authentication
Challenge-response Authentication
Cryptographic Protocols
SSL/TLS Protocol
Kerberos/DCE Protocol
Authentication Systems
Authorization
Walk-Through of a Simple Example
Example Description
Security Features
Cryptography
Authentication
Authorization
Limitations
Cryptography
Authentication
Authorization
Summary
Chapter 4 XML Security and WS-Security
Public Key Algorithms
Encryption
RSA
Diffie-Hellman, Elliptic Curve Diffie-Hellman
Digital Signatures
Message Digests
RSA
DSA
Public Key Certificates
Certificate Format
Public Key Infrastructure
XML Security
XML Encryption
Format/Structure
Procedure
Example
Issues
XML Signature
Format/Structure
Transformations
XPath/XPointer
XML Canonicalization
XML Decryption Transform for Signature
Signature Creation/Verification Process
Example
Issues
WS-Security
Functionality
Security Element
Structure
Example
Summary
Chapter 5 Security Assertion Markup Language
OASIS
What Is SAML?
How SAML Is Used
XML Basis
Scope of SAML
Emphasis on Web SSO
The Rationale for Understanding the SAML Specification
Why Open Standards Like SAML Are Needed
Security Problems Solved by SAML
Single Sign-On
A First Detailed Look at SAML
SAML Assertions
Common Portion of an Assertion
Statements
Authentication Statement
Attribute Statement
Authorization Statement
Assertion Example
SAML Protocols
SAML Request/Response
SAML Request
AuthenticationQuery
AttributeQuery
AuthorizationQuery
SAML Response
Bindings
SOAP Binding
Profiles
SAML Artifact
SAML Artifact Structure
Using the SAML Artifact
SAML POST
Shibboleth
Privacy
Federation
Single Sign-On
The Trust Relationship
Related Standards
XACML
WS-Security
Summary
Chapter 6 Principles of Securing Web Services
Web Services Example
Authentication
Authentication Requirements
Options for Authentication in Web Services
Connection-Oriented Authentication
Authentication Systems
Document-Oriented Authentication
Digital Signatures
Tokens
System Characteristics
Authentication for ePortal and eBusiness
Data Protection
Data Protection Requirements
Options for Data Protection in Web Services
System Characteristics
eBusiness Data Protection
Authorization
Authorization Requirements
Options for Authorization in Web Services
System Characteristics
eBusiness Authorization
Summary
Chapter 7 Security of Infrastructures for Web Services
Distributed Security Fundamentals
Security and the Client/Server Paradigm
Security and the Object Paradigm
What All Middleware Security Is About
Roles and Responsibilities of CSS, TSS, and Secure Channel
How Middleware Systems Implement Security
Distributed Authentication
Authentication Protocols
Choosing an Authentication Protocol
Message Protection
Distributed Access Control
Distributed Audit
Distributed Delegation
Motivations for Using Delegation
Levels of Delegation
Distributed Security Administration
Enforcing Fine-Grained Security
CORBA
How CORBA Works
Declarative Part
Runtime Part
Wire Protocol
Object Reference
Roles and Responsibilities of CSS, TSS, and Secure Channel
Common Secure Interoperability Version 2
Implementation of Security Functions
Authentication
Message Integrity and Confidentiality Protection
Access Control
Auditing
Delegation
Administration
Policy Objects and Administrative Interfaces
Policy Domains
Enforcing Fine-Grained Security
COM+
How COM+ Works
Declarative Part
Runtime Part
Wire Protocol
Roles and Responsibilities of CSS, TSS, and Secure Channel
Implementation of Security Functions
Authentication
Message Integrity and Confidentiality Protection
Access Control
Audit
Delegation
Administration
Enforcing Fine-Grained Security
.NET Framework
How .NET Works
Exposing .NET Objects as COM+ Components
Object Remoting
Securing Remoted Objects
.NET Security
J2EE
How EJB Works
Declarative Part
Runtime Part
Roles and Responsibilities of CSS, TSS, and Secure Channel
Client Security Service
Target Security Service
Secure Channel
Implementation of Security Functions
Authentication
Access Control
Delegation
Administration
Access Control Policy
Delegation Policy
Enforcing Fine-Grained Security
Summary
Chapter 8 Securing .NET Web Services
IIS Security Mechanisms
Authentication
Protecting Data in Transit
Access Control
Logging
Fault Isolation
Creating Web Services with .NET
Creating Web Services out of COM+ Components
Creating Web Services out of COM Components Using SOAP Toolkit
Creating Web Services with .NET Remoting
Creating Web Services Using ASP.NET
Implementing Access to eBusiness with ASP.NET Web Services
ASP.NET Web Services Security
Authentication
ASP.NET Authentication Services
HTTP Modules
Custom Authentication with SOAP Headers
Data Protection
Access Control
Impersonation
Impersonation-Based Access Control Methods
Windows Access Control Lists
ASP.NET URL Authorization
CLR’s Declarative Role-Based Access Control
CLR’s Imperative Role-Based Access Control
Auditing
Auditing Windows Files and IIS URLs
.NET Log Classes
Securing Access to eBusiness
Summary
Chapter 9 Securing Java Web Services
Using Java with Web Services
Traditional Java Security Contrasted with Web Services Security
Authenticating Clients in Java
Data Protection
Controlling Access
How SAML Is Used with Java
Assessing an Application Server for Web Service Compatibility
JSR Compliance
Authentication
Authorization
Java Tools Available for Web Services
Sun FORTE and JWSDP
FORTE
Java Web Services Developer Pack
IBM WebSphere and Web Services Toolkit
Systinet WASP
The Java Web Services Examples
Example Using WASP
StoreFront Client
StoreFront Service
Creating the WASP Proxy
Securing the WASP Example
Example Using JWSDP
StoreFront Client
StoreFront Service
Securing the JWSDP Example
Summary
Chapter 10 Interoperability of Web Services Security Technologies
The Security Interoperability Problem
Between Security Tiers
Layered Security
Perimeter Security
Mid-Tier
Security between Distributed Models
Interoperability Between Java and .NET Platforms
Back-Office Tier
Interoperable Security Technologies
Authentication
Security Attributes
Authorization
Maintaining the Security Context
Handling Delegation in Web Services
Using a Security Framework
Client Use of EASI
Target Use of EASI
Securing the Example
Framework Authentication
Framework Attribute Handling
Framework Authorization
Example Using JWSDP
StoreFront Client
StoreFront Service
What Problems Should an EASI Framework Solve?
Web Services Support for EASI
Making Third-Party Security Products Work Together
Federation
Liberty Alliance
The Internet versus Intranets and Extranets
Summary
Chapter 11 Administrative Considerations for Web Services Security
Introducing Security Administration
The Security Administration Problem
What about Web Services?
Administering Access Control and Related Policies
Using Attributes Wisely
Taking Advantage of Role-Based Access Control
Overview of RBAC
RBAC0: Just Roles
RBAC1: Role Hierarchies
RBAC2: Constraints
RBAC3: RBAC1 + RBAC2
Engineering Roles
RBAC Gotchas
Concluding Remarks on RBAC
Delegation
When and How to Use Delegation
General Recommendations
Risks of Delegation
Audit Administration
Authentication Administration
How Rich Does Security Policy Need to Be?
Administering Data Protection
Making Web Services Development and Security Administration Play Well Together
Summary
Chapter 12 Planning and Building a Secure Web Services Architecture
Web Services Security: The Challenges
Security Must Be In Place
What’s So Tough About Security for Web Services?
What Is Security?
Building Trustworthy Systems
Security Evolution—Losing Control
Dealing with the “ilities”
EASI Principles for Web Services
Security Architecture Principles
Trust no one
Enable interoperability
Modularize security
Security Policy Principles
Determining Requirements
Functional Requirements
ePortal Security Requirements
Limit Visitor Access
Eliminate Administration of New Customers
Grant Members More Access
Secure Exchange with eBusiness
eBusiness Security Requirements
Secure Exchange with ePortal
Limit Visitor Access
Grant Members More Access
Protect the Accounts of Each Individual
Administrator Control of Critical Functions
Restrict Administrators’ Abilities
Nonfunctional Requirements
Manageability
Extensibility
Reliability
Availability
Scalability
Overview of ePortal and eBusiness Security Architectures
Applying EASI
ePortal EASI Framework
Application Components
Security APIs
Core Security Services
Framework Security Facilities
Addressing ePortal Requirements
Limit Visitor Access
Eliminate Administration of New Customers
Grant Members More Access
Secure Exchange with eBusiness
eBusiness EASI Framework
Application Components
Security APIs
Core Security Services
Framework Security Facilities
Addressing eBusiness Requirements
Secure Exchange with ePortal
Limit Visitor Access
Grant Members More Access
Protect the Accounts of Each Individual
Administrator Control of Critical Functions
Restrict Administrators’ Abilities
Deploying Security
Perimeter Security
Firewalls/VPNs
Intrusion Detection
Mid-Tier Security
Back-Office Security
Using a Security Policy Server
Self-Administration
Large-Scale Administration
Storing Security Policy Data
LDAP Directory Service
Relational or Object Databases
File Systems
Securing UDDI and WSDL
Security Gotchas at the System Architecture Level
Scaling
Performance
Summary
Glossary
References