Title:
Mastering Web services security
Publication Information:
Indianapolis, Ind. : Wiley Technology Pub., 2003
ISBN:
9780471267164
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010058292 | QA76.9.A25 M374 2003 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Uncovers the steps software architects and developers will need to take in order to plan and build a real-world, secure Web services system Authors are leading security experts involved in developing the standards for XML and Web services security Focuses on XML-based security and presents code examples based on popular EJB and .NET application servers Explains how to handle difficult-to-solve problems such as passing user credentials and controlling delegation of those credentials across multiple applications Companion Web site includes the source code from the book as well as additional examples and product information
Author Notes
BRET HARTMAN is Chief Technology Officer at Quadrasis, a business unit of Hitachi. He is a well-known expert on security of component systems.
DONALD J. FLINN is Chief security architect at Quadrasis and an active member of the SAML and WS-Security working groups at OASIS, which defines XML and Web services security.
KONSTANTIN BEZNOSOV, PhD, is a security architect at Quadrasis, specializing in the security design for distributed systems.
SHIRLEY KAWAMOTO is a principal security architect at Quadrasis, specializing in cryptography.
Table of Contents
| Acknowledgments | p. v |
| Foreword | p. vii |
| Introduction | p. xix |
| Chapter 1 Overview of Web Services Security | p. 1 |
| Web Services Overview | p. 2 |
| Characteristics of Web Services | p. 3 |
| Web Services Architecture | p. 3 |
| Security as an Enabler for Web Services Applications | p. 4 |
| Information Security Goals: Enable Use, Bar Intrusion | p. 5 |
| Web Services Solutions Create New Security Responsibilities | p. 5 |
| Risk Management Holds the Key | p. 6 |
| Information Security: A Proven Concern | p. 7 |
| Securing Web Services | p. 8 |
| Web Services Security Requirements | p. 9 |
| Providing Security for Web Services | p. 10 |
| Unifying Web Services Security | p. 12 |
| EASI Requirements | p. 13 |
| EASI Solutions | p. 14 |
| EASI Framework | p. 15 |
| EASI Benefits | p. 18 |
| Example of a Secure Web Services Architecture | p. 19 |
| Business Scenario | p. 19 |
| Scenario Security Requirements | p. 22 |
| Summary | p. 23 |
| Chapter 2 Web Services | p. 25 |
| Distributed Computing | p. 25 |
| Distributed Processing across the Web | p. 27 |
| Web Services Pros and Cons | p. 29 |
| Extensible Markup Language | p. 30 |
| Supporting Concepts | p. 32 |
| SOAP | p. 36 |
| SOAP Message Processing | p. 37 |
| Message Format | p. 39 |
| SOAP Features | p. 44 |
| HTTP Binding | p. 45 |
| SOAP Usage Scenarios | p. 45 |
| Universal Description Discovery and Integration | p. 46 |
| WSDL | p. 48 |
| Other Activities | p. 50 |
| Active Organizations | p. 51 |
| Other Standards | p. 51 |
| Summary | p. 52 |
| Chapter 3 Getting Started with Web Services Security | p. 53 |
| Security Fundamentals | p. 54 |
| Cryptography | p. 56 |
| Authentication | p. 58 |
| Authorization | p. 63 |
| Walk-Through of a Simple Example | p. 64 |
| Example Description | p. 65 |
| Security Features | p. 66 |
| Limitations | p. 67 |
| Summary | p. 70 |
| Chapter 4 XML Security and WS-Security | p. 73 |
| Public Key Algorithms | p. 73 |
| Encryption | p. 74 |
| Digital Signatures | p. 78 |
| Public Key Certificates | p. 80 |
| Certificate Format | p. 82 |
| Public Key Infrastructure | p. 83 |
| XML Security | p. 85 |
| XML Encryption | p. 85 |
| XML Signature | p. 88 |
| WS-Security | p. 95 |
| Functionality | p. 96 |
| Security Element | p. 97 |
| Structure | p. 97 |
| Example | p. 97 |
| Summary | p. 98 |
| Chapter 5 Security Assertion Markup Language | p. 99 |
| OASIS | p. 100 |
| What Is SAML? | p. 100 |
| How SAML Is Used | p. 101 |
| The Rationale for Understanding the SAML Specification | p. 104 |
| Why Open Standards Like SAML Are Needed | p. 105 |
| Security Problems Solved by SAML | p. 105 |
| A First Detailed Look at SAML | p. 107 |
| SAML Assertions | p. 109 |
| Common Portion of an Assertion | p. 109 |
| Statements | p. 112 |
| SAML Protocols | p. 116 |
| SAML Request/Response | p. 117 |
| SAML Request | p. 117 |
| SAML Response | p. 121 |
| Bindings | p. 122 |
| Profiles | p. 122 |
| Shibboleth | p. 127 |
| Privacy | p. 128 |
| Federation | p. 129 |
| Single Sign-on | p. 129 |
| The Trust Relationship | p. 130 |
| Related Standards | p. 130 |
| XACML | p. 130 |
| WS-Security | p. 130 |
| Summary | p. 131 |
| Chapter 6 Principles of Securing Web Services | p. 133 |
| Web Services Example | p. 133 |
| Authentication | p. 135 |
| Authentication Requirements | p. 135 |
| Options for Authentication in Web Services | p. 137 |
| System Characteristics | p. 141 |
| Authentication for ePortal and eBusiness | p. 143 |
| Data Protection | p. 145 |
| Data Protection Requirements | p. 145 |
| Options for Data Protection in Web Services | p. 146 |
| System Characteristics | p. 147 |
| eBusiness Data Protection | p. 150 |
| Authorization | p. 150 |
| Authorization Requirements | p. 150 |
| Options for Authorization in Web Services | p. 153 |
| System Characteristics | p. 154 |
| eBusiness Authorization | p. 155 |
| Summary | p. 156 |
| Chapter 7 Security of Infrastructures for Web Services | p. 157 |
| Distributed Security Fundamentals | p. 158 |
| Security and the Client/Server Paradigm | p. 158 |
| Security and the Object Paradigm | p. 160 |
| What All Middleware Security Is About | p. 161 |
| Roles and Responsibilities of CSS, TSS, and Secure Channel | p. 163 |
| How Middleware Systems Implement Security | p. 164 |
| Distributed Security Administration | p. 174 |
| Enforcing Fine-Grained Security | p. 175 |
| CORBA | p. 176 |
| How CORBA Works | p. 177 |
| Roles and Responsibilities of CSS, TSS, and Secure Channel | p. 179 |
| Implementation of Security Functions | p. 182 |
| Administration | p. 186 |
| Enforcing Fine-Grained Security | p. 187 |
| COM+ | p. 188 |
| How COM+ Works | p. 188 |
| Roles and Responsibilities of CSS, TSS, and Secure Channel | p. 192 |
| Implementation of Security Functions | p. 193 |
| Administration | p. 195 |
| Enforcing Fine-Grained Security | p. 196 |
| .NET Framework | p. 197 |
| How .NET Works | p. 199 |
| .NET Security | p. 203 |
| J2EE | p. 207 |
| How EJB Works | p. 208 |
| Roles and Responsibilities of CSS, TSS, and Secure Channel | p. 210 |
| Implementation of Security functions | p. 212 |
| Administration | p. 213 |
| Enforcing Fine-Grained Security | p. 216 |
| Summary | p. 217 |
| Chapter 8 Securing .NET Web Services | p. 219 |
| IIS Security Mechanisms | p. 219 |
| Authentication | p. 220 |
| Protecting Data in Transit | p. 221 |
| Access Control | p. 222 |
| Logging | p. 222 |
| Fault Isolation | p. 224 |
| Creating Web Services with Microsoft Technologies | p. 224 |
| Creating Web Services out of COM+ Components | p. 225 |
| Creating Web Services out of COM Components Using SOAP Toolkit | p. 226 |
| Creating Web Services with .NET Remoting | p. 228 |
| Creating Web Services Using ASP.NET | p. 229 |
| Implementing Access to eBusiness with ASP.NET Web Services | p. 233 |
| ASP.NET Web Services Security | p. 234 |
| Authentication | p. 235 |
| Data Protection | p. 243 |
| Access Control | p. 244 |
| Audit | p. 251 |
| Securing Access to eBusiness | p. 256 |
| Summary | p. 257 |
| Chapter 9 Securing Java Web Services | p. 259 |
| Using Java with Web Services | p. 260 |
| Traditional Java Security Contrasted with Web Services Security | p. 261 |
| Authenticating Clients in Java | p. 262 |
| Data Protection | p. 262 |
| Controlling Access | p. 263 |
| How SAML Is Used with Java | p. 263 |
| Assessing an Application Server for Web Service Compatibility | p. 265 |
| JSR Compliance | p. 265 |
| Authentication | p. 266 |
| Authorization | p. 267 |
| Java Tools Available for Web Services | p. 267 |
| Sun FORTE and JWSDP | p. 268 |
| IBM WebSphere and Web Services Toolkit | p. 269 |
| Systinet WASP | p. 270 |
| The Java Web Services Examples | p. 271 |
| Example Using WASP | p. 271 |
| Example Using JWSDP | p. 280 |
| Summary | p. 284 |
| Chapter 10 Interoperability of Web Services Security Technologies | p. 287 |
| The Security Interoperability Problem | p. 288 |
| Between Security Tiers | p. 289 |
| Layered Security | p. 290 |
| Perimeter Security | p. 291 |
| Mid-Tier | p. 294 |
| Back-Office Tier | p. 297 |
| Interoperable Security Technologies | p. 297 |
| Authentication | p. 297 |
| Security Attributes | p. 298 |
| Authorization | p. 300 |
| Maintaining the Security Context | p. 301 |
| Handling Delegation in Web Services | p. 302 |
| Using a Security Framework | p. 305 |
| Client Use of EASI | p. 305 |
| Target Use of EASI | p. 307 |
| Securing the Example | p. 307 |
| Framework Authentication | p. 308 |
| Framework Attribute Handling | p. 310 |
| Framework Authorization | p. 310 |
| Example Using JWSDP | p. 311 |
| What Problems Should an EASI Framework Solve? | p. 317 |
| Web Services Support for EASI | p. 318 |
| Making Third-Party Security Products Work Together | p. 318 |
| Federation | p. 319 |
| Liberty Alliance | p. 320 |
| The Internet versus Intranets and Extranets | p. 322 |
| Summary | p. 322 |
| Chapter 11 Administrative Considerations for Web Services Security | p. 325 |
| Introducing Security Administration | p. 325 |
| The Security Administration Problem | p. 326 |
| What about Web Services? | p. 327 |
| Administering Access Control and Related Policies | p. 327 |
| Using Attributes Wisely | p. 328 |
| Taking Advantage of Role-Based Access Control | p. 329 |
| Delegation | p. 341 |
| Audit Administration | p. 343 |
| Authentication Administration | p. 343 |
| How Rich Does Security Policy Need to Be? | p. 344 |
| Administering Data Protection | p. 345 |
| Making Web Services Development and Security Administration Play Well Together | p. 346 |
| Summary | p. 347 |
| Chapter 12 Planning and Building a Secure Web Services Architecture | p. 349 |
| Web Services Security: The Challenges | p. 350 |
| Security Must Be In Place | p. 350 |
| What's So Tough About Security for Web Services? | p. 351 |
| What Is Security? | p. 351 |
| Building Trustworthy Systems | p. 352 |
| Security Evolution--Losing Control | p. 354 |
| Dealing with the "ilities" | p. 355 |
| EASI Principles for Web Services | p. 355 |
| Security Architecture Principles | p. 356 |
| Security Policy Principles | p. 357 |
| Determining Requirements | p. 358 |
| Functional Requirements | p. 360 |
| ePortal Security Requirements | p. 360 |
| eBusiness Security Requirements | p. 362 |
| Nonfunctional Requirements | p. 364 |
| Overview of ePortal and eBusiness Security Architectures | p. 366 |
| Applying EASI | p. 369 |
| ePortal EASI Framework | p. 370 |
| Addressing ePortal Requirements | p. 372 |
| eBusiness EASI Framework | p. 375 |
| Addressing eBusiness Requirements | p. 378 |
| Deploying Security | p. 381 |
| Perimeter Security | p. 382 |
| Mid-Tier Security | p. 384 |
| Back-Office Security | p. 385 |
| Using a Security Policy Server | p. 386 |
| Self-Administration | p. 386 |
| Large-Scale Administration | p. 387 |
| Storing Security Policy Data | p. 388 |
| Securing UDDI and WSDL | p. 391 |
| Security Gotchas at the System Architecture Level | p. 391 |
| Scaling | p. 392 |
| Performance | p. 392 |
| Summary | p. 393 |
| Glossary | p. 395 |
| References | p. 415 |
| Index | p. 423 |
