Securing Web Services with WS-Security

About the Authors Jonathan "Jothy" Rosenberg, Ph.D., Founder, CTO, and CEO, Service Integrity Dr. Jothy Rosenberg is a serial entrepreneur. He is a founder, Director, CTO, and CEO of Service Integrity, a company providing XML Web services monitoring and analysis products for end-to-end real-time enterprise visibility including security and compliance visibility or "early warning." Prior to Service Integrity, Jothy co-founded GeoTrust, the world's second largest certificate authority and a major innovator in enterprise-managed security solutions. As the company's COO and CTO, Jothy led the company's product development initiatives, developing patents on a series of ground-breaking security products and deploying a secure Web service integrating GeoTrust's reseller partners into the SSL provisioning process. Previous to GeoTrust, Jothy served as CEO and CTO of Factpoint, Inc., a pioneer in the area of content certification and content management. With his Service Integrity co-founders, he also co-founded Webspective, which was later sold to Inktomi. Before these multiple ventures, Jothy held various executive positions at Borland International where he was General Manager of the Enterprise Tools Division and overall Development VP for Languages, including Delphi, C++, and JBuilder products. Jothy holds a B.A. in Mathematics from Kalamazoo College and a Ph.D. in Computer Science on VLSI Design algorithms from Duke University. He is also the author of How Debuggers Work. Jothy holds patents on debugger watchpoint mechanisms, content certification and site identity assurance, as well as a pending security compliance monitoring patent. David L. Remy, CISSP, Director of Product Engineering for Security, Web Services and XML on WebLogic Workshop, BEA David Remy works at BEA Systems, Inc., where he is a Director of Product Engineering responsible for security, Web services, and XML for BEA's WebLogic Workshop product line. Prior to working with BEA, David was founder and Chief Architect for GeoTrust, Inc., a security company and now the second largest certificate authority in the world. David has worked in the software industry for more than 16 years, holding such positions as Chief Technology Officer at Netstock, Director of Technology at Corbis, Director of Architecture at PEMCO Financial, Advisory Systems Engineer at IBM, and several other contracting and software development roles.

Forewords.


Introduction.


Who This Book Is For. About This Book. How This Book Is Organized.



1. Basic Concepts of Web Services Security.


Web Services Basics: XML, SOAP, and WSDL. Application Integration. Security Basics. Web Services Security Basics. Summary.



2. The Foundations of Web Services.


The Gestalt of Web Services. XML: Meta-Language for Data-Oriented Interchange. SOAP: XML Messaging and Remote Application Access. WSDL: Schema for XML/SOAP Objects and Interfaces. UDDI: Publishing and Discovering Web Services. ebXML and RosettaNet: Alternative Technologies for Web Services. The Web Services Security Specifications. Summary.



3. The Foundations of Distributed Message-Level Security.


The Challenges of Information Security for Web Services. Shared Key Technologies. Public Key Technologies. Summary.



4. Safeguarding the Identity and Integrity of XML Messages.


Introduction To and Motivation for XML Signature. XML Signature Fundamentals. XML Signature Structure. XML Signature Processing. The XML Signature Elements. Security Strategies for XML Signature. Summary.



5. Ensuring Confidentiality of XML Messages.


Introduction to and Motivation for XML Encryption. XML Encryption Fundamentals. XML Encryption Structure. XML Encryption Processing. Using XML Encryption and XML Signature Together. Summary.



6. Portable Identity, Authentication, and Authorization.


Introduction to and Motivation for SAML. How SAML Works. Using SAML with WS-Security. Applying SAML: Project Liberty. Summary.



7. Building Security into SOAP.


Introduction to and Motivation for WS-Security. Extending SOAP with Security. Security Tokens in WS-Security. Providing Confidentiality: XML Encryption in WS-Security. Providing Integrity: XML Signature in WS-Security. Message Time Stamps. Summary.



8. Communicating Security Policy.


WS-Policy. The WS-Policy Framework. WS-SecurityPolicy. Summary.



9. Trust, Access Control, and Rights for Web Services.


The WS-* Family of Security Specifications. XML Key Management Specification (XKMS). eXtensible Access Control Markup Language (XACML) Specification. eXtensible Rights Markup Language (XrML) Management Specification. Summary.



10. Building a Secure Web Service Using BEA's WebLogic Workshop.


Security Layer Walkthrough. WebLogic Workshop Web Service Walkthrough. Summary.



Appendix A. Security, Cryptography, and Protocol Background Material.


The SSL Protocol. Testing for Primality. RSA Cryptography. DSA Digital Signature Algorithms. Block Cipher Processing. DES Encryption Algorithm. AES Encryption Algorithm. Hashing Details and Requirements. SHA1. Silvio Micali's Fast Validation/Revocation. Canonicalization of Messages for Digital Signature Manifests. Base-64 Encoding. PGP.



Glossary.


Index.