Web Service Standards, Security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Web Service Standards, Security

  1. 1. Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com
  2. 2. Agenda <ul><li>Web Services Standards </li></ul><ul><ul><li>OASIS </li></ul></ul><ul><ul><li>WS-I </li></ul></ul><ul><li>Web Service Security </li></ul><ul><li>Web Service Management </li></ul><ul><li>Future Enterprise SOA trends </li></ul><ul><ul><li>Web 2.0, Ajax, SaaS </li></ul></ul>
  3. 3. Where are we heading?
  4. 4. Web Services Standards <ul><li>SOA Demo 1 – Real World SOA </li></ul><ul><li>Many Vendors </li></ul><ul><ul><li>IBM </li></ul></ul><ul><ul><li>SUN </li></ul></ul><ul><ul><li>Microsoft </li></ul></ul><ul><ul><li>BEA etc.. </li></ul></ul><ul><li>How do they communicate with each other? </li></ul><ul><li>Standards!! </li></ul>
  5. 5. Web Services Standards <ul><li>Tale of “many vendors” </li></ul><ul><ul><li>Do “it our way” – or else we can not assist you! </li></ul></ul><ul><li>IBM, Sun & Microsoft was instrumental in creating the first drafts. </li></ul><ul><li>Who owns the standards? </li></ul><ul><li>OASIS - Organization for the Advancement of Structured Information Standards . </li></ul>
  6. 6. OASIS <ul><li>OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML). </li></ul><ul><li>OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards. </li></ul>
  7. 7. Implementing OASIS standards <ul><li>What does the OASIS standards try to address? </li></ul><ul><ul><li>Interoperability </li></ul></ul><ul><ul><li>Common methodology </li></ul></ul><ul><ul><li>Increase efficiency </li></ul></ul><ul><li>Is there a specialized body that’s taken the responsibility of implementing these OASIS standards? </li></ul>
  8. 8. WS-I <ul><li>WS-I Interoperability </li></ul><ul><li>The Web Services-Interoperability Organization (WS-I) is an open, industry organization-chartered to promote Web services interoperability across platforms, operating systems, and programming languages. </li></ul><ul><li>WS- Basic Profile </li></ul><ul><ul><li>http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-04-16.html </li></ul></ul>
  9. 9. WS-I Basic Profile <ul><li>The WS-I Basic Profile defines an interoperable subset of the core Web services specifications, including XML Schema, </li></ul><ul><ul><li>SOAP 1.1 </li></ul></ul><ul><ul><li>WSDL 1.1 </li></ul></ul><ul><ul><li>UDDI 2.0, </li></ul></ul><ul><li>by specifying refinements, interpretations, and clarifications of these specifications. </li></ul>
  10. 10. Basic Profile Specifications <ul><li>Simple Object Access Protocol (SOAP) 1.1 . </li></ul><ul><li>Extensible Markup Language (XML) 1.0 (Second Edition) . </li></ul><ul><li>RFC2616: Hypertext Transfer Protocol -- HTTP/1.1 . </li></ul><ul><li>RFC2965: HTTP State Management Mechanism . </li></ul><ul><li>Web Services Description Language (WSDL) 1.1 . </li></ul><ul><li>XML Schema Part 1: Structures . </li></ul><ul><li>XML Schema Part 2: Datatypes . </li></ul><ul><li>The UDDI Version 2.04 API Published Specification, Dated 19 July 2002 . </li></ul><ul><li>UDDI Version 2.03 Data Structure Reference, Published Specification, Dated 19 July 2002 . </li></ul><ul><li>Version 2.0 UDDI XML Schema 2001 . </li></ul><ul><li>UDDI Version 2.03 Replication Specification, Published Specification, Dated 19 July 2002 . </li></ul><ul><li>Version 2.03 Replication XML Schema 2001 . </li></ul><ul><li>UDDI Version 2.03 XML Custody Schema . </li></ul><ul><li>UDDI Version 2.01Operator's Specification, Published Specification, Dated 19 July 2002 </li></ul>
  11. 11. Web Service Specifications <ul><li>Web services specifications compose together to provide interoperable protocols for Security, Reliable Messaging, and Transactions in loosely coupled systems. The specifications build on top of the core XML and SOAP standards . </li></ul>
  12. 12. Messaging Specifications <ul><li>SOAP WS-Addressing MTOM (Attachments) WS-Eventing WS-Transfer SOAP-over-UDP SOAP 1.1 Binding for MTOM 1.0 </li></ul>
  13. 13. Agenda <ul><li>Web Services Standards </li></ul><ul><ul><li>OASIS </li></ul></ul><ul><ul><li>WS-I </li></ul></ul><ul><li>Web Service Security </li></ul><ul><li>Web Service Management </li></ul><ul><li>Future Enterprise SOA trends </li></ul><ul><ul><li>Web 2.0, Ajax, SaaS </li></ul></ul>
  14. 14. Security Specifications <ul><li>WS-Security: SOAP Message Security WS-Security: UsernameToken Profile WS-Security: X.509 Certificate Token Profile WS-SecureConversation WS-SecurityPolicy WS-Trust WS-Federation WS-Security: Kerberos Binding Web Single Sign-On Interoperability Profile </li></ul>
  15. 15. Web Services Security <ul><li>OASIS Standard 1.1 </li></ul><ul><li>The following documents make up the WS-Security 1.1 OASIS standard.. </li></ul><ul><ul><li>WS-Security Core Specification 1.1 </li></ul></ul><ul><ul><li>Username Token Profile 1.1 </li></ul></ul><ul><ul><li>X.509 Token Profile 1.1 </li></ul></ul><ul><ul><li>SAML Token profile 1.1 </li></ul></ul><ul><ul><li>Kerberos Token Profile 1.1 </li></ul></ul><ul><ul><li>Rights Expression Language (REL) Token Profile 1.1 </li></ul></ul><ul><ul><li>SOAP with Attachments (SWA) Profile 1.1 </li></ul></ul>
  16. 16. What do they solve? <ul><li>Authentication </li></ul><ul><li>Authorization </li></ul><ul><li>Non – repudiation </li></ul><ul><ul><li>Digital Signatures & Sign messages </li></ul></ul><ul><li>Data Integrity </li></ul><ul><ul><li>Hashing </li></ul></ul><ul><li>How do they implement it? </li></ul><ul><ul><li>Using Token </li></ul></ul><ul><ul><ul><li>Multiple Implementations : SAML, Kerberos, Certificates Custom tokens </li></ul></ul></ul><ul><ul><ul><li>Certificates are issued by ‘trusted’ vendors – RSA, Verisign </li></ul></ul></ul><ul><ul><ul><li>Kerberos token are used by Windows Operating System manage user credentials </li></ul></ul></ul>
  17. 17. Vendor Implementation of WS Security <ul><li>Microsoft </li></ul><ul><ul><li>Web Services Enhancements </li></ul></ul><ul><ul><li>Windows Communication Framework </li></ul></ul><ul><li>IBM – Soap Extensions to Web Sphere </li></ul><ul><li>BEA </li></ul><ul><li>Sun Java </li></ul><ul><li>Every major vendor has implemented WS Security to their programming stack </li></ul><ul><li>Demo 2 – Microsoft WS Security Implementation using WSE </li></ul><ul><li>However, what is the standard way to exchange these WS Security information programmatically? Is there a preferable markup language that we can use? </li></ul>
  18. 18. What is SAML? <ul><li>Security Assertions Markup Language ( SAML ) is an XML-based framework for Web services that enables the exchange of authentication and authorization </li></ul><ul><ul><li>• Assertions: </li></ul></ul><ul><ul><ul><li>Declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. </li></ul></ul></ul><ul><ul><ul><li>The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item). </li></ul></ul></ul><ul><ul><li>Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. </li></ul></ul><ul><ul><li>Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP. </li></ul></ul><ul><ul><li>Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems. </li></ul></ul><ul><li>Implemented as tokens </li></ul>
  19. 19. WS Federation <ul><li>Federated Security Model </li></ul>
  20. 20. Advantages of Federated Security Model <ul><li>The flexibility of proving one set of credentials to a user (i.e. Certificate by the client) and converting it to another set of credentials (i.e. SAML token) can be utilized in many scenarios to add value to the customers. </li></ul><ul><li>We also have the flexibility of altering our internal (i.e. The client can provide username password pair to replace the certificate) but our external implementation of the claims will not be changed. (i.e. The broker will still create the same SAML token with the username password pair). </li></ul>
  21. 21. More Specifications <ul><li>Reliable Messaging Specifications WS-ReliableMessaging </li></ul><ul><li>Transaction Specifications WS-Coordination WS-AtomicTransaction WS-BusinessActivity </li></ul>
  22. 22. Agenda <ul><li>Web Services Standards </li></ul><ul><ul><li>OASIS </li></ul></ul><ul><ul><li>WS-I </li></ul></ul><ul><li>Web Service Security </li></ul><ul><li>Web Service Management </li></ul><ul><li>Future Enterprise SOA trends </li></ul><ul><ul><li>Web 2.0, Ajax, SaaS </li></ul></ul>
  23. 23. Web Services Management <ul><li>“ Web services enables heterogeneous software environment to share data to facilitate business needs. They support open standards (XML, SOAP, WSDL, UDDI) that will enable a &quot;common communication platform&quot; between distributed business partners. </li></ul><ul><li>Web services can be built on many software platforms. (Microsoft, Java, IBM). All implementations focus on the &quot;creation&quot; and the &quot;consumption&quot; of web services. </li></ul><ul><li>However, the concept of &quot;managing the web service&quot; is not explored in detail. </li></ul>
  24. 24. Web Service Management <ul><li>Is there a framework to provide guidance to manage web services architecture? </li></ul><ul><ul><li>Demo 3 </li></ul></ul><ul><li>Is there a unified set of principals that can be used with heterogeneous technologies to manage web services on multiple software platforms? </li></ul><ul><li>Will WS-Management answer these questions? Can an agent framework be utilized to mange web services features – for example ‘security’?” </li></ul>
  25. 25. Web Service Management Specifications <ul><li>Management Specifications WS-Management WS-Management Catalog </li></ul><ul><li>Business Process Specifications BPEL4WS (Business Process Execution Language for Web Services Specification) </li></ul><ul><li>Demo 4 – Managing SOA apps </li></ul>
  26. 26. Agenda <ul><li>Web Services Standards </li></ul><ul><ul><li>OASIS </li></ul></ul><ul><ul><li>WS-I </li></ul></ul><ul><li>Web Service Security </li></ul><ul><li>Web Service Management </li></ul><ul><li>Future Enterprise SOA trends </li></ul><ul><ul><li>Web 2.0, Ajax, SaaS </li></ul></ul>
  27. 27. Future SOA Trends <ul><li>Rich UI Platforms / Smart Clients </li></ul><ul><ul><li>Ajax / Atlas </li></ul></ul><ul><li>Web 2.0 </li></ul><ul><ul><li>Demo 5 </li></ul></ul><ul><li>Saas (Software as a Service) </li></ul><ul><ul><li>Not a product – but a service! </li></ul></ul><ul><ul><ul><li>Why – more allocation of cost / more control over cost centers </li></ul></ul></ul><ul><li>Infrastructure as a Service </li></ul><ul><ul><li>Demo 6 </li></ul></ul>
  28. 28. Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.