2009 02 26 Metro Glass Fish Webinar

    2009 02 26 Metro Glass Fish Webinar - Presentation Transcript

    1. Metro Web Services stack (and .NET 3.x interop)
       Harold Carr, Lead architect, Project Metro, Sun Microsystems, Inc.
       http://weblogs.java.net/blog/haroldcarr/
       harold.carr@sun.com
    2. Agenda
       • What is Metro?
       • Metro features
       • Security scenarios
       • Community, adoption, more info
       Metro: The Web services stack in GlassFish
    3. What is Metro?
       • Web Services stack from GlassFish community
       • Extensible / pluggable architecture
         > Encoding, Protocol and Transport Independence
       • Security, Reliability, Transactions
       • High-performance; Production-quality
       • Programming models
         > POJO + annotations = Descriptor-free programming
         > WSDL
         > Data binding via JAXB (100% XML Schema Support)
    4. Metro Interoperability via Standards
       • Basic Web Services
         > JAX-WS 2.1 & JAXB 2.1
         > W3C SOAP 1.1/1.2, WSDL 1.1, WS-Addressing, MTOM
         > WS-I Basic Profile 1.x, SSBP 1.0, AP 1.0, BSP 1.0
       • Enterprise Web Services
         > OASIS: WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-ReliableMessaging, WS-AtomicTransactions, WS-Coordination
         > W3C: WS-Addressing, WS-Policy, WS-Transfer
         > WS-MetadataExchange
       • Same specs implemented by MS .NET 3.x
    5. Metro Interoperability (diagram: a Metro client and endpoint interoperating with a .NET 3.x client and endpoint)
    6. The Metro Stack (diagram of layers, top to bottom)
       • JAX-WS Tooling, NetBeans & Studio Software Support
       • Security (XWSS, Trust, Secure Conv.), Reliability (Reliable Messaging), Transactions (Atomic Transactions, Coordination), Metadata (WSDL, MEX, Policy)
       • SOAP Based Messaging (WSA, MTOM)
       • JAXB Based XML Data Binding (XSD, XPATH)
       • Transports: HTTP, TCP, SMTP
    7. Metro Processing Pipeline (diagram)
       • Client: invoke → Stub → TX → Reliability → WS-A → Security → HTTP (Message serialized to bytes on the wire); return follows the reverse path
       • Server: HTTP → pipeline stages W, X, Y, Z → Invoker; return Message travels back through the same stages
    8. Metro Performance (chart only)
    9. Agenda
       • What is Metro?
       • Metro features
       • Security scenarios
       • Community, adoption, more info
    10. Metro Features – Reliable Messaging
        Protocol-based Reliability
        • Before RM
          > Reliable protocols based on TCP/IP
          > Point-to-point
        • RM brings reliability to SOAP (protocol) layer
        • Recovery from lost or mis-ordered messages
        • Transparent to application
        • Enable use of multiple transports
          > Works on non TCP/IP transports
    11. Reliable Messaging Operation (sequence diagram: Client Application → RM Source → RM Dest → Service Application)
        • CreateSequence → SeqId
        • Client data + SeqId + Msg Id → Client data; Srv data + SeqAck → Srv data (repeated for each message)
        • close: LastMsg + SeqId + Msg Id → SeqAck
        • Terminate + SeqId → HTTP 202
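    An added example (not from the slides or the Metro code base) modelling the slide 11 exchange in Python: the RM Source numbers each message in a sequence and retransmits until the RM Destination's SequenceAcknowledgement covers it, while the RM Destination discards duplicates and hands data to the service application only in Msg Id order, so a lossy, reordering transport still yields exactly-once, in-order delivery. The SeqId and the drop rate are constructed values.

```python
import random

class RMDestination:
    """RM Destination: acks what it has received, drops duplicates, delivers in order."""
    def __init__(self):
        self.seq_id = "urn:uuid:seq-1"   # constructed SeqId, returned by CreateSequence
        self.received = {}               # Msg Id -> client data, possibly out of order
        self.delivered = []              # what the service application actually sees
        self.terminated = False

    def create_sequence(self):
        return self.seq_id

    def receive(self, seq_id, msg_id, data):
        if seq_id != self.seq_id or self.terminated:
            raise ValueError("unknown or terminated sequence")
        self.received.setdefault(msg_id, data)           # a retransmit changes nothing
        while len(self.delivered) + 1 in self.received:  # hand off only in Msg Id order
            self.delivered.append(self.received[len(self.delivered) + 1])
        return set(self.received)                        # SequenceAcknowledgement

    def terminate(self, seq_id):
        self.terminated = seq_id == self.seq_id
        return 202 if self.terminated else 400           # HTTP 202 as on slide 11

class RMSource:
    """RM Source: numbers messages, retransmits until acked, then terminates."""
    def __init__(self, dest, drop_rate, rng):
        self.dest, self.drop_rate, self.rng = dest, drop_rate, rng
        self.seq_id = dest.create_sequence()

    def send_all(self, msgs):
        unacked = dict(enumerate(msgs, start=1))         # Msg Id 1..n
        while unacked:
            pending = list(unacked)
            self.rng.shuffle(pending)                    # transport may reorder messages
            for msg_id in pending:
                if msg_id not in unacked or self.rng.random() < self.drop_rate:
                    continue                             # lost in transit: retried next pass
                for acked in self.dest.receive(self.seq_id, msg_id, unacked[msg_id]):
                    unacked.pop(acked, None)
        return self.dest.terminate(self.seq_id)

def reliable_transfer(msgs, drop_rate=0.4, seed=7):
    """Returns (data delivered to the service, in order; HTTP status of Terminate)."""
    dest = RMDestination()
    status = RMSource(dest, drop_rate, random.Random(seed)).send_all(msgs)
    return dest.delivered, status
```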
    12. Metro Features – Atomic Transactions
        Transactional Web services
        • Same as EJB RMI-IIOP Transactions
        • All operations in TX boundary succeed or rollback
        • Now available with web services
    13. Metro Features – Security
        End-to-End Security
        • Before WS-Security: SSL/HTTPS
          > Security at transport layer
          > All or nothing granularity
          > Point-to-point
        • WS-Security (XWSS)
          > Security at SOAP (protocol) layer
          > Fine granularity possible (e.g., XML subtree): only sign/encrypt credit card #
          > Works on non-TCP/IP transports
          > Integrity, Confidentiality, Auth
          > W3C XML Signature/Encryption
    14. Trust (getting security tokens) (diagram: client and server, each .NET 3.x or Java; STS, e.g., Access Manager)
        1. wsimport (MEX or ?wsdl)
        2. WSDL + Policy with STS address
        3. Request token (client → STS)
        4. Token (STS → client)
        5. client msg signed/encrypted with token
        6. server response signed/encrypted with token
    15. Secure Conversation (optimization)
        WITHOUT Secure Conversation: Get key from STS for each msg (diagram: client and server, each .NET 3.x or Java; STS, e.g., Access Manager)
        1. get WSDL
        2. token A for msg 1
        3. msg 1 signed/encrypted with token A
        4. token B for msg 2
        5. msg 2 signed/encrypted with token B
    16. Secure Conversation (optimization)
        WITH Secure Conversation: Derive keys from initial STS key (diagram: client and server, each .NET 3.x or Java; STS, e.g., Access Manager)
        1. get WSDL
        2. token A for msg 1
        3. msg 1 signed/encrypted with token A
        4. msg 2 signed/encrypted with derived key
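    An added example (not from the slides or from Metro) of the derivation behind slides 15 and 16: the WS-SecureConversation DerivedKeyToken expands the STS-issued key with P_SHA1 over label + nonce, so both sides compute the key for msg 2 from token A and a nonce carried in the message header, with no second STS round trip. The token key, nonce and message bytes are constructed, and an HMAC over raw bytes stands in for XML Signature.

```python
import hashlib, hmac, os

# Default label from WS-SecureConversation 1.3, section 7 ("Deriving Keys")
LABEL = b"WS-SecureConversationWS-SecureConversation"

def p_sha1(secret, seed, length):
    """TLS P_SHA1 expansion, the function WS-SecureConversation names for key derivation."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def derive_key(token_key, nonce, offset=0, length=32, label=LABEL):
    """DerivedKeyToken: key = P_SHA1(token_key, label + nonce)[offset:offset + length]."""
    return p_sha1(token_key, label + nonce, offset + length)[offset:offset + length]

def sign(key, msg):
    # Simplification: an HMAC tag over the message bytes in place of an XML Signature
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, tag):
    return hmac.compare_digest(sign(key, msg), tag)

def conversation(token_key, msgs, nonce=None):
    """Client signs msg 1 under token A and later msgs under derived keys (slide 16);
    the server verifies every message from token A and the header parameters alone."""
    nonce = nonce or os.urandom(16)
    sent = []
    for i, msg in enumerate(msgs):
        if i == 0:
            key, header = token_key, {"token": "A"}                 # step 3: token A itself
        else:
            # the DerivedKeyToken header carries nonce/offset/length, never the key
            header = {"token": "A", "nonce": nonce, "offset": 32 * i, "length": 32}
            key = derive_key(token_key, nonce, header["offset"], header["length"])
        sent.append((header, msg, sign(key, msg)))
    # Server side: token A was obtained once; each derived key is recomputed locally
    results = []
    for header, msg, tag in sent:
        if "nonce" in header:
            key = derive_key(token_key, header["nonce"], header["offset"], header["length"])
        else:
            key = token_key
        results.append(verify(key, msg, tag))
    return results
```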
    17. Agenda
        • What is Metro?
        • Metro features
        • Security scenarios
        • Community, adoption, more info
    18. Security Scenarios
        • Token creation and validation
        • Token expiration
        • Identity and attribute extraction for Database search
        • Identity propagation
          > thru multiple web apps & services
        • Brokered trust
    19. Token Creation and Validation (diagram: Client (.NET SOAP), GetDataWS (GF/Metro SOAP), STS = AM (Metro SOAP))
        1. HTTPS/MEX to get GetDataWS WSDL
        1a. GetDataWS has WSDL that indicates SAML token required from STS
        2. getData called.
        2a. HTTPS/MEX to get STS WSDL.
        2b. HTTP/SAML security to do STS operation to get Token.
        2c. Pass token w/Attribute inserted directly in token to GetDataWS
        3. GetDataWS returns result when valid token received.
    20. Protocols used in Token Creation scenario
        • WS-Transfer/WS-MetadataExchange
          > Used to obtain service and STS WSDLs
        • WS-Trust
          > Used by client to obtain security token from STS
        • WS-Security
          > Used to sign/encrypt messages between client and service
        • STS = Secure Token Service
          > Sun Access Manager (AM) in this example
          > Uses SAML tokens
          > More on STS and SAML in subsequent slides
    21. Token Expiration (diagram: Client (.NET SOAP), GetDataWS (GF/Metro SOAP), STS = AM (Metro SOAP))
        Same setup / interaction as previous slide.
        1. Change token expiration on STS to 5 seconds.
        2. After getting token from STS have client sleep 10 seconds then call getData. Should receive “invalid token” fault.
        3. Change token expiration on STS to 15 seconds.
        4. After getting token from STS have client sleep 10 seconds then call getData. Should now receive valid result.
    22. STS used in SAML Token Creation scenario
        • STS == Secure Token Service
          > STS in this example is Sun’s Access Manager (AM)
        • SAML == Security Assertion Markup Language
        • SAML tokens generated by STS specify details ('claims') about client to server
          > Tokens have predefined elements & attributes
          > Token can include user-defined claims
        • Token includes 'expires' element
          > STS (in this example) sets ‘expires’ to 15 seconds
    23. Identity and attribute extraction for Database Search (diagram: Client (Metro SOAP), GetDataWS (IIS .NET SOAP), STS = Active Directory (.NET SOAP))
        1. HTTPS/MEX to get GetDataWS WSDL.
        1a. GetDataWS has WSDL that indicates SAML token required from STS
        2. User A (permission to SOME data) logs in and calls getData.
        2a. HTTPS/MEX and HTTP/SAML STS interaction.
        2b. Pass token w/Attribute inserted directly in token to GetDataWS
        3. Use token to determine user role. Result should be a subset of data (e.g., 5 rows).
        User B (permission to ALL data) logs in and does SAME query. Result should be all data (e.g., 10 rows).
    24. STS used in DB search scenario
        • STS in this example is backed by Active Directory (AD)
        • User supplies credentials to authenticate to Active Directory (username/password, X.509, etc)
        • STS issues SAML token with claims regarding user
          > Identity
          > STS inserts additional claim regarding the user's ROLE (as defined in AD)
        • GetDataWS verifies SAML token issued by trusted STS
        • Role extracted from SAML token
          > Used in DB access
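    An added example (not from the slides or from Metro/GetDataWS) covering slides 21 to 24 in Python: a stand-in STS issues a SAML 2.0 assertion with an expiry and a ROLE claim, and the service side rejects untrusted issuers and expired tokens with the “invalid token” fault, then uses the role to return 5 or 10 rows. The issuer name, the role attribute name, the RecordsDB rows and the clock are constructed; XML-Signature verification is assumed to be done by the WS-Security layer before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_STS = {"urn:example:sts:ad"}                 # constructed name for the AD-backed STS
ROLE_ATTR = "http://example.test/claims/role"        # constructed name for the ROLE claim
FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2009, 2, 26, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
# Ten constructed RecordsDB rows: a "viewer" may see the first five, an "admin" all ten
RECORDS = [{"id": i, "restricted": i > 5} for i in range(1, 11)]

def issue_assertion(user, role, issued_at, lifetime_s, issuer="urn:example:sts:ad"):
    """Stand-in for the STS: SAML 2.0 assertion with identity, role claim and expiry."""
    not_after = issued_at + timedelta(seconds=lifetime_s)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{issued_at.strftime(FMT)}" NotOnOrAfter="{not_after.strftime(FMT)}"/>
  <saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}">
    <saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def validate(token_xml, now):
    """GetDataWS checks: trusted issuer, validity window, then identity and role claims."""
    root = ET.fromstring(token_xml)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_STS:
        raise PermissionError("untrusted STS")
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise PermissionError("invalid token")        # the fault the client sees on slide 21
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    role = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            role = attr.findtext("saml:AttributeValue", namespaces=NS)
    return user, role

def get_data(token_xml, now):
    """getData: the role carried in the token decides which rows come back."""
    try:
        user, role = validate(token_xml, now)
    except PermissionError as fault:
        return {"fault": str(fault)}
    rows = RECORDS if role == "admin" else [r for r in RECORDS if not r["restricted"]]
    return {"user": user, "rows": rows}

def expiry_scenario(lifetime_s, delay_s=10):
    """Slide 21: token issued with lifetime_s, client sleeps delay_s, then calls getData."""
    token = issue_assertion("userA", "viewer", T0, lifetime_s)
    return get_data(token, T0 + timedelta(seconds=delay_s))
```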
    25. Identity Propagation thru multiple web apps & services (diagram: Client (browser using CardSpace), GetData Web App (GF/Metro SOAP), GetDataWS (IIS .NET SOAP) with RecordsDB, AuditWS (GF/Metro SOAP, +RM) with AuditDB, STS A = AM (Metro SOAP))
        1. Browser-based client authenticates via CardSpace + AM
        2. Client does call on GetData Web Application.
        3. GetData WA calls GetDataWS.getData.
        3a. GetDataWS will get data from RecordsDB.
        3a. GetDataWS will also call AuditWS.audit. Will use WS-RM.
        Validate: record must be retrieved correctly and AuditDB verified. Audit record should show User A, time, Application, GetDataWS and RecordsDB.
        NOTE: GetDataWS and AuditWS also secured using initial client token.
    26. WS-ReliableMessaging
        • Used between GetDataWS and AuditWS
        • To ensure audit trail
        • Ensures all messages sent are received
    27. Brokered Trust (diagram: as slide 25, plus STS B = Active Directory (.NET SOAP))
        Same as previous scenario except: GetDataWS has trust relationship with STS A, AuditWS has trust relationship with STS B. STS A and B trust each other.
    28. Brokered Trust
        • User supplies credentials to authenticate to STS A (AM)
        • Identity is propagated through multiple web apps/services
        • AuditWS does not know/trust STS A (AM)
        • AuditWS trusts STS B (AD)
        • STS B has a trust relationship with STS A (via WS-Trust)
        • STS B can use STS A to validate identity
    29. Before Project Metro: Only WS-I BP 1.1 Interop (diagram: Java EE Platform side with Sun Managed Trust Authority, Project GlassFish™ Wholesale Quote Service and Java Client; .NET side with Microsoft Managed Trust Authority, .Net Retail Service and WCF Client; the two sides linked only by BP 1.1)
    30. With Project Metro (diagram: as slide 29, with WS-Trust between the two Managed Trust Authorities, a Project GlassFish STS, and QoS/Security interop between the Wholesale Quote Service and the .Net Retail Service)
    31. Security Summary
        • Web Service Interoperability
          > Java web services using Metro and GlassFish
          > .NET 3.5 web services using Windows Communication Foundation
        • Identity
          > Sun Access Manager
          > (Microsoft Active Directory)
          > WS-Trust
          > SAML
          > InfoCard
        • Security
          > SAML, WS-Security, WS-SecureConversation, WS-SecurityPolicy
    32. Agenda
        • What is Metro?
        • Metro features
        • Security scenarios
        • Community, adoption, more info
    33. Community
        • Visible development at java.net
          > metro, jax-ws, wsit, jax-ws-commons
          > Continuous testing using Hudson
        • Fully Open-source
          > CDDL and GPL v2 license
          > Source code, Emails, Forums
        • Light-weight committer process
          > to encourage external contributions
        • Features driven by users and community
          > Spring, SMTP, JSON, Stateful Web service, etc.
    34. Metro Runtime & Tools
        • Containers (runtime)
          > Integrated in GlassFish V2 and V3
          > Light-weight HTTP server (Java SE 6)
          > JBoss WS 2.1.0, BEA WLS 10, IBM JDK Version 6, TmaxSoft JEUS, Tomcat, Jetty
          > Any Servlet-2.4 container
        • Development Tools
          > Command-line: wsimport, wsgen
          > NetBeans IDE
          > Maven plugins
          > Eclipse (SOAP UI plugin)
    35. Adoption
        • BEA/Oracle Web Logic Server 10
        • JBoss WS 2.1.0
        • IBM JDK Version 6
        • Salesforce.com for APEX 8.0 toolkit
        • Many others ...
          > TmaxSoft, Worldspan, MailVision Ltd., MyUniPortal, Northrop Grumman Corporation, Cordys, SLIB, Expeditors International, Cast Iron Systems, Covergence, National Science Foundation, etc.
    36. Reference – More Info
        • Metro
          > metro.dev.java.net
          > users@metro.dev.java.net
          > https://forums.java.net/jive/forum.jspa?forumID=46
          > http://feeds.feedburner.com/MetroBlogs
        • GlassFish Community
          > glassfish.java.net
          > blogs.sun.com/theaquarium
        • Access Manager and OpenSSO blogs:
          > http://planets.sun.com/OpenSSO/
          > http://developers.sun.com/identity/
          > http://www.sun.com/software/products/access_mgr/index.jsp
          > http://opensso.org/
          > http://blogs.sun.com/main/tags/infocard
    37. Extra Slides
    38. Metro Overview (diagram: Metro – GlassFish Web Services Stack, metro.dev.java.net)
        • Commons: SMTP, Spring, JSON, ...
        • Security, Reliability, Transactions
        • Web Services Core: SOAP, HTTP, ...
        • XML Processing: JAXB, JAXP, SAAJ
    39. Metro Features – Composite Service (Brokered Trust) (diagram: a Service Consumer in an Unmanaged Environment calling Service Providers in Managed Environments, each with its own Trust Authority)
    40. InfoCard
        • CardSpace – Microsoft’s identity metasystem
          > Supports multiple identity systems
          > based on standards (e.g., WS-Security, WS-Trust, WS-MetadataExchange, WS-SecurityPolicy)
        • Users download cards from identity providers
          > their bank/etc, or create their own self-issued cards
        • Cards used to convey any info from identity provider to relying party that makes sense to both of them
        • CardSpace allows the user to select a card that provides identity and required claims to STS
        • Sun’s Access Manager supports InfoCard using its own identity system
        • SAML token returned by STS includes the identity; it is propagated and verified by Metro and .NET based services
    41. (no text on this slide)
    42. Demo: Ease-of-use with NetBeans 6 IDE
        http://blogs.sun.com/arungupta/entry/screncast_ws7_secure_and_reliable

    + pelegripelegri, 9 months ago
    Metro, the GlassFish Web Services stack. A present more