2009 02 26 Metro Glass Fish Webinar

Metro, the GlassFish Web Services stack. A presentation by Harold Carr emphasizing the benefits of Metro for interoperability with .Net
Slide 1: Metro Web Services stack (and .NET 3.x interop)
Harold Carr
Lead architect, Project Metro
Sun Microsystems, Inc.
http://weblogs.java.net/blog/haroldcarr/
harold.carr@sun.com
Slide 2: Agenda
• What is Metro ?
• Metro features
• Security scenarios
• Community, adoption, more info
Metro: The Web services stack in GlassFish
Slide 3: What is Metro ?
• Web Services stack from GlassFish community
• Extensible / pluggable architecture
  > Encoding, Protocol and Transport Independence
• Security, Reliability, Transactions
• High-performance; Production-quality
• Programming models
  > POJO + annotations = Descriptor-free programming
  > WSDL
  > Data binding via JAXB (100% XML Schema Support)
Slide 4: Metro Interoperability via Standards
• Basic Web Services
  > JAX-WS 2.1 & JAXB 2.1
  > W3C SOAP 1.1/1.2, WSDL 1.1, WS-Addressing, MTOM
  > WS-I Basic Profile 1.x, SSBP 1.0, AP 1.0, BSP 1.0
• Enterprise Web Services
  > OASIS: WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-ReliableMessaging, WS-AtomicTransactions, WS-Coordination
  > W3C: WS-Addressing, WS-Policy, WS-Transfer
  > WS-MetadataExchange
• Same specs implemented by MS .NET 3.x
Slide 5: Metro Interoperability
Diagram: a Metro client and a Metro endpoint on one side, a .NET 3.x client and a .NET 3.x endpoint on the other, with clients on each side calling the endpoint on the other.
Slide 6: The Metro Stack
Layers, top to bottom:
• JAX-WS Tooling, NetBeans & Studio Support Software
• Security (Secure Conv., Trust, XWSS) | Reliability (Reliable-Messaging) | Transactions (Atomic-Transactions, Coordination) | Metadata (WSDL, MEX, Policy)
• SOAP Based Messaging (WSA, MTOM)
• JAXB Based XML Data Binding (XSD, XPATH)
• Transports: HTTP, TCP, SMTP
Slide 7: Metro Processing Pipeline
Diagram: on the client, an invoke passes through Stub, TX, Reliability, WS-A and Security before the HTTP transport serializes the Message (01010001...); the return path runs the same stages in reverse. On the server, the incoming Message passes through the server-side pipeline stages (W, X, Y, Z in the diagram) to the Invoker, which calls the endpoint and returns the response Message.
Slide 8: Metro Performance (chart only)
Slide 9: Agenda (section divider, same items as slide 2)
Slide 10: Metro Features – Reliable Messaging
Protocol-based Reliability
• Before RM
  > Reliable protocols based on TCP/IP
  > Point-to-point
• RM brings reliability to SOAP (protocol) layer
• Recovery from lost or mis-ordered messages
• Transparent to application
• Enable use of multiple transports
  > Works on non TCP/IP transports
Slide 11: Reliable Messaging Operation
Sequence diagram between Client Application, RM Source, RM Destination and Service Application:
1. Client data → RM Source sends CreateSequence → RM Destination returns SeqId
2. Client data → sent as Client data + SeqId + Msg Id → delivered as Client data to the service; Srv data returned as Srv data + SeqAck → Srv data to the client
3. Steps repeat for each further client message (each carrying SeqId + Msg Id, each response carrying a SeqAck)
4. close → LastMsg + SeqId + Msg Id → SeqAck
5. Terminate + SeqId → HTTP 202
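The exchange on the two Reliable Messaging slides (and the WS-RM use between GetDataWS and AuditWS later in the deck), written out as an added example. This is not Metro code and not the WS-RM wire format; it is a small Python model of an RM Source and RM Destination that shows what the SeqId, Msg Id and SeqAck carry: the destination acknowledges ranges of message numbers and delivers only the contiguous prefix, the source resends whatever is unacknowledged. The lossy channel and the audit-record payloads are constructed for the demonstration.

```python
"""WS-ReliableMessaging-style source and destination (added example, not Metro code).

Follows the exchange on the Reliable Messaging slide: CreateSequence -> SeqId,
Msg Id per message, acknowledgement ranges, retransmission of anything
unacknowledged, in-order delivery, then LastMsg / Terminate. The lossy channel
and the payloads are constructed for the demonstration.
"""
import uuid


def ack_ranges(msg_nums):
    """Collapse received message numbers into (lower, upper) acknowledgement ranges."""
    ranges = []
    for n in sorted(msg_nums):
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1][1] = n
        else:
            ranges.append([n, n])
    return [tuple(r) for r in ranges]


class LossyChannel:
    """Constructed transport that silently drops every `drop_every`-th transmission."""
    def __init__(self, drop_every=3):
        self.drop_every = drop_every
        self.attempts = 0

    def transmit(self):
        self.attempts += 1
        return self.attempts % self.drop_every != 0


class RmDestination:
    """RM Destination: buffers out-of-order messages, delivers in order, acks what it holds."""
    def __init__(self):
        self._sequences = {}

    def create_sequence(self):
        seq_id = str(uuid.uuid4())
        self._sequences[seq_id] = {"buffer": {}, "next": 1, "delivered": []}
        return seq_id

    def receive(self, seq_id, msg_num, payload):
        seq = self._sequences[seq_id]
        seq["buffer"].setdefault(msg_num, payload)   # a retransmitted duplicate is not delivered twice
        while seq["next"] in seq["buffer"]:           # hand the contiguous prefix to the application
            seq["delivered"].append(seq["buffer"][seq["next"]])
            seq["next"] += 1
        return ack_ranges(seq["buffer"])              # SeqAck: every number received so far

    def terminate(self, seq_id):
        return self._sequences.pop(seq_id)["delivered"]


class RmSource:
    """RM Source: numbers outgoing messages and resends until every number is acknowledged."""
    def __init__(self, dest, channel):
        self.dest = dest
        self.channel = channel
        self.seq_id = dest.create_sequence()          # CreateSequence / SeqId
        self._unacked = {}
        self._next = 1

    def send(self, payload):
        n = self._next                                # Msg Id
        self._next += 1
        self._unacked[n] = payload
        self._transmit(n)

    def _transmit(self, n):
        if self.channel.transmit():
            self._apply_acks(self.dest.receive(self.seq_id, n, self._unacked[n]))

    def _apply_acks(self, ranges):
        for lower, upper in ranges:
            for n in range(lower, upper + 1):
                self._unacked.pop(n, None)

    def close(self, max_rounds=10):
        rounds = 0
        while self._unacked and rounds < max_rounds:  # resend the gaps until the acks cover everything
            for n in sorted(self._unacked):
                self._transmit(n)
            rounds += 1
        if self._unacked:
            raise RuntimeError(f"sequence {self.seq_id} incomplete, unacked {sorted(self._unacked)}")
        return self.dest.terminate(self.seq_id)       # LastMsg / Terminate


def run_sequence(payloads, drop_every=3):
    """Send payloads (e.g. GetDataWS -> AuditWS audit records) over a lossy channel."""
    dest = RmDestination()
    src = RmSource(dest, LossyChannel(drop_every))
    for p in payloads:
        src.send(p)
    return src.close(), src.channel.attempts
```

With the default channel every third transmission is lost, so six audit records take eight transmissions, but the destination still hands all six to the application in order and none twice; that is the property the deck relies on when it says WS-RM "ensures all messages sent are received" for the audit trail.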
Slide 12: Metro Features – Atomic Transactions
Transactional Web services
• Same as EJB RMI-IIOP Transactions
• All operations in TX boundary succeed or rollback
• Now available with web services
Slide 13: Metro Features - Security
End-to-End Security
• Before WS-Security: SSL/HTTPS
  > Security at transport layer
  > All or nothing granularity
  > Point-to-point
• WS-Security (XWSS)
  > Security at SOAP (protocol) layer
  > Fine granularity possible: only sign/encrypt credit card # (e.g., XML subtree)
  > Works on non-TCP/IP transports
  > Integrity, Confidentiality, Auth
  > W3C XML Signature/Encryption
Slide 14: Trust (getting security tokens)
Participants: client (.NET 3.x or Java), service (.NET 3.x or Java), STS (e.g., Access Manager)
1. wsimport (MEX or ?wsdl)
2. WSDL + Policy with STS address
3. Client requests token from STS
4. STS returns token
5. client msg signed/encrypted with token
6. server response signed/encrypted with token
Slide 15: Secure Conversation (optimization)
WITHOUT Secure Conversation: get key from STS for each msg
Participants: client (.NET 3.x or Java), service (.NET 3.x or Java), STS (e.g., Access Manager)
1. get WSDL
2. request token A for msg 1 from STS
3. msg 1 signed/encrypted with token A
4. request token B for msg 2 from STS
5. msg 2 signed/encrypted with token B
Slide 16: Secure Conversation (optimization)
WITH Secure Conversation: derive keys from initial STS key
Participants: client (.NET 3.x or Java), service (.NET 3.x or Java), STS (e.g., Access Manager)
1. get WSDL
2. request token A for msg 1 from STS
3. msg 1 signed/encrypted with token A
4. msg 2 signed/encrypted with derived key
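What "derive keys from initial STS key" means in practice, as an added example that is not Metro code. The key derivation is the one WS-SecureConversation specifies (P_SHA1 borrowed from TLS 1.0, over label + nonce, with the key for a given Generation taken at Offset = Generation × Length, and "WS-SecureConversation" as the default label); everything else is a constructed stand-in: the STS that hands out one secret, the dict-with-HMAC message framing in place of the WS-Security XML on the wire, and the service that re-derives the same key, rejects a tampered body and refuses a replayed (nonce, generation) pair.

```python
"""WS-SecureConversation derived keys (added example, not Metro code).

Shows the optimization on the Secure Conversation slides: one STS round trip
yields a conversation secret, and every message uses a key derived from it
with P_SHA1 (TLS 1.0 P_hash with HMAC-SHA1), selected by Generation where
Offset = Generation * Length. The message framing is a constructed stand-in
for the WS-Security XML on the wire.
"""
import hashlib
import hmac
import secrets

DEFAULT_LABEL = b"WS-SecureConversation"   # label WS-SecureConversation uses when none is given
KEY_LENGTH = 32


def p_sha1(secret, seed, length):
    """TLS 1.0 P_hash with HMAC-SHA1: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ... truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret, nonce, generation, length=KEY_LENGTH, label=DEFAULT_LABEL):
    """DerivedKeyToken: key = P_SHA1(secret, label + nonce)[offset : offset + length]."""
    offset = generation * length
    return p_sha1(secret, label + nonce, offset + length)[offset:]


class Sts:
    """Stand-in for the STS on the slides (e.g. Access Manager); counts WS-Trust round trips."""
    def __init__(self):
        self.issue_count = 0

    def issue_secret(self):
        self.issue_count += 1
        return secrets.token_bytes(KEY_LENGTH)


def sign_message(secret, nonce, generation, body):
    """Client side: protect one message with the key for this generation."""
    key = derive_key(secret, nonce, generation)
    return {"generation": generation, "nonce": nonce, "body": body,
            "mac": hmac.new(key, body, hashlib.sha256).digest()}


class SecureConversationService:
    """Service side: re-derives the key from the shared secret; rejects bad MACs and replays."""
    def __init__(self, secret):
        self._secret = secret
        self._seen = set()

    def accept(self, msg):
        key = derive_key(self._secret, msg["nonce"], msg["generation"])
        expected = hmac.new(key, msg["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                               # tampered body or wrong key
        if (msg["nonce"], msg["generation"]) in self._seen:
            return False                               # replay of an already-accepted message
        self._seen.add((msg["nonce"], msg["generation"]))
        return True


def run_conversation(bodies):
    """Whole exchange: one token from the STS, then a fresh derived key per message."""
    sts = Sts()
    secret = sts.issue_secret()           # the only WS-Trust call, however many messages follow
    nonce = secrets.token_bytes(16)       # client-chosen nonce carried in the DerivedKeyToken
    service = SecureConversationService(secret)
    outcomes = [service.accept(sign_message(secret, nonce, g, body))
                for g, body in enumerate(bodies)]
    return sts.issue_count, outcomes
```

The derived key is not a replay defence by itself: a captured message still verifies, which is why the service above remembers each (nonce, generation) it has accepted. Real deployments get the same effect from timestamps and message IDs required by the security policy.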
Slide 17: Agenda (section divider, same items as slide 2)
Slide 18: Security Scenarios
• Token creation and validation
• Token expiration
• Identity and attribute extraction for Database search
• Identity propagation
  > thru multiple web apps & services
• Brokered trust
Slide 19: Token Creation and Validation
Participants: Client (.NET SOAP); AM (Metro SOAP) STS; GetDataWS (GF/Metro SOAP)
1. HTTPS/MEX to get GetDataWS WSDL
1a. GetDataWS has WSDL that indicates SAML token required from STS
2. getData called.
2a. HTTPS/MEX to get STS WSDL.
2b. HTTP/SAML security to do STS operation to get Token.
2c. Pass token w/Attribute inserted directly in token to GetDataWS
3. GetDataWS returns result when valid token received.
Slide 20: Protocols used in Token Creation scenario
• WS-Transfer/WS-Metadata Exchange
  > Used to obtain service and STS WSDLs
• WS-Trust
  > Used by client to obtain security token from STS
• WS-Security
  > Used to sign/encrypt messages between client and service
• STS = Security Token Service
  > Sun Access Manager (AM) in this example
  > Uses SAML tokens
  > More on STS and SAML in subsequent slides
Slide 21: Token Expiration
Participants: Client (.NET SOAP); AM (Metro SOAP) STS; GetDataWS (GF/Metro SOAP)
Same setup / interaction as previous slide.
1. Change token expiration on STS to 5 seconds.
2. After getting token from STS have client sleep 10 seconds then call getData. Should receive "invalid token" fault.
3. Change token expiration on STS to 15 seconds.
4. After getting token from STS have client sleep 10 seconds then call getData. Should now receive valid result.
Slide 22: STS used in SAML Token Creation scenario
• STS == Security Token Service
  > STS in this example is Sun's Access Manager (AM)
• SAML == Security Assertion Markup Language
• SAML tokens generated by STS specify details ('claims') about client to server
  > Tokens have predefined elements & attributes
  > Token can include user-defined claims
• Token includes 'expires' element
  > STS (in this example) sets 'expires' to 15 seconds
Slide 23: Identity and attribute extraction for Database Search
Participants: Client (Metro SOAP); Active Directory (.NET SOAP) STS; GetDataWS (IIS .NET SOAP)
1. HTTPS/MEX to get GetDataWS WSDL.
1a. GetDataWS has WSDL that indicates SAML token required from STS
2. User A (permission to SOME data) logs in and calls getData.
2a. HTTPS/MEX and HTTP/SAML STS interaction.
2b. Pass token w/Attribute inserted directly in token to GetDataWS
3. Use token to determine user role. Result should be a subset of data (e.g., 5 rows).
User B (permission to ALL data) logs in and does SAME query. Result should be all data (e.g., 10 rows).
Slide 24: STS used in DB search scenario
• STS in this example is backed by Active Directory (AD)
• User supplies credentials to authenticate to Active Directory (username/password, X.509, etc)
• STS issues SAML token with claims regarding user
  > Identity
  > STS inserts additional claim regarding the user's ROLE (as defined in AD)
• GetDataWS verifies SAML token issued by trusted STS
• Role extracted from SAML token
  > Used in DB access
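The relying-party side of the token expiration and DB search scenarios (slides 21 to 24), as an added example that is not Metro or Access Manager code. It builds a constructed SAML 2.0 assertion of the shape an STS returns (issuer, subject, Conditions with NotBefore/NotOnOrAfter, a role attribute), then does the checks GetDataWS must do before trusting it: issuer in the trusted set, validity window with a small clock-skew allowance, role attribute extracted and used to decide how many rows come back. The issuer URI, the 2-second skew and the 10-row RecordsDB are assumptions. One deliberate omission: the example does not verify the assertion's XML-Signature, and a real service must do that first, otherwise anyone can mint a token with the role they want.

```python
"""Relying-party checks on an STS-issued SAML token (added example, not Metro code).

Covers the token-expiration and role-extraction slides: validate Issuer and
Conditions (NotBefore / NotOnOrAfter), pull the role attribute the STS inserted,
and let the role decide the DB result. The assertion is constructed; XML-Signature
verification is out of scope here and must precede these checks in production.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
AM_STS = "https://sts.example.test/am"           # assumed identifier of the Access Manager STS
TRUSTED_ISSUERS = {AM_STS}
MAX_SKEW = timedelta(seconds=2)                  # assumed tolerance for client/STS clock drift
ISSUED_AT = datetime(2009, 2, 26, 12, 0, 0, tzinfo=timezone.utc)   # constructed issue time
RECORDS = [f"row-{i}" for i in range(1, 11)]    # constructed RecordsDB with 10 rows


def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(issuer, subject, role, issued_at, lifetime_seconds):
    """Constructed SAML 2.0 assertion like one an STS would return (unsigned)."""
    not_before = _fmt(issued_at)
    not_on_or_after = _fmt(issued_at + timedelta(seconds=lifetime_seconds))
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a1" IssueInstant="{not_before}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


class InvalidToken(Exception):
    """Maps to the 'invalid token' fault the client sees on slide 21."""


def validate_token(xml_text, now):
    """Return {'subject', 'roles'} or raise InvalidToken. Signature check assumed done before."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise InvalidToken("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise InvalidToken(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise InvalidToken("missing validity window")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + MAX_SKEW < not_before:
        raise InvalidToken("token not yet valid")
    if now - MAX_SKEW >= not_on_or_after:            # NotOnOrAfter is exclusive
        raise InvalidToken("token expired")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return {"subject": subject, "roles": roles}


def get_data(xml_text, now, records):
    """GetDataWS-style authorization: the role claim in the token decides the visible rows."""
    claims = validate_token(xml_text, now)
    if "all" in claims["roles"]:
        return list(records)
    if "some" in claims["roles"]:
        return list(records[:5])
    raise InvalidToken("no usable role claim")     # deny by default


def expiration_scenario(lifetime_seconds, sleep_seconds, issuer=AM_STS):
    """Slide 21: STS lifetime vs. client sleep before calling getData."""
    token = make_assertion(issuer, "userA", "some", ISSUED_AT, lifetime_seconds)
    try:
        validate_token(token, ISSUED_AT + timedelta(seconds=sleep_seconds))
        return "valid result"
    except InvalidToken as exc:
        return f"invalid token: {exc}"


def db_search_scenario(user, role):
    """Slide 23: same query, different role claim, different number of rows."""
    token = make_assertion(AM_STS, user, role, ISSUED_AT, 15)
    return get_data(token, ISSUED_AT + timedelta(seconds=1), RECORDS)
```

Two details worth keeping when porting this: NotOnOrAfter is an exclusive bound, and the skew allowance should be small and fixed by policy, since every second of tolerance extends the window in which a stolen token still works.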
Slide 25: Identity Propagation thru multiple web apps & services
Participants: Client (browser using CardSpace); AM (Metro SOAP) STS A; GetData Web App (GF/Metro SOAP); GetDataWS (IIS .NET SOAP) with RecordsDB; AuditWS (GF/Metro SOAP) +RM with AuditDB
1. Browser-based client authenticates via CardSpace + AM
2. Client does call on GetData Web Application.
3. GetData WA calls GetDataWS.getData.
3a. GetDataWS will get data from RecordsDB.
3b. GetDataWS will also call AuditWS.audit. Will use WS-RM.
Validate: record must be retrieved correctly and AuditDB verified. Audit record should show User A, time, Application, GetDataWS and RecordsDB.
NOTE: GetDataWS and AuditWS also secured using initial client token.
Slide 26: WS-ReliableMessaging
• Used between GetDataWS and AuditWS
• To ensure audit trail
• Ensures all messages sent are received
Slide 27: Brokered Trust
Participants: as slide 25, plus Active Directory (.NET SOAP) STS B alongside AM (Metro SOAP) STS A
Same as previous scenario except: GetDataWS has trust relationship with STS A, AuditWS has trust relationship with STS B. STS A and B trust each other.
Slide 28: Brokered Trust
• User supplies credentials to authenticate to STS A (AM)
• Identity is propagated through multiple web apps/services
• AuditWS does not know/trust STS A (AM)
• AuditWS trusts STS B (AD)
• STS B has a trust relationship with STS A (via WS-Trust)
• STS B can use STS A to validate identity
Slide 29: Before Project Metro
Only WS-I BP 1.1 Interop
Diagram: Java EE Platform side (Sun Managed Trust Authority; Project GlassFish Wholesale Quote Service; Java Client) and .NET side (Microsoft Managed Trust Authority; .Net Retail Service; WCF Client). The only cross-platform links are BP 1.1 calls between the clients and services; the two trust authorities are not connected.
Slide 30: With Project Metro
Diagram: same parties as slide 29 plus a Project GlassFish STS on the Java EE side. The Sun and Microsoft Managed Trust Authorities are linked by WS-Trust, and the cross-platform calls between the Wholesale Quote Service, Retail Service, Java Client and WCF Client carry QOS security interop.
Slide 31: Security Summary
• Web Service Interoperability
  > Java web services using Metro and GlassFish
  > .NET 3.5 web services using Windows Communication Foundation
• Identity
  > Sun Access Manager
  > (Microsoft Active Directory)
  > WS-Trust
  > SAML
  > InfoCard
• Security
  > SAML, WS-Security, WS-SecureConversation, WS-SecurityPolicy
Slide 32: Agenda (section divider, same items as slide 2)
Slide 33: Community
• Visible development at java.net
  > metro, jax-ws, wsit, jax-ws-commons
  > Continuous testing using Hudson
• Fully Open-source
  > CDDL and GPL v2 license
  > Source code, Emails, Forums
• Light-weight committer process
  > to encourage external contributions
• Features driven by users and community
  > Spring, SMTP, JSON, Stateful Web service, etc.
Slide 34: Metro Runtime & Tools
• Containers (runtime)
  > Integrated in GlassFish V2 and V3
  > Light-weight HTTP server (Java SE 6)
  > JBoss WS 2.1.0, BEA WLS 10, IBM JDK Version 6, TmaxSoft JEUS, Tomcat, Jetty
  > Any Servlet-2.4 container
• Development Tools
  > Command-line: wsimport, wsgen
  > NetBeans IDE
  > Maven plugins
  > Eclipse (SOAP UI plugin)
Slide 35: Adoption
• BEA/Oracle WebLogic Server 10
• JBoss WS 2.1.0
• IBM JDK Version 6
• Salesforce.com for APEX 8.0 toolkit
• Many others ...
  > TmaxSoft, Worldspan, MailVision Ltd., MyUniPortal, Northrop Grumman Corporation, Cordys, SLIB, Expeditors International, Cast Iron Systems, Covergence, National Science Foundation, etc.
Slide 36: Reference – More Info
• Metro
  > metro.dev.java.net
  > users@metro.dev.java.net
  > https://forums.java.net/jive/forum.jspa?forumID=46
  > http://feeds.feedburner.com/MetroBlogs
• GlassFish Community
  > glassfish.java.net
  > blogs.sun.com/theaquarium
• Access Manager and OpenSSO blogs:
  > http://planets.sun.com/OpenSSO/
  > http://developers.sun.com/identity/
  > http://www.sun.com/software/products/access_mgr/index.jsp
  > http://opensso.org/
  > http://blogs.sun.com/main/tags/infocard
Slide 37: Extra Slides
Slide 38: Metro Overview
Diagram of Metro – GlassFish Web Services Stack (metro.dev.java.net), layers top to bottom:
• Commons: SMTP, ... | Security | Reliability | Transactions | Spring | JSON
• Web Services Core: SOAP, HTTP, ...
• XML Processing: JAXB, JAXP, SAAJ
Slide 39: Metro Features
Composite Service (Brokered Trust)
Diagram: two Trust Authorities, several Service Providers and a Trust Service inside the Managed Environment; the Service Consumer sits in the Unmanaged Environment and reaches the providers through the trust relationships.
Slide 40: InfoCard
• CardSpace – Microsoft's identity metasystem
  > Supports multiple identity systems
  > based on standards (e.g., WS-Security, WS-Trust, WS-MetadataExchange, WS-SecurityPolicy)
• Users download cards from identity providers
  > their bank/etc, or create their own self-issued cards
• Cards used to convey any info from identity provider to relying party that makes sense to both of them
• CardSpace allows the user to select a card that provides identity and required claims to STS
• Sun's Access Manager supports InfoCard using its own identity system
• SAML token returned by STS includes the identity, which is propagated to and verified by Metro and .NET based services
Slide 42: Demo
Ease-of-use with NetBeans 6 IDE
http://blogs.sun.com/arungupta/entry/screncast_ws7_secure_and_reliable