This document discusses stateful web services and techniques for managing state in web services. It introduces key concepts like web services, SOAP, WSDL, and methods for discovering web services. The document outlines that web services are inherently stateless but that state is difficult to avoid in situations like user sessions. It then describes techniques for managing state, including storing state in memory or in a database. A generalized model is presented involving a token generator, a repository to store session state, and services to initiate and terminate sessions. The document concludes that a session-oriented design may be desirable in some cases, but that the pros and cons of the different design styles should be weighed carefully.
Discussed the general OAuth2 features. Reviewed OAuth2 roles and grant flows:
Authorization code grant flow
Implicit grant flow
Resource owner password credentials grant flow
Client credentials grant flow
Reviewed access resource flow and token refresh.
See video: https://www.youtube.com/watch?v=UPsVD-A7gP0
APIs have become a strategic necessity for your business. They facilitate agility and innovation. However, the financial incentive associated with this agility is often tempered with the fear of undue exposure of the valuable information that these APIs expose. With data breaches now costing $400m or more, senior IT decision makers are right to be concerned about API security.
In this SlideShare, you'll learn:
-The top API security concerns
-How the IT industry is dealing with those concerns
-How Anypoint Platform ensures the three qualifications needed to keep APIs secure
REST API Security: OAuth 2.0, JWTs, and More! (Stormpath)
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
Securing RESTful APIs using OAuth 2 and OpenID Connect (Jonathan LeBlanc)
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis... (CA API Management)
By now you’ve bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are you building safe APIs? One insecure API can increase your organization’s risk profile exponentially. Securing APIs is not like securing the web, a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company’s APIs are reliable, safe and secure. You will learn:
• The top ways hackers exploit APIs in the wild
• Common identity pitfalls and how to avoid them
• Why OAuth scopes are essential to master
• How to keep web developers from bringing bad habits with them
Everything you want to know about microservices (Youness Lasmak)
Introduction to microservices architecture; each chapter in the presentation targets a step in your journey to build a distributed system based on microservices architecture, from design to delivery.
Check the explanation on the YouTube playlist
https://youtube.com/playlist?list=PLl0FlSJn8Rjxyo7Qx0JEOhLap9u6Lc-Bf
and on the CloudReady blog
https://www.cloudready.club
A very quick presentation, and for that reason never finished, about Windows Server Federation Services in Windows Server 2008; although it has many flaws in its use of information, such as the mix of languages or too much data crammed onto the slides, it can serve as a base for a better presentation.
Microservices - Hitchhiker's guide to cloud native applications (Stijn Van Den Enden)
Microservices are a true hype these days. Netflix, Amazon, eBay, … are all using microservices, but why? The idea is simple; split your application into multiple services which can evolve autonomously through time. The name suggests to keep these services small. Conceptually this seems not all that different from a classical Service Oriented Architecture (SOA). Nonetheless, microservices do offer a new perspective. A monolithic application is divided into a couple of small services which can be independently developed, deployed and scaled. Flexibility is increased, but using this model also has some pitfalls. This session sheds a light on the microservices landscape; the key drivers for using the pattern, tooling to support development and maintenance, and the pros and cons that go with it. We’ll also introduce some key design principles that can be used in creating and modelling these modular enterprise applications.
Blockchain: the trust fabric for next generation digital identity management (EY)
As business models become more complex and mature, it is clear that we need to adopt an identity access management ecosystem (IAM) to support business transformations.
Learn how blockchain can transform authentication and authorization models within IAM and how to leverage blockchain to address current and emerging use cases.
GSX provides out-of-the-box monitoring & reporting to ensure your Office 365 applications are performing the way they should at all times, ensuring smooth and uninterrupted service delivery.
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i... (MongoDB)
Many applications with high-sensitivity workloads require enhanced technical options to control and limit access to confidential and regulated data. In some cases, system requirements or compliance obligations dictate a separation of duties for staff operating the database and those who maintain the application layer. In cloud-hosted environments, certain data are sometimes deemed too sensitive to store on third-party infrastructure. This is a common pain for system architects in the healthcare, finance, and consumer tech sectors — the benefits of managed, easily expanded compute and storage have been considered unavailable because of data confidentiality and privacy concerns.
This session will take a deep dive into new security capabilities in MongoDB 4.2 that address these scenarios, by enabling native client-side field-level encryption, using customer-managed keys. We will review how confidential data can be securely stored and easily accessed by applications running on MongoDB. Common query design patterns will be presented, with example code demonstrating strong end-to-end encryption in Atlas or on-premise. Implications for developers and others designing systems in regulated environments will be discussed, followed by a Q&A with senior MongoDB security engineers.
A Web Service can be defined as follows:
It is a client-server application or application component for communication.
It is a method of communication between two devices over the network.
It is a software system for interoperable machine-to-machine communication.
It is a collection of standards or protocols for exchanging information between two devices or applications.
Maneuver Your Enterprise Data With WSO2 Data Service Server (Prabath Abeysekara)
I've come up with this presentation for the webinar organized by the WSO2 Data Services Team with an intention of introducing the rich set of features exposed by the WSO2 Data Services Server, to the interested community.
Further details related to this webinar can be found at: http://wso2.org/library/webinars/2011/04/maneuver-your-enterprise-data-wso2-data-services-server
Denodo 6.0: Self Service Search, Discovery & Governance using a Universal Se... (Denodo)
Presentation slides taken from Fast Data Strategy Roadshow San Francisco Bay Area.
For more Denodo 6.0 demos, please follow this link: https://goo.gl/XkxJjX
1. Stateful Web Services
By:
Muhammad Jawaid Shamshad
MS/PhD (CS)
052210
Advisor:
Aslam Parvez Memon
2. Agenda
► Introduction
► Terms and Concepts
Web Services
WSDL
Discovering Web Services (UDDI, ebXML)
► Introduction to State
► Need for State Management
► State Management Techniques
In-Memory
Database
► Generalized Model
► Conclusion
► Literature Sources
► Q & A
3. Introduction
► Web services are by nature stateless
► Situations where state management is difficult to avoid
Example: User Sessions
► How to manage state in web services?
4. Terms and Concepts
► Web Service
► SOAP
► WSDL
► Discovering Web Service
UDDI
ebXML
5. Web Service
► Definition
"Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet"
► Main focus is interoperability
► Uses SOAP protocol as syntax of message and uses HTTP to transfer that message
6. SOAP
► Definition
"Lightweight protocol for exchange of information in a decentralized, distributed environment"
► Created by Microsoft, DevelopMentor, IBM, Lotus, and Userland in 1999
► XML-based protocol
► Web services transfer XML messages in SOAP format encapsulated in a SOAP envelope
7. SOAP
► SOAP header contains the meta information and the body contains the actual message in XML syntax
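The header/body split described on the two SOAP slides above, shown as an added Python example that is not part of the original deck: the client places the session token (meta information) in the SOAP Header and the operation with its parameters in the Body; the server extracts both and rejects envelopes whose token is missing or not a well-formed UUID, so a malformed identifier is treated as "no session" rather than passed on. Only the SOAP 1.1 envelope namespace is standard; the `urn:example:session` namespace, the `SessionToken` element and the `GetOrders` operation are assumptions for the illustration.

```python
"""Added example: a SOAP 1.1 envelope whose Header carries session meta
information and whose Body carries the actual request.  The application
namespace and element names below are assumptions, not a real service."""
import uuid
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # standard SOAP 1.1 namespace
APP_NS = "urn:example:session"                           # assumed application namespace

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("app", APP_NS)


def build_request(session_token: str, operation: str, params: dict) -> bytes:
    """Client side: token in the Header, operation and parameters in the Body."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Header")
    ET.SubElement(header, f"{{{APP_NS}}}SessionToken").text = session_token
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{APP_NS}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8")


def parse_request(raw: bytes) -> dict:
    """Server side: pull the token out of the Header and the single operation
    out of the Body.  Any structural problem raises ValueError so the caller
    can return a SOAP Fault instead of guessing.

    Caveat: xml.etree is used here for a self-contained example; when the
    envelope comes from an untrusted network peer, parse it with the
    defusedxml package to rule out entity-expansion attacks on the parser."""
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP envelope")
    header = root.find(f"{{{SOAP_ENV}}}Header")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if header is None or body is None:
        raise ValueError("envelope must contain Header and Body")
    tok_el = header.find(f"{{{APP_NS}}}SessionToken")
    if tok_el is None or not tok_el.text or not tok_el.text.strip():
        raise ValueError("missing session token")
    token = tok_el.text.strip()
    uuid.UUID(token)  # raises ValueError if the token is not a well-formed UUID
    ops = list(body)
    if len(ops) != 1:
        raise ValueError("body must contain exactly one operation")
    op = ops[0]
    operation = op.tag.split("}", 1)[1]          # strip the namespace
    params = {child.tag.split("}", 1)[1]: (child.text or "") for child in op}
    return {"token": token, "operation": operation, "params": params}


if __name__ == "__main__":
    raw = build_request(str(uuid.uuid4()), "GetOrders", {"customerId": 42})
    print(raw.decode())
    print(parse_request(raw))
```

Keeping the token in the Header rather than the Body is what lets a generic interceptor (a handler chain, a gateway) validate the session before the operation-specific code runs, which is the point of calling it meta information.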
8. WSDL
► Definition
"An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information"
► Developed by IBM and Microsoft in 2000
► Contains information on where the service is located, what the service does, and how to invoke the service
► Application can look at the WSDL and dynamically construct SOAP messages
9. Discovering Web Services
► How to search for a desired web service and communicate with it
Universal Description, Discovery, and Integration (UDDI)
ebXML Registries
10. UDDI
► Introduced by Ariba, Microsoft, and IBM in 2000
► Not yet a standard but implemented by major vendors like Microsoft and IBM
► Information available
white pages of company contact information,
yellow pages that categorize businesses by standard categorization, and
green pages that document the technical information about web services, like WSDL
11. ebXML
► A standard created by OASIS in 2001
► Provides a common way for businesses to quickly and dynamically perform business transactions based on common business practices
► Information available
Business processes and components described in XML
Capabilities of a trading partner
Trading partner agreements between companies
12. Introduction to State
► State allows services to be brought down without loss of context
► When they are brought up again, the durable state is still there and they can continue as if nothing had happened
13. Need for state management
► Web services provide stateless client-server interactions
► Stateless means client requests are independent and no memory of previous requests is required
► State management is difficult to avoid in a number of situations
► Establish a session between a consumer and a provider, for efficiency reasons
► Sending a security certificate with each request is a serious burden for both consumer and provider
14. State Management Techniques
► Require session state information to be explicitly passed, which can be a unique identifier of the session like a session Id
► Session Id can be stored on the client-side
► Rest of the data, such as user information, can be stored on the server-side
15. In-Memory
► Keeps a reference of the session in its memory
► Works well in a single server environment but not very useful in a farm or cluster
► Session is tied to a single server and is not shared among servers in the farm, resulting in loss of session information
► Dedicate a single server to handle all requests from a user for the lifetime of the session
► Compromises scalability as the distribution of load among multiple servers is not fairly balanced
16. Database
► Store session in a database server accessible to all other servers in the farm
► Each user will be given a unique identifier that will serve as a key to the user's information in the database
► Advantage: state information is durable
► Disadvantage: puts a greater load on the server, requires more time-consuming database transactions
17. Database
► Client stores only the unique identifier, other sensitive data is stored in the database, thus session information is secure
► Always better to put greater load on the server than to risk security
18. Generalized Model
► Requirements:
Token generator generates a unique token or identifier for each client, like a GUID or UUID
Repository required in which session state can be stored
Session initiating and terminating web services required, like login/logout web services
19. Generalized Model
► Flow:
Client calls the login web service to initiate the session
Server authenticates the client
If authenticated, generates a unique token
Store session info against that token in the repository
Session information can be user id, contact information, previous requests etc.
Return that token to the client
Client will then call further web services providing the token
Finally client will call the logout web service to terminate the session
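The generalized model from slides 18 and 19, together with the in-memory and database repositories from slides 15 and 16, as an added Python example that is not the deck's own code: a UUID token generator, two interchangeable repositories, login/logout services, and the check every other web service performs on the token the client supplies. The user store, the password, the 600-second idle timeout and the sqlite schema are constructed for the example; the model on the slides says nothing about expiry, which is added here as the caveat that a "durable" session in a database otherwise stays valid until the client remembers to log out.

```python
"""Added example of the generalized session model: token generator,
repository, login/logout.  User data, timeout and schema are constructed."""
import hmac
import sqlite3
import time
import uuid
from hashlib import pbkdf2_hmac

SESSION_TTL = 600  # seconds of validity per session (assumed value)


def _hash(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = b"constructed-salt-for-example"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


class InMemoryRepository:
    """Slide 15: the session lives in one server's memory, not shared in a farm."""
    def __init__(self):
        self._sessions = {}

    def put(self, token, state):
        self._sessions[token] = state

    def get(self, token):
        return self._sessions.get(token)

    def delete(self, token):
        self._sessions.pop(token, None)


class DatabaseRepository:
    """Slide 16: the session lives in a database every server in the farm can
    reach.  sqlite ':memory:' stands in for the shared database server."""
    def __init__(self, path=":memory:"):
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS sessions "
                         "(token TEXT PRIMARY KEY, user TEXT, expires REAL)")

    def put(self, token, state):
        self._db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
                         (token, state["user"], state["expires"]))
        self._db.commit()

    def get(self, token):
        row = self._db.execute("SELECT user, expires FROM sessions WHERE token = ?",
                               (token,)).fetchone()
        return None if row is None else {"user": row[0], "expires": row[1]}

    def delete(self, token):
        self._db.execute("DELETE FROM sessions WHERE token = ?", (token,))
        self._db.commit()


class SessionService:
    """The login/logout web services of slide 18 plus the per-request check."""
    def __init__(self, repo, clock=time.time):
        self.repo = repo
        self.clock = clock  # injectable so expiry can be tested deterministically

    def login(self, user, password):
        """Slide 19 flow: authenticate, generate a token, store state, return token."""
        record = USERS.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(_hash(password, salt), stored):
            return None
        token = str(uuid.uuid4())  # token generator: 122 random bits, unguessable
        self.repo.put(token, {"user": user, "expires": self.clock() + SESSION_TTL})
        return token

    def current_user(self, token):
        """What every other web service does with the token the client sends:
        look it up; an unknown or expired token means no session."""
        state = self.repo.get(token) if token else None
        if state is None:
            return None
        if state["expires"] < self.clock():
            self.repo.delete(token)  # expired entry is removed, not reused
            return None
        return state["user"]

    def logout(self, token):
        self.repo.delete(token)


if __name__ == "__main__":
    shared = DatabaseRepository()
    a, b = SessionService(shared), SessionService(shared)
    tok = a.login("alice", "correct horse")
    print("server B sees:", b.current_user(tok))  # shared repository: alice
    b.logout(tok)
    print("after logout:", a.current_user(tok))    # None
```

Two `SessionService` instances over separate `InMemoryRepository` objects reproduce the farm problem from slide 15 (a token issued by one server is unknown to the other), while two instances sharing one `DatabaseRepository` behave as slide 16 describes. Only the opaque token ever reaches the client; the user record stays server-side, which is the security argument of slide 17.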
21. Conclusion
► It is recommended that web services be designed according to the principles of a service-oriented architecture.
► However, it is sometimes desirable to build services capable of referencing each other, which may lead to a finer-grained, session-oriented services design.
► When building a new service, it is worth considering carefully the pros and cons of all design styles, which can result in a better integration solution for a targeted domain
Web services are by nature stateless. There are certain situations where state management of resources is difficult to avoid, like user sessions. Another situation is establishing a session between a consumer and a provider. In web services this is normally required when applications such as business and e-commerce applications based on user sign-on need to maintain the state of connected clients, while the web services they are built on do not provide an implicit state management facility. This study presents the logical model for maintaining the state of resources in web services.
Before we can define the means by which Web services manage state, we need to explain a few terms and concepts.
“Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet.”
The definition expresses the main point that web services are software applications like other usual software applications, which perform some specific tasks depending on their implementation. The main focus of web services is interoperability. Web services use XML [2] as the syntax of their message and use HTTP [3] to transfer that message. The message is basically a Simple Object Access Protocol (SOAP [4]) envelope, which is in XML format.
“a lightweight protocol for exchange of information in a decentralized, distributed environment.”
Created by Microsoft, DevelopMentor, IBM, Lotus, and UserLand.