1
Web Service and Security
Lilly Wang
2
Agenda
• Brief introduction to web service
• Web service security
• Wireless web service
3
Software Evolution
• Main frame based
• Two-Tier Client Server
• Web-based N-tier Client Server
• Web centric highly distributed system
4
Web Service Basics
5
What is web service?
• Self contained
• Self described (WSDL)
• Interoperable standard interfaces
• Dynamically discovered (UDDI)
6
Web Service Characteristics
• Openly accessible over Internet
• Use XML messages for communication
• Loosely-coupled architecture
• Involve one or more intermediaries
• Heterogeneous in implementation technologies
7
Business Point of View
[Diagram: Requestor, Registry, Provider; operations: find, bind, publish]
8
Developer’s Point of View
• How to achieve interoperability
• How to transport data
• How to achieve high performance
A web service can be any piece of software that makes itself available over the Internet using a standardized web service messaging system and interface.
9
Architecture
[Diagram: Requestor, Registry, Provider; labels: WSDL, SOAP, WSDL, UDDI]
10
SOAP
• Simple Object Access Protocol
• Originally used for RPC
• High-level protocol that defines only the message structure and a few simple rules for message processing
• Data packed inside SOAP message for transporting over the network
• http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
11
WSDL
• Web Service Description Language
• Service description component
• A specification for describing a service provided or searching
• http://www.w3.org/TR/2001/NOTE-wsdl-20010315
12
UDDI
• Universal Description Discovery Integration
• A technical spec for business registry
• Data stored in standardized XML format
• APIs for searching
• UDDI Business Registry is a fully operational implementation of the UDDI spec
• http://www.oreillynet.com/lpt/a//webservices/2002/02/12/webservicefaqs.html
13
Types of Web services
Remote Procedure Call (RPC) type
• Call parameters and return values are serialized in SOAP messages.
• Data types are supported by XML schema.
Document messaging (DOC) type
• Operate in asynchronous mode.
• Similar to mailing list robots.
• Good for mobile.
14
Web Service Security
15
Security Basics
• Authentication
• Access Control
• Authorization
• Data Integrity
• Non-repudiation
16
Basic Security Mechanism
• Symmetric/Asymmetric Key Encryption
• Message Digest
• Message Authentication Codes (MAC)
• Digital Signature
• Digital Certificate
17
Web Service Security Technologies
• X.509 Certificate (RFC 2585)
• SSL/TLS (RFC 2246)
• Kerberos Tickets (RFC 1510)
• XML Signature (http://www.xml.com/pub/a/2001/08/08/xmldsig.html)
• XML Encryption (http://www.aleksey.com/xmlsec/)
• XML-based security token (SAML format) (http://www.aleksey.com/xmlsc/)
18
Web Service Security Challenges
SOAP messages can be sent using different transport applications or protocols
There could be legitimate intermediaries that might need to access a part or whole of SOAP messages
19
Point-to-Point Security
[Diagram: Requester, Intermediary, Web Service; two Security Context labels]
20
End-to-End Security
[Diagram: Requester, Intermediary, Web Service; one Security Context label]
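The difference between the point-to-point and end-to-end slides, as an added Python example that is not part of the original deck: the requester protects the SOAP Body with a MAC that only the final web service can check, so a legitimate intermediary can add a header but any change to the Body is detected. The shared key, the `urn:example:added-demo` namespace and the `BodyMac`, `Via` and `Transfer` elements are hypothetical, and the HMAC is a simplified stand-in for XML Signature.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
EX = "urn:example:added-demo"   # hypothetical namespace for this example's elements
NS = {"s": SOAP, "ex": EX}

def body_mac(root, key):
    """HMAC-SHA256 over the canonical form of <Body>, so re-serialization does not matter."""
    body = ET.tostring(root.find("s:Body", NS), encoding="unicode")
    c14n = ET.canonicalize(body, rewrite_prefixes=True)
    return base64.b64encode(hmac.new(key, c14n.encode(), hashlib.sha256).digest()).decode()

def requester_send(amount, e2e_key):
    """Requester: build the message and put the Body MAC in a header block."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, f"{{{EX}}}Transfer").text = amount
    ET.SubElement(header, f"{{{EX}}}BodyMac").text = body_mac(env, e2e_key)
    return ET.tostring(env)

def intermediary(xml_bytes, tamper=False):
    """Hop that ends the transport-level context, reads the message and adds a routing header."""
    root = ET.fromstring(xml_bytes)
    ET.SubElement(root.find("s:Header", NS), f"{{{EX}}}Via").text = "gateway-1"
    if tamper:  # models a hop that alters the Body after transport protection has ended
        root.find("s:Body/ex:Transfer", NS).text = "9999"
    return ET.tostring(root)

def service_receive(xml_bytes, e2e_key):
    """Final web service: recompute the MAC over the Body it actually received."""
    root = ET.fromstring(xml_bytes)
    claimed = root.findtext("s:Header/ex:BodyMac", "", NS)
    return hmac.compare_digest(claimed.encode(), body_mac(root, e2e_key).encode())

if __name__ == "__main__":  # constructed sample values
    key = b"k" * 32
    msg = requester_send("100", key)
    print(service_receive(intermediary(msg), key))               # header added, Body intact
    print(service_receive(intermediary(msg, tamper=True), key))  # Body changed in transit
```

With transport protection alone, each hop's security context ends at the intermediary and the service cannot tell the two forwarded messages apart.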
21
Proposed Security Specification
Initial Specifications
• WS-Security
• WS-Policy
• WS-Trust
• WS-Privacy
Follow-on Specifications
• WS-SecureConversation
• WS-Federation
• WS-Authorization
22
WS-Security
• Is the foundation for all of the other specs
• Provides end-to-end message-level security for SOAP messages
• Defines a SOAP Header element to carry security-related data
• SecurityToken is defined under the <Security> tag, containing <UsernameToken> and <BinarySecurityToken>
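The `<Security>` header with a `<UsernameToken>`, built by a sender and checked by a receiver, as an added Python example that is not part of the original deck. It assumes the namespaces and PasswordDigest form of the later OASIS WSS 1.0 Username Token Profile; the user name, password and nonce are constructed sample values.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"
NS = {"s": SOAP, "wsse": WSSE, "wsu": WSU}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Username Token Profile: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_envelope(user, password, nonce, created):
    """Sender: SOAP envelope whose Header carries <wsse:Security>/<wsse:UsernameToken>."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env)

def verify_envelope(xml_bytes, passwords, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Receiver: (ok, reason); constant-time digest check, rejects stale and replayed tokens."""
    try:
        tok = ET.fromstring(xml_bytes).find("s:Header/wsse:Security/wsse:UsernameToken", NS)
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        pw_type, claimed = pw.get("Type"), pw.text or ""
        nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS), validate=True)
        created = tok.findtext("wsu:Created", namespaces=NS)
        when = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return False, "malformed"
    if pw_type != DIGEST:
        return False, "unsupported password type"
    if abs(now - when) > max_age:
        return False, "stale"
    expected = password_digest(nonce, created, passwords.get(user, ""))
    if user not in passwords or not hmac.compare_digest(expected.encode(), claimed.encode()):
        return False, "bad credentials"
    if nonce in seen_nonces:  # checked after authentication so strangers cannot fill the cache
        return False, "replayed"
    seen_nonces.add(nonce)
    return True, "ok"

if __name__ == "__main__":  # constructed sample values, not taken from the slides
    now, seen = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), set()
    msg = build_envelope("alice", "s3cret", b"\x01" * 16, now.strftime(FMT))
    for _ in range(2):  # the second, identical message is a replay
        print(verify_envelope(msg, {"alice": "s3cret"}, seen, now))
```

A captured digest token can still be guessed against offline, so it needs transport or message-level protection around it, and a production receiver should parse untrusted XML with a hardened parser.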
23
WS-Security
Message integrity is provided by XML Signature and security tokens
Message confidentiality is provided by XML Encryption with security tokens
24
WS-Security
25
WS-Policy
<SecurityToken> - what type, which issuer
<Integrity> - options for digital signature
<Confidentiality> - options for encryption algorithm
<Visibility> - which portion of the message must be unencrypted
Specifies how senders and receivers agree on the security requirements and capabilities
26
WS-Trust
Defines a way to use SOAP to talk to a KDC, CA or any other security token service center
Uses <RequestSecurityToken> and <RequestSecurityTokenResponse> elements
The model for establishing both direct and brokered trust relationships
27
WS-Privacy – defines the privacy policies, such as ACL and delegation
WS-SecureConversation – defines XML types and interactions that allow the establishment of a security context and the creation of keys that are specific to that context
28
WS-Federation – defines how to construct federated trust among different security token service centers
WS-Authorization – describes how access policies for a web service are specified and managed
29
Where are we now?
30
Wireless Web Service
31
SOAP
• Lightweight protocol
• Exchange structured information in a decentralized, distributed environment
• Use XML as message framework
• Interoperable among different systems
32
SOAP
33
Why SOAP?
Provide rich data types (more than 40)
Support various messaging schemes
Bind with other protocols/standards
34
Java APIs for XML
Document-oriented
• JAXP
• JAXB
Procedure-oriented
• JAX-RPC
• JAXM
• JAXR
35
JAXP
• Java APIs for XML Processing
• XML Parser
• Support XSLT
• Include SAX Parser (event-based parser) and DOM Parser (tree-based)
36
JAXB
• Java Architecture for XML Binding
• Provide mapping between XML documents and Java objects
• Based on XML Schema/DTD to build Java Object
37
JAXP vs JAXB
Use JAXB when
• Access data in memory, but do not need tree manipulation capabilities
• Process only data that is valid
• Convert data to different types
• Generate classes based on a DTD
• Build object representations of XML data.
38
JAXP vs JAXB
Use JAXP when
• Have flexibility with regard to the way you access the data: either serially with SAX or randomly in memory with DOM
• Use your same processing code with documents based on different DTDs
• Parse documents that are not necessarily valid
• Apply XSLT transforms
• Insert or remove objects from an object tree that represents XML data
39
JAXM
• Java API for XML Messaging
• SAAJ (SOAP with Attachments API for Java) 1.1 is the javax.xml.soap package for creating SOAP messages, adding message content, and extracting message content.
• JAXM 1.1 is the javax.xml.messaging package for using a messaging provider and to send one-way messages. It is always used in conjunction with the SAAJ 1.1 API.
40
JAXR
• Java™ API for XML Registries
• Provides a convenient way to access standard business registries over the Internet.
41
JAX-RPC
• Java™ API for XML-based RPC
• Is a collection of procedures that can be called by a remote client over the Internet
• Supports SOAP 1.2 and WSDL
42
What you need for J2ME Web Service?
Server Side
• Apache Axis (for SOAP parsing)
• Web Service tool kit (e.g. WSDK)
Client Side
• kSOAP / JSR 172
• Wireless Toolkit
43
kSOAP
• A parser based on kXML
• kSOAP 1.2 supports SOAP 1.2
44
JSR 172
• Provide subset of JAXP
• Provide subset of JAX-RPC
• Will be released in summer 2003
45
Wireless Web Service Security?
• Just starting
• Simple XML digital signature can be done
• Need to use third-party APIs