This book is about SOA security. The focus of the book is neither SOA nor security. Instead, it focuses on the intersection between security and SOA implementations.
SOA, or Service-Oriented Architecture, is a new and popular paradigm of IT. SOA uses services as building blocks to organize and architect the applications in an enterprise. There are several different ways these services can be built, put together, and offered.
Security is a well-understood concept, at least in the context of applications. You secure an application against various threats: network eavesdroppers, users (both internal and external), and other programs. There are various techniques, libraries, packages, and best practices you use to achieve this goal.
In the context of SOA, instead of securing a single application, you must secure the architecture as a whole. On one hand, you need to keep the services, the building blocks, open so that applications, both internal and external, can easily reuse them. On the other hand, unless these services are properly secured, they can be misused to cause security breaches. How do we secure services without reducing their reusability?
There are additional questions to answer as well. How do we ensure security when services from different providers are brought together to create higher-level services? How can we make management, including changes to the security, cost-effective when a large number of services need to be secured?
This book provides concrete answers to these questions and more. It is intended to be of use to multiple audiences: architects, designers, developers, and IT managers. Its explanation of theoretical underpinnings and concise description of standards is helpful to architects and designers. Through its use of code examples, it provides material for developers to tinker with and learn from and to use in their code. Through its description of enterprise-level SOA security architecture, it helps IT managers to deploy SOA security solutions in practice.
Since this book is meant for a diverse audience, we have divided it into three parts: the basics of SOA, the building blocks of SOA security, and enterprise SOA security.
The first part teaches you the basics of SOA. It is not meant as a comprehensive guide to SOA, but it has enough details for you to follow the rest of the book. We introduce you to some of the best practices, toolkits, and techniques through simple solutions. Developers may find this part useful, even if they are familiar with SOA.
The second part deals with the nuts and bolts of SOA security. We introduce you to each aspect of SOA security: authentication, authorization, nonrepudiation, and so on, in isolation. This part is self-contained and provides the theory as well as the code which illustrates the theory. Developers and designers will benefit from these chapters.
The last part is about building real SOA security solutions using the techniques we built up in the previous parts. We outline several real-life problems and discuss possible frameworks that can solve them. Since these chapters use code developed in earlier chapters, they do not contain listings. This part will be accessible to all readers, even to those without hands-on experience. It will be particularly useful for architects as well as IT managers.
To make the most of this book, we expect readers to be familiar with the following:
In other technical matters, this book is self-sufficient and self-explanatory. We provide all the definitions and explanations needed to understand the material presented in all the chapters.
This book not only addresses different audiences, it also covers a wide range of uses, from casual to complex. Whether you need simple security for just a few services, a framework for all of your enterprise services, or a way to extend a vendor solution, this book has information you can use to address that need.
If you are a developer of a simple web services-based application, you will benefit from reading parts I and II. You will understand different aspects of security that need to be addressed and will be able to quickly ascertain the appropriate solution and implement it in your application.
If you are developing SOA security frameworks, you will benefit from parts II and III. Since developing such frameworks requires more grounding in SOA than this book provides, we assume that background in these sections.
Not everybody develops security solutions from the ground up. Some may be using security frameworks available with a commercial service bus or application server such as WebLogic or WebSphere. These frameworks can simplify several tasks. For example, some come with full-fledged implementations of authentication frameworks; all you need to do is configure them appropriately.
If you are using such a framework, this book provides valuable theoretical background for practical issues. For example, you will learn the basics of encryption and its limitation. You will learn about digital certificates and their limitations. Framework facilities may reduce the direct applicability of the code in the examples, but the essential lessons remain the same.
In addition, the book fills the gap in the completeness of the solutions provided by the packaged frameworks. This book will help you to figure out whether a packaged framework is good enough for your needs and how to implement the missing functionality.
A new breed of frameworks is evolving into complete SOA security platforms. They provide full-fledged working solutions that only need to be configured, and they often come in the form of an appliance.
However radically different these platforms may be, they still use the open standards illustrated in this book. The example code may not be needed on these platforms, but the understanding of the standards that this book provides will help you leverage such a platform to solve practical problems.
The following conventions are used throughout the book:
Courier typeface is used in all code listings, and within text for code words and class and method names. The source code for all the examples in the book can be downloaded from the publisher's website at http://www.manning.com/kanneganti or http://www.manning.com/SOASecurity. To run the source code, you will need a Windows XP or 2000 machine with 256MB or more of RAM. You will need access to the Internet to download the prerequisites for running the source code, but not to run the examples themselves.
Purchase of SOA Security includes free access to a private web forum run by Manning Publications where you can make comments about the book, ask technical questions, and receive help from the authors and from other users. To access the forum and subscribe to it, point your web browser to http://www.manning.com/kanneganti or http://www.manning.com/SOASecurity. This page provides information on how to get on the forum once you are registered, what kind of help is available, and the rules of conduct on the forum.
Manning's commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the authors can take place. It is not a commitment to any specific amount of participation on the part of the authors, whose contribution to the book's forum remains voluntary (and unpaid). We suggest you try asking the authors some challenging questions, lest their interest stray!
The Author Online forum and the archives of previous discussions will be accessible from the publisher's website as long as the book is in print.
The figure on the cover of SOA Security is simply called a Soldier, presumably of the Persian Army. The illustration is taken from a collection of costumes of the Ottoman Empire published on January 1, 1802, by William Miller of Old Bond Street, London. The title page is missing from the collection and we have been unable to track it down to date. The book's table of contents identifies the figures in both English and French, and each illustration bears the names of two artists who worked on it, both of whom would no doubt be surprised to find their art gracing the front cover of a computer programming book...two hundred years later.
The collection was purchased by a Manning editor at an antiquarian flea market in the Garage on West 26th Street in Manhattan. The seller was an American based in Ankara, Turkey, and the transaction took place just as he was packing up his stand for the day. The Manning editor did not have on his person the substantial amount of cash that was required for the purchase, and a credit card and check were both politely turned down. With the seller flying back to Ankara that evening the situation was getting hopeless. What was the solution? It turned out to be nothing more than an old-fashioned verbal agreement sealed with a handshake. The seller simply proposed that the money be transferred to him by wire and the editor walked out with the bank information on a piece of paper and the portfolio of images under his arm. Needless to say, we transferred the funds the next day, and we remain grateful and impressed by this unknown person's trust in one of us. It recalls something that might have happened a long time ago.
The pictures from the Ottoman collection, like the other illustrations that appear on our covers, bring to life the richness and variety of dress customs of two centuries ago. They recall the sense of isolation and distance of that period, and of every other historic period except our own hyperkinetic present.
Dress codes have changed since then and the diversity by region, so rich at the time, has faded away. It is now often hard to tell the inhabitant of one continent from another. Perhaps, trying to view it optimistically, we have traded a cultural and visual diversity for a more varied personal life. Or a more varied and interesting intellectual and technical life.
We at Manning celebrate the inventiveness, the initiative, and, yes, the fun of the computer business with book covers based on the rich diversity of regional life of two centuries ago, brought back to life by the pictures from this collection.