SOA Security
Ramarao Kanneganti and Prasad A. Chodavarapu
  • December 2007
  • ISBN 9781932394689
  • 512 pages
  • printed in black & white

All the security your SOA needs.

Patrick Steger, Software Architect and Security Engineer, Zühlke Engineering AG

Anyone seeking to implement SOA Security is forced to dig through a maze of inter-dependent specifications and API docs that assume a lot of prior security knowledge on the part of readers. Getting started on a project is proving to be a huge challenge to practitioners. SOA Security seeks to change that. It provides a bottom-up understanding of security techniques appropriate for use in SOA without assuming any prior familiarity with security topics.

Table of Contents

preface

acknowledgments

about this book

Part I SOA basics

1. SOA requires new approaches to security

1.1. SOA lowers long-standing barriers

1.1.1. Basic tenets of SOA

1.1.2. Idea of a service

1.2. Lowering of barriers forces us to rethink security

1.3. Functional aspects of security: With and without SOA

1.3.1. Authentication

1.3.2. Authorization

1.3.3. Data confidentiality

1.3.4. Data integrity and nonrepudiation

1.3.5. Protection against attacks

1.3.6. Privacy protection

1.4. Nonfunctional aspects of security

1.4.1. Interoperability

1.4.2. Manageability

1.4.3. Ease of development

1.5. New security approaches for SOA

1.5.1. Message-level security

1.5.2. Security as a service

1.5.3. Policy-driven security

1.6. Current SOA security implementation choices

1.7. Summary

Suggestions for further reading

2. Getting started with web services

2.1. Setting up tools and environment

2.1.1. Choosing a platform and a toolkit

2.1.2. Getting started with Apache Axis

2.2. XML basics

2.2.1. XML data format

2.2.2. XML namespaces

2.2.3. XML schema

2.2.4. Processing XML

2.2.5. XPath

2.3. SOAP basics

2.3.1. SOAP message exchange model

2.3.2. Anatomy of a SOAP message

2.3.3. RPC with SOAP

2.3.4. Document exchange with SOAP

2.3.5. SOAP Fault

2.4. WSDL basics

2.4.1. Describing a service with WSDL

2.4.2. Understanding ports and port types

2.4.3. Understanding bindings

2.5. Web services in action with Apache Axis

2.5.1. Creating a web service

2.5.2. Consuming a web service

2.5.3. Using a web service from .NET

2.6. Choices in service design

2.6.1. Wrap existing interfaces or design from scratch?

2.6.2. To use SOAP or not?

2.6.3. Start with WSDL or generate it?

2.6.4. Should security context be part of the interface?

2.6.5. RPC or document exchange?

2.8. Summary

Suggestions for further reading

3. Extending SOAP for security

3.1. Finding the right approach for security in SOAP

3.1.1. Lessons from web authentication schemes

3.1.2. Authentication at the HTTP layer

3.1.3. Choices for security implementation in SOAP

3.2. Extending SOAP with headers

3.2.1. Anatomy of a SOAP header

3.2.2. Standard header entry attributes

3.3. WS-Security: The standard extension for security

3.3.1. Introduction to WS-Security

3.3.2. Example: Identifying a brokerage service user

3.4. Processing SOAP extensions using handlers

3.4.1. How handlers work

3.4.2. Outline of the solution

3.4.3. Implementing a server-side JAX-RPC handler

3.4.4. Implementing a client-side JAX-RPC handler

3.4.5. Handler chains

3.4.6. Configuring handlers and handler chains

3.5. Processing SOAP extensions using intermediaries

3.5.1. Preserving the endpoint information: WS-Addressing

3.5.2. SOAP processing rules for intermediaries

3.6. SOAP Extensions FAQ

3.6.1. What should go into the headers?

3.6.2. How do we standardize on headers?

3.6.3. How many handlers?

3.6.4. How do we support handlers?

3.7. Summary

Suggestions for further reading

Part II Building blocks of SOA security

4. Claiming and verifying identity with passwords

4.1. Authentication with username and password

4.1.1. Example: Username and password in WS-Security

4.1.2. Implementing username/password scheme: client-side

4.1.3. JAAS: A generic framework for authentication

4.1.4. Implementing username/password scheme: server-side validation

4.2. Using password digest for authentication

4.2.1. How password digest authentication works

4.2.2. Password digest authentication in action

4.2.3. Implementing password digests: client-side

4.2.4. Implementing password digests: server-side validation

4.3. Is password authentication the right solution for you?

4.3.1. Why is the digest scheme secure?

4.3.2. Problems with digest authentication

4.3.3. Limitations of password-based schemes

4.4. Summary

Suggestions for further reading

5. Secure authentication with Kerberos

5.1. Authentication requirements in SOA

5.2. Introduction to Kerberos

5.2.1. Basic ideas behind Kerberos

5.2.2. Authentication sequence

5.2.3. Beyond client authentication

5.2.4. Roadmap for the rest of the chapter

5.3. Implementing Kerberos with JAAS and GSS APIs

5.3.1. Client-side implementation

5.3.2. Service-side implementation

5.4. Using Kerberos with WS-Security

5.4.1. Running the Kerberos example

5.4.2. Adding a Kerberos ticket to a WS-Security header

5.4.3. Using a Kerberos ticket for authentication

5.4.4. Adding a Kerberos ticket on the client-side

5.4.5. Processing a Kerberos ticket on the service-side

5.5. What authentication scheme to use?

5.6. Summary

Suggestions for further reading

6. Protecting confidentiality of messages using encryption

6.1. Encryption in action: an example

6.2. The basics of encryption

6.2.1. Types of encryption algorithms

6.2.2. PKI: A framework for encryption

6.3. Programming with digital certificates

6.3.1. Creating digital certificates

6.3.2. Point to point encryption with digital certificates (SSL/TLS)

6.3.3. Java APIs for encryption

6.4. Encrypting SOAP messages

6.4.1. Example: Sending user credentials with selective encryption

6.4.2. Encrypting-side implementation

6.4.3. Decrypting-side implementation

6.5. Practical issues with encryption

6.6. Summary

Suggestions for further reading

7. Using digital signatures

7.1. The basics of XML signatures

7.1.1. Challenges in signing XML

7.1.2. XML canonicalization

7.2. Signing SOAP messages

7.2.1. Example: Signing order creation request

7.2.2. Sender-side implementation

7.2.3. Receiver-side implementation

7.3. Practical issues with signatures

7.3.1. Three rules of signatures

7.3.2. Mixing encryption and signatures

7.3.3. Which canonicalization scheme?

7.4. Summary

Suggestions for further reading

Part III Enterprise SOA security

8. Implementing security as a service

8.1. Security as a service

8.1.1. Is a security service technically feasible?

8.1.2. Standards for implementing security as a service

8.2. Analyzing possible uses of a security service

8.2.1. Use case 1: Destination endpoint invokes security service out-of-band

8.2.2. Use case 2: Source endpoint invokes security service out-of-band

8.2.3. Use case 3: Both endpoints invoke security service out-of-band

8.2.4. Use case 4: Security service as an explicit intermediary

8.2.5. Use case 5: Security service as an implicit intermediary

8.3. Conveying the findings of a security service: SAML

8.3.1. SAML assertion basics

8.3.2. AuthenticationStatement: Asserting authentication results

8.3.3. AttributeStatement: Asserting user attributes

8.3.4. AuthorizationDecisionStatement: Asserting authorization decisions

8.4. Example implementation using OpenSAML

8.4.1. Client-side implementation

8.4.2. Security service implementation

8.4.3. Server-side implementation

8.5. Standards for security service interfaces

8.5.1. WS-Trust

8.5.2. SAML protocol

8.6. Summary

Suggestions for further reading

9. Codifying security policies

9.1. Introducing declarative security

9.1.1. Policy consolidation for planning and consistent enforcement

9.1.2. Use at design time to ensure interoperability

9.1.3. Use at runtime to ensure interoperability

9.2. Interoperability challenges in SOA security

9.2.1. Sources of incompatibility

9.2.2. WS-I basic security profile

9.3. Web services policy framework

9.3.1. What is a policy?

9.3.2. WS-Policy

9.3.3. Standards for fetching policy: WS-MetadataExchange and WS-PolicyAttachment

9.4. WS-SecurityPolicy

9.4.1. Security assertions for endpoints

9.4.2. Security assertions for messages

9.4.3. Security assertions for operations

9.4.4. Limitations of WS-SecurityPolicy

9.5. Summary

Suggestions for further reading

10. Designing SOA security for a real-world enterprise

10.1. Meeting the demands of enterprise IT environments

10.1.1. Large and diverse user base

10.1.2. Long life cycle

10.1.3. Robustness

10.1.4. Manageability

10.1.5. Integration with diverse legacy applications

10.2. Securing diverse services

10.2.1. Services developed from scratch

10.2.2. Services wrapping legacy applications

10.2.3. Services composed of other services

10.3. Choosing a deployment architecture

10.3.1. For securing services in the intranet

10.3.2. For securing services offered to the public

10.3.3. For securing services offered to/by partners

10.4. Making the solution industrial-strength

10.4.1. Performance

10.4.2. Scalability

10.4.3. Availability

10.5. Vulnerability management

10.5.1. Common vulnerabilities

10.5.2. XML-specific vulnerabilities

10.5.3. Vulnerability remediation workflow

10.6. Summary

Suggestions for further reading

Appendix A: Limitations of Apache Axis

Appendix B: WS-SecureConversation

Appendix C: Attaching and securing binary data in SOAP

Appendix D: Securing SAML assertions

Appendix E: Application-Oriented Networking (AON)

index

About the book

Unlike most other books about SOA that merely describe the standards, this book helps readers learn through action, by walking them through sample code that illustrates how real life problems can be solved using the techniques and best practices described in the standards. It simplifies things: where standards usually discuss many possible variations of each security technique, this book focuses on the 20% of variations that are used 80% of the time. This keeps the material covered useful for all readers except the most advanced.

What's inside

  • Why SOA Security is different from ordinary computer security, with real-life examples from popular domains such as finance, logistics, and government.
  • How things work with open source tools and code examples, as well as with proprietary tools.
  • How to implement and architect security in enterprises that use SOA. Covers WS-Security, XML Encryption, XML Signatures, and SAML.

About the author

Dr. Ramarao (Rama) Kanneganti is Chief Technology Officer (CTO) at HCL EAI Services. Rama has a Ph.D. in programming languages from Rice University, and worked at Bell Labs in databases and large programming systems. Currently, he advises enterprise clients in formulating and evaluating SOA strategies. Rama works out of Grosse Pointe Woods (near Detroit), Michigan.

Prasad A. Chodavarapu is General Manager (Technology) at HCL EAI Services, Bangalore, India. Prasad leads service teams designing and deploying integration solutions at enterprises world-wide. Prasad’s current focus is on the use of application-oriented networking technologies to implement and secure SOA.
