Web Services Security

Authors: Mark O’Neill with Phillip Hallam-Baker, Sean Mac Cann, Mike Shema, Ed Simon, Paul A. Watters and Andrew White
Pages: 312
Publisher: McGraw-Hill Professional
ISBN: 0072224711


Web Services are appearing and dominate as new application solutions. At the same time they present great challenges for security. This book describes a union of Web Services and information security. Several technologies are presented (i.e. XML Signature, XML Encryption, SAML…), and then related to Web Services so that the reader can get the whole picture.

About the authors

Mark O’Neill, Chief Technical Officer at Vordel, oversees the development of Vordel’s technical strategy and product development in the areas of XML and security. He is also an advisor to the XML.org industry newsletter.

Dr. Phillip Hallam-Baker is a leading contributor to numerous XML and Web Services security standards including XKMS (Editor), SAML (co-Editor), WS-Security (co-Editor), XML Signature, and XML Encryption.

Se??n Mac Cann is a commercial lawyer from Co. Tyrone, Ireland. He works mostly with technology start-ups.

Mike Shema is a security consultant and trainer for Foundstone. He has preformed dozens of security reviews for clients in the financial, telecommunications, software, and e-commerce industries.

Ed Simon has been an ardent advocate and implementer of XML since 1997 and is co-author of both the XML Signature and XML Encryption specifications.

Paul A. Watters received his Ph.D. in computer science from Macquarie University. His research areas include virtual enterprises, secure distributed storage, and complex systems.

Andrew White is Chief Security Architect at Vordel. For the past ten years, he’s been working in the information security field.

Inside the book

The book consists of five parts and each of them is dedicated to one topic. The first part is, as expected, entitled Introduction. The authors present web services, security, and some new challenges as well as new threats. As an introduction to Web Services Security they define web services as applications that can be described, published, located, and invoked over a network. Here you find an introduction to XML as a quite verbose language.

Speaking about security, some building blocks of security are presented: confidentiality, authentication, authorization, integrity, non-repudiation, privacy, and availability.

The challenges presented are: the challenge of security based on the end user of a web service; the challenge of maintaining security while routing between multiple web services and the challenge of abstracting security from the underlying network. While reading one practical example you can create a simple web service. What about the threats? Well, some old threats are still current, such as buffer overflows, and attempts to exploit other programming errors, but the new one is avenue of attack SOAP. Some categories of attacks are included: SQL attacks, directory traversal attacks and URL string attacks. Also, here you find the role of firewalls for web services because it’s important to ensure that the firewall rules are synchronized with web services.

The second part is dedicated to XML Security and it’s divided into five chapters. In the first one, the authors are making sense of XML signature. Enveloped, enveloping, and detached XML signatures are described with some samples. Also, it’s understandable how XML signature allows multiple documents to be signed. The authors present uses of XML signature for web services security through persistent integrity, non-repudiation, and authentication, including replay attacks. And, most important in this chapter, you can find how an XML signature is created and validated.

The following chapter explains what XML encryption is and what it isn’t. First, you get an introduction to XML encryption followed by encryption scenarios: encrypting an XML element and its contents, encrypting the content of an XML element, and encrypting arbitrary data (including XML). Next, the steps involved in encrypting data are brougth forth. Finally, the authors bring some code examples through the encryption process using Java classes provided by the XML security suite.

Next comes the SAML chapter which brings you closer to SAML and how does it enable portable trust authentication. Because SAML enables portable trust by supporting the assertion of authentication of single principals between different domains, this chapter introduces three types of assertions: authentication assertion, authorization decision assertion, and attribute assertion with explanation of these concepts. Also, you find SAML architecture through two actions: the policy decision point (PDP) and the policy enforcement point (PEP).

In the chapter entitled XACML, the authors define rules to allow access to resources based on characteristics of the requester, characteristics of the request protocol, and the authentication context. In order to understand XACML, the authors describe two basic access control models: access control lists (ACL) and role-based access control (RBAC). When this is assimilated, you can read definition of a rule in XACML: “A target, an effect, and a set of conditions”. Each concept is described till the specific meanings, and also presented by example rule. Beside rules, an important aspect is a “policy” in XACML. A policy is sketched by content included into it. For getting a better picture the XACML architectural diagram is depicted here. The whole story about XACML ends with security considerations when using XACML. You can see how cryptography may be used to protect the integrity and confidentiality.

What follows is a XKMS dedicated chapter. XKMS is a web service that supports management of public keys. Commonly cited PKI are given, and also five easy points which are needed to understand XKMS and PKI. Some time is spend to describe the advantages of PKI such as reduced client complexity, and easy of coding. Beside that, you can read about the key binding association which is a new PKI credential; about the XKMS protocol; about services that are supported by each protocol, first, the X-KISS protocol with services: locate and validate, both presented with some examples, and 2nd, X-KRSS protocol with services: register, recover, reissue, and revoke.

Part three of the book brings you closer to WS-Security. If you didn’t hear about the WS-security in 2001, when it was initially released, you can now read about it. The bases of this chapter are IBM and Microsoft WS-security specifications. By watching their stack of specification you see dependence of SOAP, WS-security, WS-policy, WS-trust, WS-privacy, WS-SecureConversation, WS-federation, and WS-authorization. Furthermore, you will find XML elements and attributes which are defined by the WS-security specifications. There are a number of errors that can occur when SOAP message formatted using WS-security is processed, so, you will find the error handling part very interesting.

Part four is taking up with security in web services frameworks. There are three chapters included. The first one is dedicated to Microsoft technologies in the Web Services arena. You can take a look at the Kerberos protocol whose scale is to protect users’ credentials and passport technology as a single sing-on implementation that facilitates user’s interaction among authentication-based applications. The authors also offer an introduction to the Liberty Alliance Project (a.k.a. Liberty). If you are asking yourself where is the connection between Liberty and web services, than you’ll have to read this chapter. You’ll find some terms you have to remember, some examples, and closing words – liberty tomorrow.

Although UDDI and security are not often mentioned together, here, in this chapter you find an UDDI overview, securing transactions with the UDDI services, and explanation of the UDDI roles: publisher, inquirers, and subscribers. After reading this chapter you will know the six types of data which are permitted in a UDDI registry, what are the attributes of explained elements, and how subscribers are authenticated.

The last part of the book brings up ebXML (electronic business XML) but not as web services technology. In the ebXML security overview, you find that it’s conceived and designed with security in mind. Four major areas of ebXML are discussed: business processes, collaboration protocol profile and agreement, message services, and registry information and services. The authors also discuss the security considerations in the ebXML registry over the standards’ requirements.

The next subject is legal considerations. In this chapter the role of contract law in online security is described. You will learn what contract is, a legislative definition of an electronic signature, and, most interesting, which legal component maps to the right security component. Each of the components is detailed.

The appendix contains case studies: local government service portal, foreign exchange transactions, and XML gateway rollout. For each of them the security factors are identified and the security measures are sketched.

At the end

First of all, it is important to understand that Web Services security cannot rely on web security. Web Services does not rely on HTTP. “Services” is a services-oriented architecture (SOA).

I definitely agree with authors who have written that the intended audiences of this book are programmers and architects in charge of deploying Web Services. This is a specific area of security, so you must have some previous knowledge of mentioned technologies. If you plan to get into this publication, you will certainly find it very interesting and docile.

Don't miss