Web Service Standards, Security & Management Chris Peiris www. Chris. Peiris. com 11 Oct 2006 © Chris. Peiris. com
Agenda n Web Services Standards ¡ ¡ n n n OASIS WS-I Web Service Security Web Service Management Future Enterprise SOA trends ¡ 11 Oct 2006 Web 2. 0, Ajax, Saa. S © Chris. Peiris. com 2
Where are we heading? 11 Oct 2006 © Chris. Peiris. com 3
Web Services Standards n n SOA Demo 1 – Real World SOA Many Vendors ¡ ¡ n n IBM SUN Microsoft BEA etc. . How do they communicate with each other? Standards!! 11 Oct 2006 © Chris. Peiris. com 4
Web Services Standards n Tale of “many vendors” ¡ n n n Do “it our way” – or else we can not assist you! IBM, Sun & Microsoft was instrumental in creating the first drafts. Who owns the standards? OASIS - Organization for the Advancement of Structured Information Standards. 11 Oct 2006 © Chris. Peiris. com 5
OASIS n n OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML). OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards. 11 Oct 2006 © Chris. Peiris. com 6
Implementing OASIS standards n What does the OASIS standards try to address? ¡ ¡ ¡ n Interoperability Common methodology Increase efficiency Is there a specialized body that’s taken the responsibility of implementing these OASIS standards? 11 Oct 2006 © Chris. Peiris. com 7
WS-I n n n WS-I Interoperability The Web Services-Interoperability Organization (WS-I) is an open, industry organization-chartered to promote Web services interoperability across platforms, operating systems, and programming languages. WS- Basic Profile ¡ 11 Oct 2006 http: //www. ws-i. org/Profiles/Basic. Profile-1. 02004 -04 -16. html © Chris. Peiris. com 8
WS-I Basic Profile n The WS-I Basic Profile defines an interoperable subset of the core Web services specifications, including XML Schema, ¡ ¡ ¡ n SOAP 1. 1 WSDL 1. 1 UDDI 2. 0, by specifying refinements, interpretations, and clarifications of these specifications. 11 Oct 2006 © Chris. Peiris. com 9
Basic Profile Specifications n n n n Simple Object Access Protocol (SOAP) 1. 1. Extensible Markup Language (XML) 1. 0 (Second Edition). RFC 2616: Hypertext Transfer Protocol -- HTTP/1. 1. RFC 2965: HTTP State Management Mechanism. Web Services Description Language (WSDL) 1. 1. XML Schema Part 1: Structures. XML Schema Part 2: Datatypes. The UDDI Version 2. 04 API Published Specification, Dated 19 July 2002. UDDI Version 2. 03 Data Structure Reference, Published Specification, Dated 19 July 2002. Version 2. 0 UDDI XML Schema 2001. UDDI Version 2. 03 Replication Specification, Published Specification, Dated 19 July 2002. Version 2. 03 Replication XML Schema 2001. UDDI Version 2. 03 XML Custody Schema. UDDI Version 2. 01 Operator's Specification, Published Specification, Dated 19 July 2002 11 Oct 2006 © Chris. Peiris. com 10
Web Service Specifications n Web services specifications compose together to provide interoperable protocols for Security, Reliable Messaging, and Transactions in loosely coupled systems. The specifications build on top of the core XML and SOAP standards 11 Oct 2006 © Chris. Peiris. com . 11
Messaging Specifications SOAP WS-Addressing MTOM (Attachments) WS-Eventing WS-Transfer SOAP-over-UDP SOAP 1. 1 Binding for MTOM 1. 0 11 Oct 2006 © Chris. Peiris. com 12
Agenda n Web Services Standards ¡ ¡ n n n OASIS WS-I Web Service Security Web Service Management Future Enterprise SOA trends ¡ 11 Oct 2006 Web 2. 0, Ajax, Saa. S © Chris. Peiris. com 13
Security Specifications WS-Security: SOAP Message Security WS-Security: Username. Token Profile WS-Security: X. 509 Certificate Token Profile WS-Secure. Conversation WS-Security. Policy WS-Trust WS-Federation WS-Security: Kerberos Binding Web Single Sign-On Interoperability Profile 11 Oct 2006 © Chris. Peiris. com 14
Web Services Security n n OASIS Standard 1. 1 The following documents make up the WSSecurity 1. 1 OASIS standard. . ¡ ¡ ¡ ¡ 11 Oct 2006 WS-Security Core Specification 1. 1 Username Token Profile 1. 1 X. 509 Token Profile 1. 1 SAML Token profile 1. 1 Kerberos Token Profile 1. 1 Rights Expression Language (REL) Token Profile 1. 1 SOAP with Attachments (SWA) Profile 1. 1 © Chris. Peiris. com 15
What do they solve? n n n Authentication Authorization Non – repudiation ¡ n Data Integrity ¡ n Digital Signatures & Sign messages Hashing How do they implement it? ¡ Using Token n 11 Oct 2006 Multiple Implementations : SAML, Kerberos, Certificates Custom tokens Certificates are issued by ‘trusted’ vendors – RSA, Verisign Kerberos token are used by Windows Operating System manage user credentials © Chris. Peiris. com 16
Vendor Implementation of WS Security n Microsoft ¡ ¡ n n n Web Services Enhancements Windows Communication Framework IBM – Soap Extensions to Web Sphere BEA Sun Java Every major vendor has implemented WS Security to their programming stack Demo 2 – Microsoft WS Security Implementation using WSE However, what is the standard way to exchange these WS Security information programmatically? Is there a preferable markup language that we can use? 11 Oct 2006 © Chris. Peiris. com 17
What is SAML? n Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization ¡ • Assertions: n n ¡ ¡ ¡ n Declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item). Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP. Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems. Implemented as tokens 11 Oct 2006 © Chris. Peiris. com 18
WS Federation n Federated Security Model 11 Oct 2006 © Chris. Peiris. com 19
Advantages of Federated Security Model n n The flexibility of proving one set of credentials to a user (i. e. Certificate by the client) and converting it to another set of credentials (i. e. SAML token) can be utilized in many scenarios to add value to the customers. We also have the flexibility of altering our internal (i. e. The client can provide username password pair to replace the certificate) but our external implementation of the claims will not be changed. (i. e. The broker will still create the same SAML token with the username password pair). 11 Oct 2006 © Chris. Peiris. com 20
More Specifications n n Reliable Messaging Specifications WS-Reliable. Messaging Transaction Specifications WS-Coordination WS-Atomic. Transaction WS-Business. Activity 11 Oct 2006 © Chris. Peiris. com 21
Agenda n Web Services Standards ¡ ¡ n n n OASIS WS-I Web Service Security Web Service Management Future Enterprise SOA trends ¡ 11 Oct 2006 Web 2. 0, Ajax, Saa. S © Chris. Peiris. com 22
Web Services Management n n n “Web services enables heterogeneous software environment to share data to facilitate business needs. They support open standards (XML, SOAP, WSDL, UDDI) that will enable a "common communication platform" between distributed business partners. Web services can be built on many software platforms. (Microsoft, Java, IBM). All implementations focus on the "creation" and the "consumption" of web services. However, the concept of "managing the web service" is not explored in detail. 11 Oct 2006 © Chris. Peiris. com 23
Web Service Management n Is there a framework to provide guidance to manage web services architecture? ¡ n n Demo 3 Is there a unified set of principals that can be used with heterogeneous technologies to manage web services on multiple software platforms? Will WS-Management answer these questions? Can an agent framework be utilized to mange web services features – for example ‘security’? ” 11 Oct 2006 © Chris. Peiris. com 24
Web Service Management Specifications n n n Management Specifications WS-Management Catalog Business Process Specifications BPEL 4 WS (Business Process Execution Language for Web Services Specification) Demo 4 – Managing SOA apps 11 Oct 2006 © Chris. Peiris. com 25
Agenda n Web Services Standards ¡ ¡ n n n OASIS WS-I Web Service Security Web Service Management Future Enterprise SOA trends ¡ Web 2. 0, Ajax, Saa. S 11 Oct 2006 © Chris. Peiris. com 26
Future SOA Trends n Rich UI Platforms / Smart Clients ¡ n Web 2. 0 ¡ n Ajax / Atlas Demo 5 Saas (Software as a Service) ¡ Not a product – but a service! n n Why – more allocation of cost / more control over cost centers Infrastructure as a Service ¡ 11 Oct 2006 Demo 6 © Chris. Peiris. com 27
Скачать презентацию Web Service Standards Security Management Chris Peiris
5693b1eca7c8838ef34013464d9f1ce5.ppt