 |
| Mastering Web Services Security |
Konstantine Beznosov, Shirley Kawamoto
“A much needed source for those building secure, next generation Web Services.”
Michael Howard
Senior Program Manager, Security Engineering, Microsoft Corp.
“Without strong security, Web Services will, in the end, have but little impact on business.
Mastering Web Services Security provides important practical guidance and theory
for building secure services now and preparing for future secure Web Services standards.”
Randy Heffner
VP & Research Leader, Giga Information Group
“The authors manage to cover an impressive collection of WS security topics in a nononsense,
how-to style, while zeroing in on important techniques and critical points
with specific source code examples and diagrams.”
Max Levchin
co-founder, PayPal, Inc
“Bret Hartman and his fellow authors have set the standard for Web Services security
books with Mastering Web Services Security. Their coverage is both broad and deep, discussing
the range of security issues facing companies who are implementing Web Services,
while delving into the difficult details of cryptography and application security
infrastructures in a clear, understandable manner. Their balanced coverage of security
on both the .NET and J2EE platforms is especially valuable, especially considering the
solid chapters on interoperability, security administration, and building secure Web
Services architectures. I recommend this book for all IT managers, architects, and
enterprise security professionals who need a real understanding of how to build and
manage secure Service-oriented architectures.”
Jason Bloomberg
Senior Analyst, ZapThink LLC
.“Web services are the next wave of business integration, with one major hurdle in their
way: security. This comprehensive explanation of the state of the art in web services
security will help remove that hurdle. Readers will learn both about the risks and the
solutions. Not just a user’s guide, this book explains the architectural issues in distributed
systems, thus motivating the solutions. There’s an alphabet soup of evolving
standards, and this volume gives up to the minute coverage of all of them, including
XML Signature, SAML, and WS-Security. Consistent examples that run through the
book make it easy to apply the ideas to real systems. Important reading for anyone
involved in web services.”
Jeremy Epstein
Director of Product Security, webMethods Inc.
“In Mastering Web Services Security the authors provide us with an excellent technical
and historical synopsis of the web services security environment and its historical relationship
to other distributed computing environments. The book blends a presentation
of the challenges of securing web services with descriptions of the security technologies
developed to address these challenges. The major strength of the book is that it
provides detailed examples of the use of these technologies to develop and deploy
secure web services on the existing web services platforms. The book is also forward
looking and presents for the reader a road map of the activities that will shape the
future of web services security.”
Ron Monzillo
Sun Microsystems.
ng” respectively.
You implement the information given at your own risk.
Senior Program Manager, Security Engineering, Microsoft Corp.
“Without strong security, Web Services will, in the end, have but little impact on business.
Mastering Web Services Security provides important practical guidance and theory
for building secure services now and preparing for future secure Web Services standards.”
Randy Heffner
VP & Research Leader, Giga Information Group
“The authors manage to cover an impressive collection of WS security topics in a nononsense,
how-to style, while zeroing in on important techniques and critical points
with specific source code examples and diagrams.”
Max Levchin
co-founder, PayPal, Inc
“Bret Hartman and his fellow authors have set the standard for Web Services security
books with Mastering Web Services Security. Their coverage is both broad and deep, discussing
the range of security issues facing companies who are implementing Web Services,
while delving into the difficult details of cryptography and application security
infrastructures in a clear, understandable manner. Their balanced coverage of security
on both the .NET and J2EE platforms is especially valuable, especially considering the
solid chapters on interoperability, security administration, and building secure Web
Services architectures. I recommend this book for all IT managers, architects, and
enterprise security professionals who need a real understanding of how to build and
manage secure Service-oriented architectures.”
Jason Bloomberg
Senior Analyst, ZapThink LLC
.“Web services are the next wave of business integration, with one major hurdle in their
way: security. This comprehensive explanation of the state of the art in web services
security will help remove that hurdle. Readers will learn both about the risks and the
solutions. Not just a user’s guide, this book explains the architectural issues in distributed
systems, thus motivating the solutions. There’s an alphabet soup of evolving
standards, and this volume gives up to the minute coverage of all of them, including
XML Signature, SAML, and WS-Security. Consistent examples that run through the
book make it easy to apply the ideas to real systems. Important reading for anyone
involved in web services.”
Jeremy Epstein
Director of Product Security, webMethods Inc.
“In Mastering Web Services Security the authors provide us with an excellent technical
and historical synopsis of the web services security environment and its historical relationship
to other distributed computing environments. The book blends a presentation
of the challenges of securing web services with descriptions of the security technologies
developed to address these challenges. The major strength of the book is that it
provides detailed examples of the use of these technologies to develop and deploy
secure web services on the existing web services platforms. The book is also forward
looking and presents for the reader a road map of the activities that will shape the
future of web services security.”
Ron Monzillo
Sun Microsystems.
ng” respectively.
You implement the information given at your own risk.
Publisher: Joe Wikert
Executive Editor: Robert Elliott
Editorial Manager: Kathryn A. Malm
Developmental Editor: Adaobi Obi Tulton
Managing Editor: Pamela Hanley
New Media Editor: Brian Snapp
Text Design & Composition: Wiley Composition Services
Contents
Acknowledgments v
Foreword vii
Introduction xix
Chapter 1 Overview of Web Services Security
Characteristics of Web Services 3
Web Services Architecture 3
Security as an Enabler for Web Services Applications 4
Information Security Goals: Enable Use, Bar Intrusion 5
Web Services Solutions Create
New Security Responsibilities 5
Risk Management Holds the Key 6
Information Security: A Proven Concern 7
Securing Web Services 8
Web Services Security Requirements 9
Providing Security for Web Services 10
Unifying Web Services Security 12
EASI Requirements 13
EASI Solutions 14
EASI Framework 15
EASI Benefits 18
Example of a Secure Web Services Architecture 19
Business Scenario 19
Scenario Security Requirements 22
Summary 23
Chapter 2 Web Services
Distributed Computing 25
Distributed Processing across the Web 27
Web Services Pros and Cons 29
Extensible Markup Language 30
Supporting Concepts 32
SOAP 36
SOAP Message Processing 37
Message Format 39
SOAP Features 44
HTTPBinding 45
SOAP Usage Scenarios 45
Universal Description Discovery and Integration 46
WSDL 48
Other Activities 50
Active Organizations 51
Other Standards 51
Summary 52
Chapter 3 Getting Started with Web Services Security
Security Fundamentals 54
Cryptography 56
Authentication 58
Authorization 63
Walk-Through of a Simple Example 64
Example Description 65
Security Features 66
Limitations 67
Summary 70
Chapter 4 XML Security and WS-Security
Public Key Algorithms 73
Encryption 74
Digital Signatures 78
Public Key Certificates 80
Certificate Format 82
Public Key Infrastructure 83
XMLSecurity 85
XMLEncryption 85
XML Signature 88
WS-Security 95
Functionality 96
Security Element 97
Structure 97
Example 97
Summary 98
xii Contents
Chapter 5 Security Assertion Markup Language
OASIS 100
What Is SAML? 100
How SAML Is Used 101
The Rationale for Understanding the SAML Specification 104
Why Open Standards Like SAML Are Needed 105
Security Problems Solved by SAML 105
A First Detailed Look at SAML 107
SAMLAssertions 109
Common Portion of an Assertion 109
Statements 112
SAML Protocols 116
SAMLRequest/Response 117
SAMLRequest 117
SAMLResponse 121
Bindings 122
Profiles 122
Shibboleth 127
Privacy 128
Federation 129
Single Sign-on 129
The Trust Relationship 130
Related Standards 130
XACML 130
WS-Security 130
Summary 131
Chapter 6 Principles of Securing Web Services
Web Services Example 133
Authentication 135
Authentication Requirements 135
Options for Authentication in Web Services 137
System Characteristics 141
Authentication for ePortal and eBusiness 143
Data Protection 145
Data Protection Requirements 145
Options for Data Protection in Web Services 146
System Characteristics 147
eBusiness Data Protection 150
Authorization 150
Authorization Requirements 150
Options for Authorization in Web Services 153
System Characteristics 154
eBusiness Authorization 155
Summary 156
Chapter 7 Security of Infrastructures for Web Services
Distributed Security Fundamentals 158
Security and the Client/Server Paradigm 158
Security and the Object Paradigm 160
What All Middleware Security Is About 161
Roles and Responsibilities of CSS, TSS, and Secure Channel 163
How Middleware Systems Implement Security 164
Distributed Security Administration 174
Enforcing Fine-Grained Security 175
CORBA 176
How CORBAWorks 177
Roles and Responsibilities of CSS, TSS, and Secure Channel 179
Implementation of Security Functions 182
Administration 186
Enforcing Fine-Grained Security 187
COM+ 188
How COM+ Works 188
Roles and Responsibilities of CSS, TSS, and Secure Channel 192
Implementation of Security Functions 193
Administration 195
Enforcing Fine-Grained Security 196
.NET Framework 197
How .NET Works 199
.NET Security 203
J2EE 207
How EJB Works 208
Roles and Responsibilities of CSS, TSS, and Secure Channel 210
Implementation of Security functions 212
Administration 213
Enforcing Fine-Grained Security 216
Summary 217
Chapter 8 Securing .NET Web Services
IIS Security Mechanisms 219
Authentication 220
Protecting Data in Transit 221
Access Control 222
Logging 222
Fault Isolation 224
Creating Web Services with Microsoft Technologies 224
Creating Web Services out of COM+ Components 225
Creating Web Services out of COM
Components Using SOAP Toolkit 226
Creating Web Services with .NET Remoting 228
Creating Web Services Using ASP.NET 229
Implementing Access to eBusiness
with ASP.NET Web Services 233
xiv Contents
ASP.NET Web Services Security 234
Authentication 235
Data Protection 243
Access Control 244
Audit 251
Securing Access to eBusiness 256
Summary 257
Chapter 9 Securing Java Web Services
Using Java with Web Services 260
Traditional Java Security Contrasted
with Web Services Security 261
Authenticating Clients in Java 262
Data Protection 262
Controlling Access 263
How SAML Is Used with Java 263
Assessing an Application Server
for Web Service Compatibility 265
JSR Compliance 265
Authentication 266
Authorization 267
Java Tools Available for Web Services 267
Sun FORTE and JWSDP 268
IBM WebSphere and Web Services Toolkit 269
Systinet WASP 270
The Java Web Services Examples 271
Example Using WASP 271
Example Using JWSDP 280
Summary 284
Chapter 10 Interoperability of Web Services Security Technologies
The Security Interoperability Problem 288
Between Security Tiers 289
Layered Security 290
Perimeter Security 291
Mid-Tier 294
Back-Office Tier 297
Interoperable Security Technologies 297
Authentication 297
Security Attributes 298
Authorization 300
Maintaining the Security Context 301
Handling Delegation in Web Services 302
Using a Security Framework 305
Client Use of EASI 305
Target Use of EASI 307
Securing the Example 307
Framework Authentication 308
Framework Attribute Handling 310
Framework Authorization 310
Example Using JWSDP 311
What Problems Should an EASI Framework Solve? 317
Web Services Support for EASI 318
Making Third-Party Security Products Work Together 318
Federation 319
Liberty Alliance 320
The Internet versus Intranets and Extranets 322
Summary 322
Chapter 11 Administrative Considerations for Web Services Security
Introducing Security Administration 325
The Security Administration Problem 326
What about Web Services? 327
Administering Access Control and Related Policies 327
Using Attributes Wisely 328
Taking Advantage of Role-Based Access Control 329
Delegation 341
Audit Administration 343
Authentication Administration 343
How Rich Does Security Policy Need to Be? 344
Administering Data Protection 345
Making Web Services Development and Security
Administration Play Well Together 346
Summary 347
Chapter 12 Planning and Building a Secure Web Services Architecture
Web Services Security: The Challenges 350
Security Must Be In Place 350
What’s So Tough About Security for Web Services? 351
What Is Security? 351
Building Trustworthy Systems 352
Security Evolution—Losing Control 354
Dealing with the “ilities” 355
EASI Principles for Web Services 355
Security Architecture Principles 356
Security Policy Principles 357
Determining Requirements 358
Functional Requirements 360
ePortal Security Requirements 360
eBusiness Security Requirements 362
Nonfunctional Requirements 364
Overview of ePortal and eBusiness Security Architectures 366
xvi Contents
Applying EASI 369
ePortal EASI Framework 370
Addressing ePortal Requirements 372
eBusiness EASI Framework 375
Addressing eBusiness Requirements 378
Deploying Security 381
Perimeter Security 382
Mid-Tier Security 384
Back-Office Security 385
Using a Security Policy Server 386
Self-Administration 386
Large-Scale Administration 387
Storing Security Policy Data 388
Securing UDDI and WSDL 391
Security Gotchas at the System Architecture Level 391
Scaling 392
Performance 392
Summary 393
Glossary 395
References 415
Index 423
● Screenshot ●
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
File Size
| 3,661 KB |
Pages
|
464 p |
File Type
|
PDF format |
ISBN
| 0-471-26716-3 |
Copyright © 2003 by
|
Bret Hartman, Donald J. Flinn,
Konstantin, Beznosov,
and Shirley, Kawamoto
|
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
