View
1.778
Download
2
Category
Tags:
Preview:
DESCRIPTION
Metro, the GlassFish Web Services stack. A presentation by Harold Carr emphasizing the benefits of Metro for interoperability with .Net
Citation preview
1
Metro Web Services stack(and .NET 3.x interop)
Harold CarrLead architect, Project MetroSun Microsystems, Inc.http://weblogs.java.net/blog/haroldcarr/harold.carr@sun.com
1
Metro: The Web services stack in GlassFish 2
Agenda• What is Metro ?• Metro features• Security scenarios• Community, adoption, more info
Metro: The Web services stack in GlassFish 3
What is Metro ?• Web Services stack from GlassFish community• Extensible / pluggable architecture
> Encoding, Protocol and Transport Independence• Security, Reliability, Transactions• High-performance; Production-quality• Programming models
> POJO + annotations = Descriptor-free programming> WSDL> Data binding via JAXB (100% XML Schema Support)
Metro: The Web services stack in GlassFish 4
Metro Interoperability via Standards• Basic Web Services
> JAX-WS 2.1 & JAXB 2.1> W3C SOAP 1.1/1.2, WSDL 1.1, WS-Addressing, MTOM> WS-I Basic Profile 1.x, SSBP 1.0, AP 1.0, BSP 1.0
• Enterprise Web Services > Oasis: WS-Security, WS-SecureConversation, WS-Trust,
WS-SecurityPolicy, WS-ReliableMessaging, WS-AtomicTransactions, WS-Coordintation
> W3C: WS-Addressing, WS-Policy, WS-Transfer> WS-MetadataExchange
• Same specs implemented by MS .NET 3.x
Metro: The Web services stack in GlassFish 5
Metro Interoperability
Client
Endpoint
Client
Endpoint
Metro .NET 3.x
Metro: The Web services stack in GlassFish 6
The Metro Stack
JAX-WS Tooling, NetBeans & Studio Support Software
TransactionsAtomic-
TransactionsCoordination
ReliabilityReliable-
Messaging
SecuritySecure Conv.
TrustXWSS
MetadataWSDLMEXPolicy
SOAP Based Messaging (WSA, MTOM)
HTTP TCP SMTP
JAXB Based XML Data Binding (XSD, XPATH)
Metro: The Web services stack in GlassFish 7
Metro Processing Pipeline
HTTP Security WS-A ReliabilityTXStub
Message
invoke 01010001...
11001010... return
Client
Server
Invoker Z Y X W Head
Message
Message
invoke
return
Message
Metro: The Web services stack in GlassFish 8
Metro Performance
Metro: The Web services stack in GlassFish 9
Agenda• What is Metro ?• Metro features• Security scenarios• Community, adoption, more info
Metro: The Web services stack in GlassFish 10
Metro Features – Reliable MessagingProtocol-based Reliability
• Before RM> Reliable protocols based on TCP/IP> Point-to-point
• RM brings reliability to SOAP (protocol) layer• Recovery from lost or mis-ordered messages• Transparent to application• Enable use of multiple transports
> Works on non TCP/IP transports
Metro: The Web services stack in GlassFish 11
RM Dest
ServiceApplication
RM SourceClient
Application
Reliable Messaging Operation
Client data CreateSequenceSeqId
Client data + SeqId + Msg IdSrv data + SeqAck
Client data Client data + SeqId + Msg IdSrv data + SeqAck
Client dataSrv dataSrv data
Client data + SeqId + Msg IdSrv data + SeqAck
close LastMsg + SeqId + Msg IdSeqAck
Terminate + SeqIdHTTP 202
Client dataSrv data
Client dataSrv data
Metro: The Web services stack in GlassFish 12
Metro Features – Atomic TransactionsTransactional Web services
• Same as EJB RMI-IIOP Transactions• All operations in TX boundary succeed or rollback• Now available with web services
Metro: The Web services stack in GlassFish 13
Metro Features - SecurityEnd-to-End Security
Before WS-Security
WS-Security● Security at SOAP (protocol) layer● Fine granularity possible
● Only sign/encrypt credit card # (e.g., XML subtree)
● Works on non-TCP/IP transports● Integrity, Confidentiality, Auth● W3C XML Signature/Encryption
● SSL/HTTPS● Security at transport layer● All or nothing granularity● Point-to-point
SSL
XWSS XWSS
Metro: The Web services stack in GlassFish 14
Trust (getting security tokens)
.NET 3.xor
Java
STS (e.g., Access Manager)3. Request token
1. wsimport (MEX or ?wsdl)
.NET 3.xor
Java
2. WSDL + Policy with STS address
4. token
5. client msg signed/encrypted with token
6. server response signed/encrypted with token
Metro: The Web services stack in GlassFish 15
Secure Conversation (optimization)
.NET 3.xor
Java
STS (e.g., Access Manager)2. token A for msg 1
1. get WSDL
.NET 3.xor
Java
4. token B for msg 2
3. msg 1 signed/encrypted with token A
5. msg 2 signed/encrypted with token B
WITHOUT Secure Conversation: Get key from STS for each msg
Metro: The Web services stack in GlassFish 16
Secure Conversation (optimization)
.NET 3.xor
Java
STS (e.g., Access Manager)2. token A for msg 1
1. get WSDL
.NET 3.xor
Java
3. msg 1 signed/encrypted with token A
4. msg 2 signed/encrypted with derived key
WITH Secure Conversation Derive keys from initial STS key
Metro: The Web services stack in GlassFish 17
Agenda• What is Metro ?• Metro features• Security scenarios• Community, adoption, more info
Metro: The Web services stack in GlassFish 18
Security Scenarios
• Token creation and validation• Token expiration• Identity and attribute extraction for Database search• Identity propagation
> thru multiple web apps & services• Brokered trust
Metro: The Web services stack in GlassFish 19
STS
2a.
1.Client(.NET SOAP)
GetDataWS(GF/Metro SOAP)
2b.
2c.
AM (Metro SOAP)
3.
Token Creation and Validation
1. HTTPS/MEX to get GetDataWS WSDL1a. GetDataWS has WSDL that indicates SAML token required from STS2. getData called. 2a. HTTPS/MEX to get STS WSDL.2b: HTTP/SAML security to do STS operation to get Token.2c: Pass token w/Attribute inserted directly in token to GetDataWS3. GetDataWS returns result when valid token received.
Metro: The Web services stack in GlassFish 20
Protocols used in Token Creation scenario• WS-Transfer/WS-Metadata Exchange
> Used to obtain service and STS WSDLs• WS-Trust
> Used by client to obtain security token from STS• WS-Security
> Used to sign/encrypt messages between client and service
• STS = Secure Token Service> Sun Access Manager (AM) in this example> Uses SAML tokens> More on STS and SAML in subsequent slides
Metro: The Web services stack in GlassFish 21
STS
Client(.NET SOAP)
GetDataWS(GF/Metro SOAP)
AM (Metro SOAP)
Token Expiration
1. Same setup / interaction as previous slide.1. Change token expiration on STS to 5 seconds.2. After getting token from STS have client sleep 10 seconds then call getData. Should receive “invalid token” fault3. Change token expiration on STS to 15 seconds.4. After getting token from STS have client sleep 10 seconds then call getData. Should now receive valid result.
Metro: The Web services stack in GlassFish 22
STS used in SAML Token Creation scenario
• STS == Secure Token Service> STS in this example is Sun’s Access Manager (AM)
• SAML == Security Assertion Markup Language• SAML tokens generated by STS specify details
('claims') about client to server> Tokens have predefined elements & attributes> Token can include user-defined claims
• Token includes 'expires' element> STS (in this example) sets ‘expires’ to 15 seconds
Metro: The Web services stack in GlassFish 23
STS
2a.
1.
1. HTTPS/MEX to get GetDataWS WSDL.1a. GetDataWS has WSDL that indicates SAML token required from STS2. User A (permission to SOME data) logs in and calls getData.2a. HTTPS/MEX and HTTP/SAML STS interaction.2b. Pass token w/Attribute inserted directly in token to GetDataWS3. Use token to determine user role. Result should be a subset of data (e.g., 5 rows).User B (permission to ALL data) logs in and does SAME query.Result should be all data (e.g., 10 rows).
Client(Metro SOAP)
GetDataWS(IIS .NET SOAP)
2b.3.
Active Directory (.NET SOAP)Identity and attribute extraction for Database Search
Metro: The Web services stack in GlassFish 24
STS used in DB search scenario
• STS in this example is backed by Active Directory (AD)• User supplies credentials to authenticate to Active Directory
(username/password, X.509, etc)• STS issues SAML token with claims regarding user
> Identity> STS inserts additional claim regarding the users ROLE
– (as defined in AD)• GetDataWS verifies SAML token issued by trusted STS• Role extracted from SAML token
> Used in DB access
Metro: The Web services stack in GlassFish 25
STSA
Client(browserusing CardSpace)
GetDataWS(IIS .NET SOAP)
+RM
AuditWS(GF/Metro SOAP)
RecordsDB
AuditDBAM (Metro SOAP)
GetData Web App(GF/Metro SOAP)
1. Browser-based client authenticates via CardSpace + AM2. Client does call on GetData Web Application.3. GetData WA calls GetDataWS.getData. 3a. GetDataWS will get data from RecordsDB.3a. GetDataWS will also call AuditWS.audit. Will use WS-RM.Validate: record must be retrieved correctly and AuditDB verified.Audit record should show User A, time, Application, GetDataWS and RecordsDB.NOTE: GetDataWs and AuditWS also secured using initial client token.
Identity Propagation thru multiple web apps & services
Metro: The Web services stack in GlassFish 26
WS-ReliableMessaging
• Used between GetDataWS and AuditWS• To ensure audit trail• Ensures all messages sent are received
Metro: The Web services stack in GlassFish 27
STSA
Same as previous scenario except: GetDataWS has trust relationship with STS A, AuditWS has trust relationship with STS B.STS A and B trust each other.
Client(browserusing CardSpace)
GetDataWS(IIS .NET SOAP)
+RM
AuditWS(GF/Metro SOAP)
RecordsDB
AuditDBSTS
B
AM (Metro SOAP)Active Directory(.NET SOAP)
GetData Web App(GF/Metro SOAP)
Brokered Trust
Metro: The Web services stack in GlassFish 28
Brokered Trust
• User supplies credentials to authenticate to STS A (AM)• Identity is propagated through multiple web apps/services• AuditWS does not know/trust STS A (AM)• AuditWS trusts STS B (AD)• STS B has a trust relationship with STS A (via WS-Trust)• STS B can use STS A to validate identity
Metro: The Web services stack in GlassFish 29
Before Project MetroOnly WS-I BP 1.1 Interop
.NETTrustAuthority
TrustAuthority
Sun Managed
Microsoft Managed
Project GlassFish™
Retail Quote ServiceBP 1.1
Project GlassFishWholesale
Quote Service
.Net WholesaleService
BP 1.1
Java EE Platform
WCFClient
JavaClient
Metro: The Web services stack in GlassFish 30
.NETTrustAuthority
TrustAuthority
Sun Managed
Microsoft Managed
Project GlassFish™
Retail Quote Service
Project GlassFishWholesale
Quote Service
.Net WholesaleService
Java EE Platform
With Project Metro
WCFClient
JavaClient
TrustWS-Trust
QOS SecurityInterop.
STSSTS
WS-T
Metro: The Web services stack in GlassFish 31
Security Summary• Web Service Interoperability
> Java web services using Metro and GlassFish> .NET 3.5 web services using Windows Communication Foundation
• Identity> Sun Access Manager> (Microsoft Active Directory)> WS-Trust> SAML> InfoCard
• Security> SAML, WS-Security, WS-SecureConversation, WS-SecurityPolicy
Metro: The Web services stack in GlassFish 32
Agenda• What is Metro ?• Metro features• Security scenarios• Community, adoption, more info
Metro: The Web services stack in GlassFish 33
Community• Visible development at java.net
> metro, jax-ws, wsit, jax-ws-commons> Continuous testing using Hudson
• Fully Open-source> CDDL and GPL v2 license> Source code, Emails, Forums
• Light-weight committer process > to encourage external contributions
• Features driven by users and community> Spring, SMTP, JSON, Stateful Web service, etc.
Metro: The Web services stack in GlassFish 34
Metro Runtime & Tools• Containers (runtime)
> Integrated in GlassFish V2 and V3> Light-weight HTTP server (Java SE 6)> JBoss WS 2.1.0, BEA WLS 10, IBM JDK Version 6,
TmaxSoft JEUS, Tomcat, Jetty> Any Servlet-2.4 container
• Development Tools> Command-line: wsimport, wsgen> NetBeans IDE> Maven plugins> Eclipse (SOAP UI plugin)
Metro: The Web services stack in GlassFish 35
Adoption• BEA/Oracle Web Logic Server 10• JBoss WS 2.1.0• IBM JDK Version 6• Salesforce.com for APEX 8.0 toolkit• Many others ...
> TmaxSoft, Worldspan, MailVision Ltd., MyUniPortal, Nortrop Grumman Corporation, Cordys, SLIB, Expeditors International, Cast Iron Systems, Covergence, National Science Foundation, etc.
Metro: The Web services stack in GlassFish 36
Reference – More Info• Metro
> metro.dev.java.net> users@metro.dev.java.net> https://forums.java.net/jive/forum.jspa?forumID=46> http://feeds.feedburner.com/MetroBlogs
• GlassFish Community> glassfish.java.net> blogs.sun.com/theaquarium
• Access Manager and OpenSSO blogs:> http://planets.sun.com/OpenSSO/> http://developers.sun.com/identity/> http://www.sun.com/software/products/access_mgr/index.jsp> http://opensso.org/ > http://blogs.sun.com/main/tags/infocard
Metro: The Web services stack in GlassFish 37
Extra Slides
Metro: The Web services stack in GlassFish 38
Metro Overview
Security
Metro – GlassFish Web Services Stackmetro.dev.java.net
JAXB JAXP SAAJ
TransactionsReliability
Commons
SOAP
XML Processing
Web Services Core
SMTP
Spring
JSON
HTTP
. . .
. . .
Metro: The Web services stack in GlassFish 39
Metro FeaturesComposite Service (Brokered Trust)
TrustAuthority
ServiceProvider
Managed Environment
Unmanaged Environment
ServiceConsumer
TrustAuthority
ServiceProvider
ServiceProvider
Trust
Metro: The Web services stack in GlassFish 40
InfoCard
• CardSpace – Microsoft’s identity metasystem> Supports multiple identity systems> based on standards (e.g., WS-Security, WS-Trust, WS-
MetadataExchange, WS-SecurityPolicy)• Users download cards from identity providers
> their bank/etc, or create their own self-issued cards• Cards used to convey any info from identity provider to relying party that
makes sense to both of them• CardSpace allows the user to select a card that provides identity and
required claims to STS• Sun’s Access Manager supports InfoCard using its own identity system• SAML token returned by STS includes identity is propagated and verified
by Metro and .NET based services
Metro: The Web services stack in GlassFish 41
Metro: The Web services stack in GlassFish 42
Demo
Ease-of-use with NetBeans 6 IDEhttp://blogs.sun.com/arungupta/entry/screncast_ws7_secure_and_reliable
Recommended