Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security

Page 1: Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security

Dr. Bhavani Thuraisingham

October 2006

Trustworthy Semantic Webs

Lecture #16: Web Services and Security

Page 2:

16-2 04/19/23 21:53

Outline
- Web Services
- Service Oriented Architectures
- Web Services Description Language
- UDDI
- SOAP
- WSDL with XML
- Security
- OASIS
- Federated identity
- Directions
- http://www.service-architecture.com/articles/index.html

Page 3:

Web Services Definition
- Web Services refers to the technologies that allow for making connections.
- Services are what you connect together using Web Services.
- A service is the endpoint of a connection.
- A service also has some type of underlying computer system that supports the connection offered.
- The combination of services, internal and external to an organization, makes up a service-oriented architecture.

Page 4:

Service Oriented Architectures (SOA)
- A service-oriented architecture is essentially a collection of services.
- These services communicate with each other.
- The communication can involve simple data passing, or it can involve two or more services coordinating some activity. Some means of connecting services to each other is needed.
- Service-oriented architectures are not a new thing. For many people, the first service-oriented architecture they used was DCOM or Object Request Brokers (ORBs) based on the CORBA specification.
- If a service-oriented architecture is to be effective, we need a clear understanding of the term service.
- A service is a function that is well-defined, self-contained, and does not depend on the context or state of other services.

Page 5:

Service Oriented Architectures
- The technology of web services is the most likely connection technology for service-oriented architectures.
- Web services essentially use XML technology to create a robust connection.
- A service consumer sends a service request message to a service provider.
- The service provider returns a response message to the service consumer.
- The request and the subsequent response are defined in some way that is understandable to both the service consumer and the service provider.
- A service provider can also be a service consumer.

Page 6:

Web Services Description Language
- The Web Services Description Language (WSDL) forms the basis for Web Services. The steps involved in providing and consuming a service are:
  - A service provider describes its service using WSDL. This definition is published to a directory of services. The directory could use Universal Description, Discovery, and Integration (UDDI); other forms of directory can also be used.
  - A service consumer issues one or more queries to the directory to locate a service and determine how to communicate with that service.
  - Part of the WSDL provided by the service provider is passed to the service consumer. This tells the service consumer what the requests and responses are for the service provider.
  - The service consumer uses the WSDL to send a request to the service provider.
  - The service provider provides the expected response to the service consumer.

Page 7:

UDDI
- The UDDI registry is intended to eventually serve as a means of "discovering" Web Services described using WSDL.
- The idea is that the UDDI registry can be searched in various ways to obtain contact information and the Web Services available for various organizations.
- A UDDI registry is also a way to keep up to date on the Web Services your organization currently uses.
- An alternative to UDDI is the ebXML Registry.

Page 8:

SOAP
- All the messages are sent using SOAP. (SOAP at one time stood for Simple Object Access Protocol; now the letters in the acronym have no particular meaning.)
- SOAP essentially provides the envelope for sending the Web Services messages.
- SOAP generally uses HTTP as its transport, but other means of connection may be used.
- HTTP is the familiar connection we all use for the Internet.
- It is the pervasiveness of HTTP connections that will help drive the adoption of Web Services. It also means that SOAP traffic passes through network firewalls on the same ports as ordinary web traffic.

Page 9:

WSDL with XML
- WSDL uses XML to define messages.
- XML has a tagged message format.
- Both the service provider and the service consumer use these tags.
- In fact, the service provider could send the data in any order.
- The service consumer uses the tags, not the order of the data, to get the data values.
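The request/response exchange of Pages 6 to 9, as an added example that is not part of the lecture: a consumer builds a SOAP 1.1 request from what it learned in the provider's WSDL, the provider dispatches on the operation element in the Body, and the consumer reads the response by tag rather than by position. The GetAccountBalance operation, its message parts, the urn:example:banking namespace and the ledger contents are constructed for this illustration.

```python
# Added example, not from the lecture: one SOAP 1.1 request/response exchange
# between a service consumer and a service provider, using only the standard
# library. The GetAccountBalance operation, its message parts, the service
# namespace and the ledger contents are constructed for this illustration and
# stand for what the consumer would have read out of the provider's WSDL.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:banking"            # assumed WSDL targetNamespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("bank", SVC_NS)

# Operation -> (input parts, output parts), as the consumer learned them from the WSDL (constructed).
WSDL_OPERATIONS = {
    "GetAccountBalance": (["accountId", "currency"], ["accountId", "balance", "currency"]),
}

# Constructed sample data held by the provider's back-end system.
LEDGER = {"ACC-1001": "2500.75"}


def build_request(operation: str, params: dict) -> bytes:
    """Consumer side: wrap the operation's input parts in a SOAP Envelope/Body."""
    in_parts, _ = WSDL_OPERATIONS[operation]
    missing = set(in_parts) - set(params)
    if missing:
        raise ValueError(f"missing WSDL input parts: {sorted(missing)}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{operation}")
    for name in in_parts:
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(params[name])
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def handle_request(request: bytes) -> bytes:
    """Provider side: dispatch on the single operation element inside the Body."""
    root = ET.fromstring(request)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must carry exactly one operation element")
    op = body[0]
    if not op.tag.startswith(f"{{{SVC_NS}}}"):
        raise ValueError(f"operation is not in the service namespace: {op.tag}")
    op_name = op.tag.split("}", 1)[1]
    if op_name not in WSDL_OPERATIONS:
        raise ValueError(f"operation not described by the WSDL: {op_name}")
    _, out_parts = WSDL_OPERATIONS[op_name]
    account = op.findtext(f"{{{SVC_NS}}}accountId")
    values = {
        "accountId": account,
        "balance": LEDGER.get(account, "0.00"),
        "currency": op.findtext(f"{{{SVC_NS}}}currency"),
    }
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    resp = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{op_name}Response")
    # The output parts are deliberately emitted in reverse order: a consumer
    # that keys on tags rather than on position still reads them correctly.
    for name in reversed(out_parts):
        ET.SubElement(resp, f"{{{SVC_NS}}}{name}").text = values[name]
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(response: bytes, operation: str) -> dict:
    """Consumer side: read every output part by its tag, whatever order it arrived in."""
    root = ET.fromstring(response)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}{operation}Response")
    if resp is None:
        raise ValueError("response lacks the expected operation element")
    _, out_parts = WSDL_OPERATIONS[operation]
    result = {}
    for name in out_parts:
        value = resp.findtext(f"{{{SVC_NS}}}{name}")
        if value is None:
            raise ValueError(f"output part missing from response: {name}")
        result[name] = value
    return result


def round_trip(account_id: str) -> dict:
    """Consumer -> provider -> consumer for one account."""
    request = build_request("GetAccountBalance", {"accountId": account_id, "currency": "USD"})
    return parse_response(handle_request(request), "GetAccountBalance")


if __name__ == "__main__":
    print(round_trip("ACC-1001"))
```

Both sides refuse anything the WSDL does not describe: an unknown operation, a Body with more than one child, or a response missing a declared part is an error rather than something to be guessed at, which is the first line of defence before any of the security specifications on the following pages come into play.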

Page 10:

Security
- Security and authorization is an important topic with Web Services.
- In fact, security and authorization specifications are currently in flux. This is often the reason cited for not proceeding with any work related to Web Services. Therefore, we need experimentation.
- Much can be done without having the specifications complete. Nearly all organizations should be able to find some areas to experiment with Web Services that have low requirements for security and authorization.

Page 11:

Security
- Security and authorization specifications include:
  - eXtensible Access Control Markup Language (XACML)
  - eXtensible Rights Markup Language (XrML)
  - Security Assertion Markup Language (SAML)
  - Service Provisioning Markup Language (SPML)
  - Web Services Security (WSS)
  - XML Common Biometric Format (XCBF)
  - XML Key Management Specification (XKMS)

Page 12:

Security
- Firewalls
  - Specialized XML firewalls offer the promise of protecting internal systems when using Web Services.
  - Traditional firewalls offer protection at the packet level (addresses, ports, connection state) and do not examine the contents of messages. SOAP carried over HTTP on port 80 or 443 therefore passes through them like any other web traffic.
  - XML firewalls, on the other hand, examine the contents of messages. This includes the SOAP headers and the XML content.
  - They are designed to permit only authorized content to pass through the firewall.
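What "examining the contents of messages" amounts to in practice, as an added example that is not part of the lecture: a filter that looks at the raw bytes, the SOAP envelope, the headers and the Body before anything reaches the internal service, and refuses everything it was not told to allow. The service namespace, the operation allowlist, the size and depth limits, the wsse:UsernameToken header and the four sample messages are constructed; the entity-expansion sample is included only to show why the DOCTYPE check has to run on the raw bytes, before the parser.

```python
# Added example, not from the lecture: the content checks an XML firewall
# applies to a SOAP message before forwarding it to an internal service. The
# service namespace, the operation allowlist, the limits and the sample
# messages (including a small constructed entity-expansion payload) are all
# made up for this illustration; a packet filter that passes HTTP on port 80
# or 443 would forward every one of them unexamined.
import io
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SVC_NS = "urn:example:banking"                 # assumed service namespace
ALLOWED_OPERATIONS = {"GetAccountBalance"}      # assumed: the operations published in the WSDL
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


def q(ns: str, tag: str) -> str:
    return f"{{{ns}}}{tag}"


def inspect_soap(message: bytes) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is refused."""
    if len(message) > MAX_BYTES:
        return False, "message exceeds size limit"
    # Refuse DOCTYPE before the parser sees it: entity expansion happens inside
    # the parser, so it must be blocked on the raw bytes, not after parsing.
    if b"<!DOCTYPE" in message:
        return False, "DOCTYPE declarations are not permitted"
    depth = 0
    try:
        events = ET.iterparse(io.BytesIO(message), events=("start", "end"))
        for event, _ in events:
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                return False, "element nesting too deep"
        root = events.root
    except ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != q(SOAP_NS, "Envelope"):
        return False, "root element is not a SOAP Envelope"
    header = root.find(q(SOAP_NS, "Header"))
    if header is None or header.find(q(WSSE_NS, "Security")) is None:
        return False, "no wsse:Security header, caller cannot be authenticated"
    body = root.find(q(SOAP_NS, "Body"))
    if body is None or len(body) != 1:
        return False, "Body must carry exactly one operation element"
    op = body[0]
    if op.tag not in {q(SVC_NS, name) for name in ALLOWED_OPERATIONS}:
        return False, f"operation not permitted: {op.tag}"
    return True, "ok"


# Constructed sample messages.
_ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
    b'xmlns:bank="urn:example:banking">%s</soap:Envelope>'
)
_SECURITY_HEADER = (
    b"<soap:Header><wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
    b"</wsse:UsernameToken></wsse:Security></soap:Header>"
)
GOOD_MESSAGE = _ENVELOPE % (
    _SECURITY_HEADER
    + b"<soap:Body><bank:GetAccountBalance><bank:accountId>ACC-1001</bank:accountId>"
    b"</bank:GetAccountBalance></soap:Body>"
)
UNKNOWN_OPERATION = _ENVELOPE % (
    _SECURITY_HEADER
    + b"<soap:Body><bank:DeleteAccount><bank:accountId>ACC-1001</bank:accountId></bank:DeleteAccount></soap:Body>"
)
NO_SECURITY_HEADER = _ENVELOPE % (
    b"<soap:Body><bank:GetAccountBalance><bank:accountId>ACC-1001</bank:accountId></bank:GetAccountBalance></soap:Body>"
)
ENTITY_EXPANSION = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    + _ENVELOPE % (_SECURITY_HEADER + b"<soap:Body>&b;</soap:Body>")
)

if __name__ == "__main__":
    for name, msg in [("good", GOOD_MESSAGE), ("unknown operation", UNKNOWN_OPERATION),
                      ("no security header", NO_SECURITY_HEADER), ("entity expansion", ENTITY_EXPANSION)]:
        print(name, inspect_soap(msg))
```

The order of the checks matters: size and DOCTYPE are decided on the bytes, nesting depth while parsing, and only then the envelope, header and operation on the parsed tree. A real XML firewall would add schema validation of the Body against the published WSDL and verification of the WS-Security header itself, which the example on Page 15 takes up.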

Page 13:

Security: Examples XACML, SAML, WSS
- XACML (OASIS Spec)
  - eXtensible Access Control Markup Language (XACML) provides fine-grained control of authorized activities: the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection.
- SAML (OASIS Spec)
  - An XML framework for exchanging authentication and authorization information (assertions) between security domains. It is used with WSS, which defines how a SAML assertion is carried in a SOAP security header.
- WSS (OASIS Spec)
  - Describes enhancements to SOAP messaging in order to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
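The XACML bullet above lists what feeds a fine-grained decision: who the requestor is, the protocol the request arrived over, the class of activity and the resource content. The following added example (not from the lecture, and not a conforming XACML implementation) shows a small policy decision point evaluating requests against a policy written in a simplified sketch of XACML's Policy / Target / Rule / Condition structure with the deny-overrides rule-combining algorithm. The attribute names (subject:role, action:id, resource:id, resource:amount, environment:protocol) and the policy itself are constructed.

```python
# Added example, not from the lecture: a small policy decision point (PDP) in
# the XACML style. The policy below is a simplified, non-conforming sketch of
# XACML's Policy / Target / Rule / Condition structure and its deny-overrides
# rule-combining algorithm, written to show how subject attributes, the
# requested action, the resource and the protocol the request arrived over all
# feed one fine-grained decision. Attribute names and the policy are constructed.
import fnmatch
import xml.etree.ElementTree as ET

POLICY_XML = """
<Policy PolicyId="accounts-policy" RuleCombiningAlgId="deny-overrides">
  <Target>
    <Resource match="urn:example:banking:accounts:*"/>
  </Target>
  <Rule RuleId="no-plaintext-transport" Effect="Deny">
    <Condition attribute="environment:protocol" function="not-equal" value="https"/>
  </Rule>
  <Rule RuleId="tellers-read" Effect="Permit">
    <Condition attribute="subject:role" function="equal" value="teller"/>
    <Condition attribute="action:id" function="in" value="GetAccountBalance GetTransactions"/>
  </Rule>
  <Rule RuleId="managers-transfer" Effect="Permit">
    <Condition attribute="subject:role" function="equal" value="manager"/>
    <Condition attribute="action:id" function="equal" value="TransferFunds"/>
    <Condition attribute="resource:amount" function="less-than" value="10000"/>
  </Rule>
</Policy>
"""


def _less_than(actual, limit):
    try:
        return float(actual) < float(limit)
    except (TypeError, ValueError):   # a missing or non-numeric attribute never satisfies the condition
        return False


# Condition functions. A missing attribute (None) only ever satisfies "not-equal",
# which is what lets the transport rule deny requests whose protocol is unknown.
FUNCTIONS = {
    "equal": lambda actual, value: actual == value,
    "not-equal": lambda actual, value: actual != value,
    "in": lambda actual, value: actual in value.split(),
    "less-than": _less_than,
}


def _rule_applies(rule, request: dict) -> bool:
    """A rule applies when every one of its conditions holds for the request."""
    for cond in rule.findall("Condition"):
        fn = FUNCTIONS[cond.get("function")]
        if not fn(request.get(cond.get("attribute")), cond.get("value")):
            return False
    return True


def evaluate(policy_xml: str, request: dict) -> str:
    """Return the XACML decision: Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    target = policy.find("Target/Resource")
    if target is not None and not fnmatch.fnmatchcase(request.get("resource:id", ""), target.get("match")):
        return "NotApplicable"          # the policy does not speak to this resource at all
    if policy.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("only deny-overrides is implemented in this sketch")
    effects = [rule.get("Effect") for rule in policy.findall("Rule") if _rule_applies(rule, request)]
    if "Deny" in effects:               # deny-overrides: one applicable Deny beats any number of Permits
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def is_permitted(policy_xml: str, request: dict) -> bool:
    """What the policy enforcement point does with the decision: only Permit opens the door."""
    return evaluate(policy_xml, request) == "Permit"


if __name__ == "__main__":
    request = {"subject:role": "teller", "action:id": "GetAccountBalance",
               "resource:id": "urn:example:banking:accounts:ACC-1001", "environment:protocol": "https"}
    print(evaluate(POLICY_XML, request))
```

Two behaviours are worth noting. A teller's read over plain HTTP is denied even though the tellers-read rule matches, because deny-overrides lets the transport rule win; and a request the policy says nothing about comes back NotApplicable, which the enforcement point must treat exactly like Deny.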

Page 14:

OASIS
- Organization for the Advancement of Structured Information Standards (OASIS)
- OASIS is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards.
- Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts.
- OASIS produces worldwide standards for security, Web Services, XML conformance, business transactions, electronic publishing, topic maps, and interoperability within and between marketplaces. OASIS also hosts XML.org, which provides information about the application of XML, and The Cover Pages, a reference collection supporting the SGML/XML family of markup language standards and their application.

Page 15:

Federated Identity
- Federated identity allows users to link identity information between accounts without centrally storing personal information.
- Also, users can control when and how their accounts and attributes are linked and shared between domains and Service Providers, allowing for greater control over their personal data.
- In practice, this means that users can be authenticated by one company or Web site and be recognized and delivered personalized content and services in other locations without having to re-authenticate or sign on with a separate username and password.
- Standards include SAML and the Liberty Alliance Identity Web Services Framework (ID-WSF).
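The WSS bullet on Page 13 (message integrity and single message authentication) and the federation scenario above (authenticated by one organization, recognized by another without a second sign-on) meet in one message, shown here as an added example that is not part of the lecture. An identity provider issues a SAML-style assertion about the user; the consumer places it, together with a Timestamp, in a wsse:Security header and signs Timestamp and Body as one unit; the provider verifies the timestamp window, the body signature and the assertion (signature, validity period, audience) before dispatching. XML Signature, which would need a library outside the standard library, is stood in for by HMAC-SHA256 over the C14N form of each signed element, so here the verifier shares a key with the signer, whereas a real identity provider signs with a private key and the service checks its certificate. The "ex" signature element names, the keys, the issuer URL, the service namespace and the user are all constructed.

```python
# Added example, not from the lecture: a SOAP request whose WS-Security header carries
# a Timestamp and a SAML-style assertion from an identity provider, so a service in a
# second organization can recognise the user without its own login, and whose Body is
# integrity-checked before dispatch. XML Signature is stood in for by HMAC-SHA256 over
# the C14N form of each signed element (so verifier and signer share a key, unlike the
# public-key signature a real IdP applies). The "ex" signature elements, the keys, the
# issuer, the service namespace and the user are all constructed for this illustration.
import base64, calendar, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SVC = "urn:example:banking"      # assumed service namespace, also the SAML audience
EX = "urn:example:hmac-sig"      # assumed namespace for the stand-in signature elements
for prefix, ns in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("saml", SAML), ("bank", SVC), ("ex", EX)):
    ET.register_namespace(prefix, ns)


class SecurityFault(Exception):
    """Raised by the provider when a message fails a security check."""

def q(ns, tag): return f"{{{ns}}}{tag}"
def iso(t): return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
def from_iso(s): return calendar.timegm(time.strptime(s, "%Y-%m-%dT%H:%M:%SZ"))

def sign(key: bytes, *elems) -> str:
    """HMAC over the canonical (C14N) form of the elements, the form XML Signature digests."""
    data = b"".join(ET.canonicalize(ET.tostring(e), strip_text=True).encode() for e in elems)
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

def issue_assertion(idp_key: bytes, subject: str, role: str, audience: str, now: float):
    """Identity provider: assert that subject authenticated; valid five minutes, for one audience."""
    a = ET.Element(q(SAML, "Assertion"), ID="_" + secrets.token_hex(16), Version="2.0", IssueInstant=iso(now))
    ET.SubElement(a, q(SAML, "Issuer")).text = "https://idp.example.org"      # assumed issuer
    ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = subject
    cond = ET.SubElement(a, q(SAML, "Conditions"), NotBefore=iso(now - 30), NotOnOrAfter=iso(now + 300))
    ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = audience
    attr = ET.SubElement(ET.SubElement(a, q(SAML, "AttributeStatement")), q(SAML, "Attribute"), Name="role")
    ET.SubElement(attr, q(SAML, "AttributeValue")).text = role
    return ET.tostring(a), sign(idp_key, a)

def build_secured_request(consumer_key: bytes, assertion: bytes, assertion_sig: str, account_id: str, now: float) -> bytes:
    """Service consumer: Timestamp and assertion go in wsse:Security; Timestamp and Body are signed together."""
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"))
    ts = ET.SubElement(sec, q(WSU, "Timestamp"))
    ET.SubElement(ts, q(WSU, "Created")).text = iso(now)
    ET.SubElement(ts, q(WSU, "Expires")).text = iso(now + 60)
    sec.append(ET.fromstring(assertion))
    ET.SubElement(sec, q(EX, "AssertionSignature")).text = assertion_sig
    body = ET.SubElement(env, q(SOAP, "Body"))
    ET.SubElement(ET.SubElement(body, q(SVC, "GetAccountBalance")), q(SVC, "accountId")).text = account_id
    # Signing Timestamp and Body as one unit binds the request to its validity window.
    ET.SubElement(sec, q(EX, "BodySignature")).text = sign(consumer_key, ts, body)
    return ET.tostring(env)

def verify_secured_request(idp_key: bytes, consumer_key: bytes, message: bytes, audience: str, now: float, skew: int = 30) -> dict:
    """Service provider: check the Timestamp, then Body integrity, then the assertion, before dispatching."""
    env = ET.fromstring(message)
    sec = env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}")
    body = env.find(q(SOAP, "Body"))
    ts = sec.find(q(WSU, "Timestamp")) if sec is not None else None
    if body is None or ts is None or len(body) != 1:
        raise SecurityFault("missing wsse:Security Timestamp or malformed Body")
    try:
        created, expires = from_iso(ts.findtext(q(WSU, "Created"))), from_iso(ts.findtext(q(WSU, "Expires")))
    except (TypeError, ValueError):
        raise SecurityFault("malformed Timestamp") from None
    if not (created - skew <= now < expires + skew) or expires - created > 300:
        raise SecurityFault("timestamp outside the acceptable window (stale or replayed message)")
    if not hmac.compare_digest(sec.findtext(q(EX, "BodySignature")) or "", sign(consumer_key, ts, body)):
        raise SecurityFault("body signature does not verify: message altered or wrong key")
    a = sec.find(q(SAML, "Assertion"))
    if a is None or not hmac.compare_digest(sec.findtext(q(EX, "AssertionSignature")) or "", sign(idp_key, a)):
        raise SecurityFault("assertion signature does not verify")
    cond = a.find(q(SAML, "Conditions"))
    if cond is None or not (from_iso(cond.get("NotBefore")) <= now < from_iso(cond.get("NotOnOrAfter"))):
        raise SecurityFault("assertion not yet valid or expired")
    if cond.findtext(f"{q(SAML, 'AudienceRestriction')}/{q(SAML, 'Audience')}") != audience:
        raise SecurityFault("assertion was issued for a different audience")
    return {"subject": a.findtext(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}"),
            "role": a.findtext(f"{q(SAML, 'AttributeStatement')}/{q(SAML, 'Attribute')}/{q(SAML, 'AttributeValue')}"),
            "operation": body[0].tag.split("}", 1)[1]}

def run_scenarios(now: float = 1160000000.0) -> dict:
    """Valid request, tampered Body, replay after the window, wrong audience (constructed keys)."""
    idp_key, consumer_key = b"idp-shared-secret", b"consumer-shared-secret"
    assertion, asig = issue_assertion(idp_key, "alice", "teller", SVC, now)
    msg = build_secured_request(consumer_key, assertion, asig, "ACC-1001", now)
    results = {"valid": verify_secured_request(idp_key, consumer_key, msg, SVC, now + 5)}
    for name, args in (("tampered", (msg.replace(b"ACC-1001", b"ACC-9999"), SVC, now + 5)),
                       ("replayed", (msg, SVC, now + 600)),
                       ("wrong_audience", (msg, "urn:example:payroll", now + 5))):
        try:
            verify_secured_request(idp_key, consumer_key, *args)
            results[name] = "accepted"
        except SecurityFault as fault:
            results[name] = str(fault)
    return results
```

Run `run_scenarios()` to see the four outcomes. The provider never sees a password: the only thing it trusts about "alice" is the assertion the identity provider signed, which is what lets her be recognized in a second domain, and the audience check is what stops an assertion issued for the banking service from being replayed at the payroll service. Signing the Timestamp together with the Body is the piece that makes the integrity check also a replay check; a signature over the Body alone would verify just as well an hour later.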

Page 16:

Directions
- Security for Web Services and Service Oriented Architectures
- Confidentiality, Privacy and Trust Management for SOA
- Model, Policy Language, Risk Analysis and Economics