2009 02 26 Metro GlassFish Webinar

Description: Metro, the GlassFish Web Services stack. A presentation by Harold Carr emphasizing the benefits of Metro for interoperability with .NET.

Page 1

Metro Web Services stack (and .NET 3.x interop)

Harold Carr
Lead architect, Project Metro
Sun Microsystems, Inc.
http://weblogs.java.net/blog/haroldcarr/
[email protected]

Page 2

Metro: The Web services stack in GlassFish

Agenda
• What is Metro?
• Metro features
• Security scenarios
• Community, adoption, more info

Page 3

What is Metro?
• Web Services stack from the GlassFish community
• Extensible / pluggable architecture
  > Encoding, protocol and transport independence
• Security, Reliability, Transactions
• High-performance; production-quality
• Programming models
  > POJO + annotations = descriptor-free programming
  > WSDL
  > Data binding via JAXB (100% XML Schema support)

Page 4

Metro Interoperability via Standards
• Basic Web Services
  > JAX-WS 2.1 & JAXB 2.1
  > W3C SOAP 1.1/1.2, WSDL 1.1, WS-Addressing, MTOM
  > WS-I Basic Profile 1.x, SSBP 1.0, AP 1.0, BSP 1.0
• Enterprise Web Services
  > OASIS: WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-ReliableMessaging, WS-AtomicTransaction, WS-Coordination
  > W3C: WS-Addressing, WS-Policy, WS-Transfer
  > WS-MetadataExchange
• Same specs implemented by MS .NET 3.x

Page 5

Metro Interoperability
[Diagram: a Metro client calling a .NET 3.x endpoint, and a .NET 3.x client calling a Metro endpoint; interoperability in both directions]

Page 6

The Metro Stack
[Diagram, layers from top to bottom:]
JAX-WS Tooling; NetBeans & Studio support software
Transactions (Atomic Transactions, Coordination) | Reliability (Reliable Messaging) | Security (Secure Conversation, Trust, XWSS) | Metadata (WSDL, MEX, Policy)
SOAP Based Messaging (WSA, MTOM)
Transports: HTTP, TCP, SMTP
JAXB Based XML Data Binding (XSD, XPath)

Page 7

Metro Processing Pipeline
[Diagram: on the client, an invoke passes from the Stub through the TX, Reliability, WS-A, Security and HTTP stages, each handing on a Message, until it is serialized to bytes on the wire; on the server, the bytes enter at the Head and pass through stages W, X, Y and Z to the Invoker; the return travels the same path in reverse]

Page 8

Metro Performance

Page 9

Agenda
• What is Metro?
• Metro features
• Security scenarios
• Community, adoption, more info

Page 10

Metro Features – Reliable Messaging
Protocol-based reliability
• Before RM
  > Reliable protocols based on TCP/IP
  > Point-to-point
• RM brings reliability to the SOAP (protocol) layer
• Recovery from lost or mis-ordered messages
• Transparent to the application
• Enables use of multiple transports
  > Works on non-TCP/IP transports

Page 11

Reliable Messaging Operation
[Sequence diagram: Client Application → RM Source → RM Destination → Service Application; the two applications see only their data, the RM layers add and strip the protocol headers]
1. CreateSequence; the RM destination returns a SeqId
2. For each request: Client data + SeqId + MsgId; the reply carries Srv data + SeqAck
3. Close: LastMsg + SeqId + MsgId; the reply carries SeqAck
4. Terminate + SeqId; answered with HTTP 202
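The sequence above in runnable form, as an added example that is not part of the deck and not Metro code: a Python simulation of an RM source and an RM destination, with the protocol's sequence identifier, message numbers and acknowledgement ranges as plain fields instead of SOAP headers. The transport, and its "lose this message number once" behaviour, is constructed for the illustration.

```python
"""Constructed WS-ReliableMessaging illustration (not Metro code): an RM source
numbers messages into a sequence, an RM destination acknowledges the ranges it
holds and delivers to the application strictly in order, and the source
retransmits anything not yet acknowledged.  The real protocol carries these
values in SOAP headers (wsrm:Sequence/Identifier, wsrm:MessageNumber,
wsrm:SequenceAcknowledgement/AcknowledgementRange)."""
import itertools
import uuid
from dataclasses import dataclass


@dataclass
class RMMessage:
    seq_id: str
    msg_num: int        # wsrm:MessageNumber, 1-based within the sequence
    payload: str
    last: bool = False  # set on the final message when the sequence is closed


class RMDestination:
    """Buffers out-of-order messages until the gap in front of them is filled."""

    def __init__(self):
        self.buffered = {}       # seq_id -> {msg_num: payload} received, not yet delivered
        self.next_expected = {}  # seq_id -> next msg_num the application may see
        self.delivered = []      # (seq_id, msg_num, payload) in delivery order

    def create_sequence(self):
        """CreateSequence: hand back a fresh sequence identifier."""
        seq_id = f"urn:uuid:{uuid.uuid4()}"
        self.buffered[seq_id] = {}
        self.next_expected[seq_id] = 1
        return seq_id

    def receive(self, msg):
        """Accept a message (possibly duplicated or out of order) and return the
        SequenceAcknowledgement as a list of (lower, upper) ranges."""
        pending = self.buffered[msg.seq_id]
        if msg.msg_num >= self.next_expected[msg.seq_id]:
            pending.setdefault(msg.msg_num, msg.payload)  # duplicate -> already there
        while self.next_expected[msg.seq_id] in pending:   # deliver the contiguous run
            n = self.next_expected[msg.seq_id]
            self.delivered.append((msg.seq_id, n, pending.pop(n)))
            self.next_expected[msg.seq_id] = n + 1
        return self.ack_ranges(msg.seq_id)

    def ack_ranges(self, seq_id):
        """Everything received so far (delivered or buffered) as contiguous ranges."""
        have = sorted(set(range(1, self.next_expected[seq_id])) | set(self.buffered[seq_id]))
        ranges = []
        for n in have:
            if ranges and ranges[-1][1] == n - 1:
                ranges[-1] = (ranges[-1][0], n)
            else:
                ranges.append((n, n))
        return ranges


class RMSource:
    """Numbers outgoing messages and keeps them until an ack range covers them."""

    def __init__(self, dest, lose_once):
        self.dest = dest
        self.lose_once = set(lose_once)  # constructed lossy transport: drop these msg_nums once
        self.seq_id = dest.create_sequence()
        self.counter = itertools.count(1)
        self.unacked = {}                # msg_num -> RMMessage awaiting acknowledgement

    def send(self, payload, last=False):
        msg = RMMessage(self.seq_id, next(self.counter), payload, last)
        self.unacked[msg.msg_num] = msg
        self._transmit(msg)

    def _transmit(self, msg):
        if msg.msg_num in self.lose_once:
            self.lose_once.discard(msg.msg_num)  # lost on the wire, no ack comes back
            return
        for lo, hi in self.dest.receive(msg):
            for n in range(lo, hi + 1):
                self.unacked.pop(n, None)

    def retransmit_unacked(self):
        """What the source does when its retransmission timer fires."""
        for msg in sorted(self.unacked.values(), key=lambda m: m.msg_num):
            self._transmit(msg)


def run_exchange(payloads, lose_once=()):
    """Send payloads over a transport that loses the given message numbers once;
    report what the application saw before and after one retransmission round."""
    dest = RMDestination()
    src = RMSource(dest, lose_once)
    for i, p in enumerate(payloads):
        src.send(p, last=(i == len(payloads) - 1))
    before = ([p for _, _, p in dest.delivered], sorted(src.unacked))
    src.retransmit_unacked()
    after = ([p for _, _, p in dest.delivered], sorted(src.unacked))
    return {"delivered_before": before[0], "unacked_before": before[1],
            "delivered_after": after[0], "unacked_after": after[1]}


if __name__ == "__main__":
    print(run_exchange(["a", "b", "c", "d"], lose_once={3}))
```

Dropping message 3 leaves "c" and "d" undelivered (the destination buffers 4 rather than hand the application a gap) until the retransmission round resends 3; the acknowledgement ranges are what tell the source which message to resend. RM assures delivery and ordering between the two RM layers; it does not protect the messages themselves, which is what WS-Security on the following slides is for.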

Page 12

Metro Features – Atomic Transactions
Transactional Web services
• Same as EJB RMI-IIOP transactions
• All operations within the TX boundary succeed or roll back
• Now available with web services

Page 13

Metro Features – Security
End-to-End Security

Before WS-Security: SSL/HTTPS
● Security at the transport layer
● All-or-nothing granularity
● Point-to-point: protection ends at each TLS endpoint, so an intermediary that terminates the connection sees the whole message in the clear

WS-Security
● Security at the SOAP (protocol) layer
● Fine granularity possible
  ● Only sign/encrypt the credit card # (e.g., an XML subtree); the receiver must then check that the parts it acts on are the parts that were signed
● Works on non-TCP/IP transports
● Integrity, confidentiality, authentication
● W3C XML Signature / XML Encryption

[Diagram: SSL secures each hop between client, intermediary and service separately; XWSS secures the message end-to-end between client and service]

Page 14

Trust (getting security tokens)
[Diagram: client (.NET 3.x or Java), service (.NET 3.x or Java), STS (e.g., Access Manager)]
1. Client runs wsimport against the service (MEX or ?wsdl)
2. Service returns WSDL + Policy carrying the STS address
3. Client requests a token from the STS
4. STS returns the token
5. Client message signed/encrypted with the token
6. Server response signed/encrypted with the token

Page 15

Secure Conversation (optimization)
[Diagram: client (.NET 3.x or Java), service (.NET 3.x or Java), STS (e.g., Access Manager)]
WITHOUT Secure Conversation: get a key from the STS for each message
1. Get WSDL
2. STS issues token A for msg 1
3. msg 1 signed/encrypted with token A
4. STS issues token B for msg 2
5. msg 2 signed/encrypted with token B

Page 16

Secure Conversation (optimization)
[Diagram: same parties as the previous slide]
WITH Secure Conversation: derive keys from the initial STS key
1. Get WSDL
2. STS issues token A for msg 1
3. msg 1 signed/encrypted with token A
4. msg 2 signed/encrypted with a derived key
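What "derive keys from the initial STS key" means in practice, as an added example in Python that is not Metro, WCF or Access Manager code: the P_SHA1 function and the wsc:DerivedKeyToken computation from WS-SecureConversation 1.3, plus a stand-in STS that counts round trips so the two slides can be compared. An HMAC-SHA256 tag over a byte-string body stands in for XML Signature, and the 32-byte proof key and 16-byte nonce sizes are choices for the illustration.

```python
"""Constructed illustration (not Metro's code) of the key handling behind the
two Secure Conversation slides: without it, every message needs a fresh key
from the STS; with it, the STS issues one SecurityContextToken secret and each
message uses a wsc:DerivedKeyToken computed locally from it with P_SHA1."""
import hashlib
import hmac
import os

# Default label from WS-SecureConversation 1.3 when the DerivedKeyToken omits wsc:Label.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret, seed, length):
    """TLS 1.0 P_hash with SHA-1, the PRF WS-SecureConversation borrows:
    A(i) = HMAC(secret, A(i-1)); output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(master, nonce, offset=0, length=16, label=DEFAULT_LABEL):
    """wsc:DerivedKeyToken: key = P_SHA1(master, label + nonce)[offset : offset+length]."""
    return p_sha1(master, label + nonce, offset + length)[offset:offset + length]


class STS:
    """Stand-in token service; counts issuances so the two modes can be compared."""

    def __init__(self):
        self.issued = 0

    def issue_key(self):
        self.issued += 1
        return os.urandom(32)  # the symmetric proof key carried with the issued token


def protect(key, body):
    """Message-layer integrity: HMAC over the body (XML Signature with an HMAC
    SignatureMethod in the real stack).  Returns the hex tag."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key, body, tag):
    return hmac.compare_digest(protect(key, body), tag)


def exchange(bodies, sts, secure_conversation):
    """Send each body to a server that shares the STS-issued key(s); return
    (all_verified, number_of_STS_round_trips)."""
    ok = True
    if secure_conversation:
        sct_secret = sts.issue_key()                  # one WS-Trust round trip for the whole session
        for body in bodies:
            nonce = os.urandom(16)                    # travels in the DerivedKeyToken header
            tag = protect(derive_key(sct_secret, nonce), body)
            # server side: same SCT secret + received nonce -> same derived key, no STS call
            ok &= verify(derive_key(sct_secret, nonce), body, tag)
    else:
        for body in bodies:
            key = sts.issue_key()                     # one STS round trip per message
            ok &= verify(key, body, protect(key, body))
    return ok, sts.issued


def tamper_detected(sct_secret=b"k" * 32, nonce=b"n" * 16):
    """Changing the body, or deriving with a different nonce, breaks verification."""
    tag = protect(derive_key(sct_secret, nonce), b"<getData/>")
    return (not verify(derive_key(sct_secret, nonce), b"<getData>x</getData>", tag)
            and not verify(derive_key(sct_secret, b"m" * 16), b"<getData/>", tag))


if __name__ == "__main__":
    print(exchange([b"msg1", b"msg2", b"msg3"], STS(), secure_conversation=False))
    print(exchange([b"msg1", b"msg2", b"msg3"], STS(), secure_conversation=True))
```

Both sides hold the SCT secret, so the receiver recomputes the key from the nonce in the DerivedKeyToken header and never goes back to the STS; a fresh derived key per message also limits what any one key protects. The interop caveat: label, offset and length are part of the token, and a stack that assumes a different default for any of them derives a different key and fails verification, which is a common cause of Metro/WCF secure-conversation mismatches.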

Page 17

Agenda
• What is Metro?
• Metro features
• Security scenarios
• Community, adoption, more info

Page 18

Security Scenarios
• Token creation and validation
• Token expiration
• Identity and attribute extraction for database search
• Identity propagation
  > thru multiple web apps & services
• Brokered trust

Page 19

Token Creation and Validation
[Diagram: Client (.NET SOAP) → GetDataWS (GF/Metro SOAP); STS = AM (Metro SOAP)]
1. HTTPS/MEX to get the GetDataWS WSDL
   1a. The GetDataWS WSDL indicates that a SAML token from the STS is required
2. getData called
   2a. HTTPS/MEX to get the STS WSDL
   2b. HTTP/SAML security to perform the STS operation that issues the token
   2c. Pass the token (with the attribute inserted directly in the token) to GetDataWS
3. GetDataWS returns the result when a valid token is received

Page 20

Protocols used in Token Creation scenario
• WS-Transfer / WS-MetadataExchange
  > Used to obtain the service and STS WSDLs
• WS-Trust
  > Used by the client to obtain a security token from the STS
• WS-Security
  > Used to sign/encrypt messages between client and service
• STS = Security Token Service
  > Sun Access Manager (AM) in this example
  > Uses SAML tokens
  > More on STS and SAML in subsequent slides

Page 21

Token Expiration
[Diagram: Client (.NET SOAP) → GetDataWS (GF/Metro SOAP); STS = AM (Metro SOAP)]
1. Same setup / interaction as the previous slide.
2. Change the token expiration on the STS to 5 seconds.
3. After getting the token from the STS, have the client sleep 10 seconds, then call getData. It should receive an "invalid token" fault.
4. Change the token expiration on the STS to 15 seconds.
5. After getting the token from the STS, have the client sleep 10 seconds, then call getData. It should now receive a valid result.

Page 22

STS used in SAML Token Creation scenario
• STS == Security Token Service
  > The STS in this example is Sun's Access Manager (AM)
• SAML == Security Assertion Markup Language
• SAML tokens generated by the STS carry details ('claims') about the client to the server
  > Tokens have predefined elements & attributes
  > A token can include user-defined claims
• The token includes an 'expires' element
  > The STS (in this example) sets 'expires' to 15 seconds

Page 23

Identity and attribute extraction for Database Search
[Diagram: Client (Metro SOAP) → GetDataWS (IIS .NET SOAP); STS backed by Active Directory (.NET SOAP)]
1. HTTPS/MEX to get the GetDataWS WSDL.
   1a. The GetDataWS WSDL indicates that a SAML token from the STS is required.
2. User A (permission to SOME data) logs in and calls getData.
   2a. HTTPS/MEX and HTTP/SAML STS interaction.
   2b. Pass the token (with the attribute inserted directly in the token) to GetDataWS.
3. Use the token to determine the user's role. The result should be a subset of the data (e.g., 5 rows).
User B (permission to ALL data) logs in and issues the SAME query. The result should be all the data (e.g., 10 rows).

Page 24

STS used in DB search scenario
• The STS in this example is backed by Active Directory (AD)
• The user supplies credentials to authenticate to Active Directory (username/password, X.509, etc.)
• The STS issues a SAML token with claims regarding the user
  > Identity
  > The STS inserts an additional claim regarding the user's ROLE (as defined in AD)
• GetDataWS verifies that the SAML token was issued by a trusted STS
• The role is extracted from the SAML token
  > Used in DB access
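The checks GetDataWS has to make in the Token Expiration scenario (page 21) and the Database Search scenario (pages 23 and 24), as one added example in Python that is not Metro, WCF or Access Manager code. Standing in for the STS, it builds a constructed, unsigned SAML 2.0 assertion; standing in for the service, it accepts only a trusted issuer and an unexpired time window with a small clock-skew allowance, extracts the ROLE claim and turns it into an allow-listed set of bind parameters for an in-memory SQLite table of 10 rows (5 public, 5 restricted). The issuer URI, the 'role' attribute name, the role-to-sensitivity mapping and the 2-second skew are assumptions.

```python
"""Constructed illustration (not Metro or Access Manager code) of what the
relying party, GetDataWS, does with the SAML token in the Token Expiration and
Identity/attribute-extraction scenarios.  Signature verification (XML-DSig over
the assertion) is deliberately out of scope and in real code must succeed
before any of this runs; parse untrusted XML with a hardened parser such as
defusedxml rather than the stdlib one used here for brevity."""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
FMT = "%Y-%m-%dT%H:%M:%SZ"
TRUSTED_ISSUERS = {"https://sts.example/am"}   # hypothetical STS (Access Manager) entity ID
CLOCK_SKEW = timedelta(seconds=2)              # tolerated STS/service clock difference
ROLE_FILTER = {"some": ("public",), "all": ("public", "restricted")}  # hypothetical role -> sensitivities


def make_token(subject, role, issued, lifetime_s, issuer="https://sts.example/am"):
    """STS stand-in: an (unsigned) SAML 2.0 assertion whose Conditions carry the expiry."""
    expires = issued + timedelta(seconds=lifetime_s)
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_1" IssueInstant="{issued.strftime(FMT)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{issued.strftime(FMT)}" NotOnOrAfter="{expires.strftime(FMT)}"/>'
        '<saml:AttributeStatement><saml:Attribute Name="role">'
        f"<saml:AttributeValue>{role}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


def validate_token(token_xml, now):
    """Relying-party checks. Returns (claims, None) or (None, fault_reason)."""
    root = ET.fromstring(token_xml)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return None, "no validity conditions"
    parse = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    if now + CLOCK_SKEW < parse(cond.get("NotBefore")):
        return None, "token not yet valid"
    if now - CLOCK_SKEW >= parse(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        return None, "token expired"
    claims = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims, None


def open_records_db():
    """RecordsDB stand-in: 10 rows, 5 public and 5 restricted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, sensitivity TEXT, data TEXT)")
    db.executemany("INSERT INTO records (sensitivity, data) VALUES (?, ?)",
                   [("public" if i % 2 else "restricted", f"row {i}") for i in range(1, 11)])
    return db


def get_data(token_xml, now, db):
    """GetDataWS.getData: fault on an invalid token, otherwise the rows the ROLE claim permits.
    The role never reaches the SQL text; it only selects an allow-listed tuple of bind values."""
    claims, fault = validate_token(token_xml, now)
    if fault:
        return {"fault": f"invalid token: {fault}"}
    allowed = ROLE_FILTER.get(claims.get("role"), ())
    if not allowed:
        return {"fault": "unknown role"}
    marks = ",".join("?" * len(allowed))
    rows = db.execute(f"SELECT id, data FROM records WHERE sensitivity IN ({marks})", allowed).fetchall()
    return {"subject": claims["subject"], "rows": rows}


def scenario(subject, role, lifetime_s, wait_s, issuer="https://sts.example/am"):
    """Token issued at T0 with the given lifetime; the client sleeps wait_s, then calls getData."""
    t0 = datetime(2009, 2, 26, 10, 0, 0, tzinfo=timezone.utc)
    token = make_token(subject, role, t0, lifetime_s, issuer)
    return get_data(token, t0 + timedelta(seconds=wait_s), open_records_db())
```

scenario("userA", "some", lifetime_s=5, wait_s=10) returns the "invalid token" fault from page 21, the same call with lifetime_s=15 returns 5 rows, and "userB" with role "all" gets all 10. Two caveats the slides leave implicit: the expiry is judged on the service's clock, so STS and service must be time-synchronized (a 5-second lifetime leaves almost no room for skew), and the role claim is only as trustworthy as the signature check that must precede this code; without it the role is attacker-controlled.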

Page 25

Identity Propagation thru multiple web apps & services
[Diagram: Client (browser using CardSpace) → GetData Web App (GF/Metro SOAP) → GetDataWS (IIS .NET SOAP) → RecordsDB; GetDataWS → (+RM) AuditWS (GF/Metro SOAP) → AuditDB; STS A = AM (Metro SOAP)]
1. The browser-based client authenticates via CardSpace + AM.
2. The client calls the GetData Web Application.
3. The GetData WA calls GetDataWS.getData.
   3a. GetDataWS gets data from RecordsDB.
   3b. GetDataWS also calls AuditWS.audit, using WS-RM.
Validate: the record must be retrieved correctly and the AuditDB entry verified. The audit record should show User A, time, application, GetDataWS and RecordsDB.
NOTE: GetDataWS and AuditWS are also secured using the initial client token.

Page 26

WS-ReliableMessaging
• Used between GetDataWS and AuditWS
• To ensure the audit trail
• Ensures all messages sent are received (delivery to the RM destination is assured; writing the audit record once it arrives remains AuditWS's responsibility)

Page 27

Brokered Trust
[Diagram: same topology as the previous scenario, with STS A = AM (Metro SOAP) and STS B = Active Directory (.NET SOAP)]
Same as the previous scenario except: GetDataWS has a trust relationship with STS A, AuditWS has a trust relationship with STS B. STS A and B trust each other.

Page 28

Brokered Trust
• The user supplies credentials to authenticate to STS A (AM)
• Identity is propagated through multiple web apps/services
• AuditWS does not know/trust STS A (AM)
• AuditWS trusts STS B (AD)
• STS B has a trust relationship with STS A (via WS-Trust)
• STS B can use STS A to validate the identity

Page 29

Before Project Metro: only WS-I BP 1.1 interop
[Diagram: Sun-managed side (Project GlassFish Retail Quote Service, Project GlassFish Wholesale Quote Service, Trust Authority, Java EE Platform, Java client) and Microsoft-managed side (.NET Wholesale Service, .NET Trust Authority, WCF client); the only cross-vendor links are BP 1.1 calls, the two trust authorities are not connected]

Page 30

With Project Metro
[Diagram: same topology; the Sun and Microsoft trust authorities are now STSs linked by WS-Trust, and the cross-vendor service calls carry QoS and security interop]

Page 31

Security Summary
• Web Service Interoperability
  > Java web services using Metro and GlassFish
  > .NET 3.5 web services using Windows Communication Foundation
• Identity
  > Sun Access Manager
  > (Microsoft Active Directory)
  > WS-Trust
  > SAML
  > InfoCard
• Security
  > SAML, WS-Security, WS-SecureConversation, WS-SecurityPolicy

Page 32

Agenda
• What is Metro?
• Metro features
• Security scenarios
• Community, adoption, more info

Page 33

Community
• Visible development at java.net
  > metro, jax-ws, wsit, jax-ws-commons
  > Continuous testing using Hudson
• Fully open source
  > CDDL and GPL v2 licenses
  > Source code, e-mails, forums
• Light-weight committer process
  > to encourage external contributions
• Features driven by users and community
  > Spring, SMTP, JSON, stateful Web services, etc.

Page 34

Metro Runtime & Tools
• Containers (runtime)
  > Integrated in GlassFish V2 and V3
  > Light-weight HTTP server (Java SE 6)
  > JBoss WS 2.1.0, BEA WLS 10, IBM JDK Version 6, TmaxSoft JEUS, Tomcat, Jetty
  > Any Servlet 2.4 container
• Development Tools
  > Command-line: wsimport, wsgen
  > NetBeans IDE
  > Maven plugins
  > Eclipse (soapUI plugin)

Page 35

Adoption
• BEA/Oracle WebLogic Server 10
• JBoss WS 2.1.0
• IBM JDK Version 6
• Salesforce.com for APEX 8.0 toolkit
• Many others ...
  > TmaxSoft, Worldspan, MailVision Ltd., MyUniPortal, Northrop Grumman Corporation, Cordys, SLIB, Expeditors International, Cast Iron Systems, Covergence, National Science Foundation, etc.

Page 36

Reference – More Info
• Metro
  > metro.dev.java.net
  > [email protected]
  > https://forums.java.net/jive/forum.jspa?forumID=46
  > http://feeds.feedburner.com/MetroBlogs
• GlassFish Community
  > glassfish.java.net
  > blogs.sun.com/theaquarium
• Access Manager and OpenSSO blogs:
  > http://planets.sun.com/OpenSSO/
  > http://developers.sun.com/identity/
  > http://www.sun.com/software/products/access_mgr/index.jsp
  > http://opensso.org/
  > http://blogs.sun.com/main/tags/infocard

Page 37

Extra Slides

Page 38

Metro Overview
[Diagram: Metro – GlassFish Web Services Stack (metro.dev.java.net). Web Services Core: Security, Transactions, Reliability, Commons; SOAP; XML Processing (JAXB, JAXP, SAAJ); transports and bindings HTTP, SMTP, Spring, JSON, ...]

Page 39

Metro Features – Composite Service (Brokered Trust)
[Diagram: a Service Consumer in an unmanaged environment calls a Service Provider in a managed environment, which in turn calls further Service Providers; each environment has its own Trust Authority, and the two Trust Authorities share a trust relationship]

Page 40

InfoCard
• CardSpace – Microsoft's identity metasystem
  > Supports multiple identity systems
  > Based on standards (e.g., WS-Security, WS-Trust, WS-MetadataExchange, WS-SecurityPolicy)
• Users download cards from identity providers
  > their bank, etc., or create their own self-issued cards
• Cards are used to convey any information from the identity provider to the relying party that makes sense to both of them
• CardSpace lets the user select a card that provides the identity and required claims to the STS
• Sun's Access Manager supports InfoCard using its own identity system
• The SAML token returned by the STS includes the identity, which is propagated and verified by Metro- and .NET-based services

Page 41

Page 42

Demo
Ease-of-use with the NetBeans 6 IDE
http://blogs.sun.com/arungupta/entry/screncast_ws7_secure_and_reliable