Secure Systems Research Group - FAU
Web Services Products and Tools
Ingrid Buckley
Dept. of Computer Science and Engineering
Florida Atlantic University
Boca Raton, FL, USA
April 18, 2007
AGENDA
• Objective
• Introduction
• Web Service Products
– Standards
– Features
• Web Service Tools
• Web Service Patterns
• Conclusion
Objectives
• Evaluation of products and development tools used to create web services including their capabilities.
• Identifying areas that either have no support or can be better enhanced to increase the overall efficiency of the products and tools used in the development of web services.
• Providing some possible solutions.
Introduction
• A Web Service is a component in a system designed to support interoperable machine-to-machine interaction over a network.
• Web services are frequently just Web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services.
• Web services communicate using XML messages that follow the SOAP standard.
• Web services are regulated by web service standards.
Web Service Products
• Web services are generally used in two ways:
– for remote procedure calls (RPC)
– Document Style
• Several products are available on the market that offer one or more of these functionalities.
• There are two basic architectural approaches for platforms that support web services:
– Microsoft .NET
– Sun ONE (J2EE)
• A variety of companies develop products to implement web services, including:
– IBM, Microsoft, IONA, BEA, and SUN
Web Service Products
• Xtradyne - Xtradyne's WS-DBC
• IBM - Tivoli Identity Manager and Tivoli Access Manager
• IONA – Artix
• Netegrity - TransactionMinder
• Forum Sentry™ Web Services Security Suite
• Microsoft Trust Bridge
• BEA - BEA WebLogic Enterprise Security
Xtradyne - Xtradyne's WS-DBC
• The Web Services Domain Boundary Controller (WS-DBC) is an XML Firewall.
• It provides protection against malformed messages and malicious content, encryption/decryption of XML messages, XML digital signatures, authentication, authorization, and audit.
• It conforms to the WS-Security, SAML, WSDL, and XML Digital Signatures standards.
IBM - Tivoli Identity Manager and Tivoli Access Manager
• Tivoli Identity Manager is a policy-based user management solution.
• Tivoli Access Manager is a policy-based access control solution.
• Provides authentication and authorization APIs that allow integration with application platforms such as J2EE.
• This product conforms to WS-Federation and SAML standards.
IONA – Artix
• Artix is an extensible Enterprise Service Bus (ESB).
• It enables an enterprise to integrate and expose its applications as web services.
• The security features include a role-based access control mechanism, authentication, support for WS-Security, single sign-on (SSO), a Netegrity plug-in, an LDAP plug-in, and an Active Directory plug-in.
• It conforms to the WS-Security and SAML standards.
Netegrity - TransactionMinder
• TransactionMinder provides centralized authentication, policy-based authorization, and audit for web services transactions.
• It does so by intercepting requests made to web services, analyzing them, and communicating with the Netegrity Policy Server.
• Netegrity conforms to the SOAP, WSDL, SAML and XML Digital Signatures standards.
Forum Sentry™ Web Services Security Suite
• Enables trusted information sharing using XML data and Web services across different security domains and business processes.
• Forum Sentry supports the implementation of secure service-oriented architectures and event-driven applications.
• Conforms to XML Digital Signature, XML Encryption, WS-Encryption, WS-Digital Signatures, WSDL 1.1/1.2, WS-Security, SAML, XKMS and WS-I Basic Profile standards.
Microsoft Trust Bridge
• Microsoft Trust Bridge technology will allow different organizations using the Windows operating system to exchange user identities and interoperate in heterogeneous environments.
• It uses industry-standard XML Web services protocols, including Kerberos, WS-Security and forthcoming protocols in WS-Policy and the WS-Security family.
• Federated identity management makes it easier for businesses to interact with customers, partners and suppliers, thus increasing communication amongst stakeholders.
BEA - BEA WebLogic Enterprise Security
• BEA WebLogic Enterprise Security provides access control to applications based on policies.
• Includes policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.
• Conforms to the SAML and WSDL 1.1 standards.
Security Standards
Standards IBM IONA BEA XTRADYNE NETEGRITY FORUM Microsoft Trust Bridge
XML Encryption X X X
XML Signature X X X
SAML X X X X X X X
WS-Security X X X X
WS-Encryption X X X X X
WS-Reliability X
WS-TRUST X X
WS-Federation X X
WSDL X X
Security Features
Functionalities IBM IONA BEA XTRADYNE NETEGRITY FORUM Microsoft Trust Bridge
XML schema validation X X
Web services access control X X X X X X X
User Authentication X X X X X X X
Audit X X X X X
Alerts X X
Standards validation
Virus scanning X X X
Integrity checks X X X
SSO X X X
Web Service Tools
• GlassFish
• Eclipse Web Tools Platform (WTP)
• MissionKit
• Stylus Studio®
GlassFish
• GlassFish is an open source application server which implements some new features in the Java EE 5 platform.
• The Java EE 5 platform includes the latest versions of technologies such as:
– JavaServer Pages (JSP) 2.1
– JavaServer Faces (JSF) 1.2
– Servlet 2.4
– Enterprise JavaBeans 3.0
– Java API for Web Services (JAX-WS) 2.0
– Java Architecture for XML Binding (JAXB) 2.0
– Web Services Metadata for the Java Platform 1.0
Eclipse Web Tools Platform (WTP)
• The Eclipse Web Tools Platform project extends the Eclipse platform with tools for developing web services and Java EE applications.
• It includes source and graphical editors for a variety of languages, wizards and built-in applications.
• Includes tools and APIs to support deploying, running, and testing web applications.
MissionKit
• The Altova MissionKit for XML Developers is designed for XML and software developers; it includes XML data integration and style sheet design capabilities.
• MissionKit supports:
– XML, XSD, XSLT, and XQuery development
– WSDL and SOAP Web services development
– XML, database, flat file, EDI, and Web services data mapping / conversion
– Graphical Web services creation
– XML-aware file and directory differencing/merging
– Advanced XML Schema management
– Semantic Web development
Stylus Studio®
• Stylus Studio® 2008 XML Enterprise Suite provides a set of XML tools and features for working with XML, XQuery, web services, XML publishing, and other XML technologies.
• Stylus Studio includes the following features:
– Apache Axis: Stylus Studio® uses Apache Axis to query web services for exploring, to retrieve data through web services, and to generate code for web services. Additionally, using the support of the XML converters, web services through Axis can be built into your own applications, called and executed through XSLT and/or XQuery, and used in XML pipelines and XML reports.
– Integrating Web Services using XQuery: Web services provide process abstraction while XQuery provides a flexible means for data abstraction.
– Web Service Data Mapping: Stylus Studio® allows you to use web services as XML data sources to be used in live XML mapping projects.
Mashups
• A mashup is a web application that combines data from more than one source into a single integrated tool.
• These are being used more in web services to deliver a richer and more interactive experience to users.
• The following are a few editors that are used to create mashups:
– Google Mashup Editor
– Openkapow
– Microsoft Popfly Mashup Editor
Google Mashup Editor
• Google Mashup Editor is an AJAX development framework and a set of tools that enable developers to quickly and easily create simple web applications and mashups with Google services like Google Maps and Google Base.
Openkapow
• Openkapow is an open service platform which allows you to build your own services (called robots) and deploy them.
• The robots access web sites and allow the use of data, functionality and even the user interface of other web sites.
Microsoft Popfly Mashup Editor
• Microsoft Popfly Mashup Editor is a tool for creating and sharing mashups built on Silverlight technology.
• In addition to its tools for developers, Popfly is offering some consumer-facing applications that allow users to create web pages and build custom widgets for their blogs and social networking profiles.
Web Service Patterns
• XACML Authorization
– Enables an organization to represent authorization rules in a standard manner.
• XACML Access Control Evaluation
– This pattern decides if a request is authorized to access a resource according to policies defined by the XACML Authorization pattern.
• WSPL
– Enables an organization to represent access control policies for its web services in a standard manner.
– It also enables a web services consumer to express its requirements in a standard manner.
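The split between the two XACML patterns above, shown as an added example that is not part of the original slides: rules are held in one uniform structure (Authorization) and a separate decision function evaluates requests against them (Access Control Evaluation). It is a simplified in-memory model rather than XACML's XML syntax; the attribute names, the sample policy and the requests are constructed, and the deny-overrides combining and fail-closed enforcement go beyond what the slide states.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    """One authorization rule: an effect plus the attributes it targets."""
    effect: str
    target: dict  # attribute name -> required value; an absent key matches anything

    def matches(self, request: dict) -> bool:
        return all(request.get(k) == v for k, v in self.target.items())

# Constructed sample policy (XACML Authorization pattern): every rule has the
# same shape, so rules live in one place instead of inside service code.
POLICY = [
    Rule(PERMIT, {"role": "clerk", "resource": "orders", "action": "read"}),
    Rule(PERMIT, {"role": "manager", "resource": "orders"}),
    Rule(DENY, {"resource": "orders", "action": "delete", "channel": "external"}),
]

def evaluate(policy, request):
    """Decision point (XACML Access Control Evaluation pattern).

    Combines rule effects with deny-overrides: any matching Deny wins,
    otherwise any matching Permit, otherwise NotApplicable.
    """
    decision = NOT_APPLICABLE
    for rule in policy:
        if rule.matches(request):
            if rule.effect == DENY:
                return DENY
            decision = PERMIT
    return decision

def enforce(policy, request):
    """Enforcement point: fail closed, only an explicit Permit is let through."""
    return evaluate(policy, request) == PERMIT

if __name__ == "__main__":
    for req in (  # constructed requests
        {"role": "clerk", "resource": "orders", "action": "read", "channel": "internal"},
        {"role": "manager", "resource": "orders", "action": "delete", "channel": "external"},
        {"role": "guest", "resource": "orders", "action": "read", "channel": "internal"},
    ):
        print(req, "->", evaluate(POLICY, req), "| allowed:", enforce(POLICY, req))
```

The manager request matches both a Permit and a Deny rule; deny-overrides resolves it to Deny, and the guest request, which no rule covers, is refused by the enforcement point rather than allowed by omission.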
Patterns
• Enumerate existing patterns to define or build on existing ones.
• These patterns are for Security only
Conclusion
• Many of the web service products and tools discussed only conform to a few of the web services standards.
• It is difficult to select the right web services product or tool.
• Many companies do not explicitly state the features and standards which are supported by their products or tools. It is time-consuming to determine the standards that a tool or product conforms to.
• Many products are not compliant with the WS-Reliability standard and many tools do not implement it.
Conclusion…
• Patterns are used to solve recurrent general problems in a given context; they are flexible in how they can be used in different products and tools of varying purposes.
• A possible solution to this problem is using web service patterns in the implementation and design of web services products and tools.
• More web service patterns could be written to conform to a combination of web service industry standards.
• This would make it easier for customers to make informed decisions regarding a particular tool based on the web service patterns it implements.
Conclusion
• A pattern can be specialized or generalized to suit the needs of a product or tool.
• Create composite web service patterns which can be used to implement many web service standards.
• Web service products can be implemented using such composite patterns.
• This would make it easier for web services developers to implement them in web service products and tools, which could streamline the integration of more web service standards into web service products and tools.