UCCS CS 6910 - ADVANCED SYSTEM SECURITY DESIGN

This preview shows page 1-2-3-4-5-6 out of 17 pages.


Unformatted text preview:

WEB SERVICE SECURITY
ADVANCED SYSTEM SECURITY DESIGN
UNIVERSITY OF COLORADO, COLORADO SPRINGS
MARIA LIZARRAGA
CS 691

TABLE OF CONTENTS

Introduction
Web Services Architecture
Communication
SOAP Messages
Security in Web Services
XML Digital Signatures
XML Encryption
Basic Authentication
Implementing Security Within WebSphere
Summary
References
Appendix
XML Digital Signature Example
XML Encryption Example
Basic Authorization Example

INTRODUCTION

An important benefit of web services is being able to programmatically access remote data easily. There is no need for human intervention. If the service is between two businesses, they will most likely want to share private information. They will want to limit access to the data, they will want to ensure the data does not get corrupted, and they will not want others to see the data as it passes over the network. Today's firewalls are XML aware. Web services can take advantage of XML security standards to implement security within a web service.

To begin this discussion, I first briefly discuss the web service architecture and how the communication process works. Then I will get into the specific techniques that can be used to secure the service.

WEB SERVICES ARCHITECTURE

There are three entities that communicate with each other during the lifecycle of a web service. These entities are depicted in figure 1. They use HTTP to communicate with each other. There are 3 communication links: server/client, server/registry, and client/registry. Security can be a concern on all links.

Figure 1. Web Service Architecture

All links use Simple Object Access Protocol (SOAP) messages embedded in HTTP. Security is enabled in the SOAP message through XML security technologies.

COMMUNICATION

Web services are transmitted to the server using SOAP messages over HTTP. With a traditional network layer firewall, if the user was authenticated at the firewall, the message would be routed to the web server, as shown in figure 2. However, if a service had limited access, the firewall was not able to read into the SOAP message to determine whether the user had privileges to use the service or not. Any user who made it through the firewall was able to use the service. The SOAP server does not handle security.

Figure 2. Web Service Communication Through a Traditional Firewall

Nowadays, firewalls are XML aware and can look at the application layer. SOAP messages adhere to a standard XML format to transmit information. This makes SOAP messages a perfect vehicle for supplying the security information necessary for the XML firewall to determine whether to authorize a client to use a service. Only those authorized to utilize the service are forwarded to the SOAP server. Let's take a look at the structure of the SOAP message.

SOAP MESSAGES

The SOAP message contains three parts: an envelope, a header, and the body. The header is optional. The header and the body go into the envelope. A message can have attachments. Video or image files can be sent as attachments. Let's take a closer look at the first three elements.

Envelope

The envelope must contain the opening and closing envelope tags. These tags make it a SOAP message. The attribute xmlns: defines what namespace to use. The envelope must contain a SOAP envelope namespace. In this case, it is:

    http://schemas.xmlsoap.org/soap/envelope/

This is what a typical SOAP envelope looks like:

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      ...
    </soapenv:Envelope>

Header

The header is an optional element. There can be more than one
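
The envelope rules described above (SOAP 1.1 envelope namespace, optional header, body inside the envelope), written as the kind of structural pre-check an XML-aware gateway could run before it looks at any security information. This is an added example, not code from the original paper; the function name check_envelope, the sample messages and the urn:example:stock namespace are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace, as used in the envelope shown on this page.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
HEADER = f"{{{SOAP_ENV}}}Header"
BODY = f"{{{SOAP_ENV}}}Body"

def check_envelope(raw: bytes):
    """Return (ok, reason) for a candidate SOAP 1.1 message."""
    # SOAP 1.1 forbids a DTD; refusing it before parsing also keeps
    # entity-expansion payloads away from the XML parser.
    if b"<!DOCTYPE" in raw.upper():
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "not well-formed XML"
    # Namespace names are compared as exact strings.
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "root is not a SOAP 1.1 Envelope"
    children = [child.tag for child in root]
    if children and children[0] == HEADER:
        children = children[1:]          # optional Header, first child only
    if HEADER in children:
        return False, "Header must be the first child and appear once"
    if not children or children[0] != BODY:
        return False, "Body missing or not directly after Header"
    if children.count(BODY) != 1:
        return False, "exactly one Body expected"
    return True, "ok"

# Constructed sample messages (not taken from the paper).
NS = b'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
GOOD = (b'<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope ' + NS +
        b'><soapenv:Header/><soapenv:Body><getQuote xmlns="urn:example:stock"/>'
        b'</soapenv:Body></soapenv:Envelope>')
BODY_FIRST = (b'<soapenv:Envelope ' + NS + b'><soapenv:Body/>'
              b'<soapenv:Header/></soapenv:Envelope>')
NO_SLASH = GOOD.replace(b'/soap/envelope/"', b'/soap/envelope"')
WITH_DTD = b'<!DOCTYPE e [<!ENTITY a "b">]>' + BODY_FIRST

if __name__ == "__main__":
    for name in ("GOOD", "BODY_FIRST", "NO_SLASH", "WITH_DTD"):
        print(name, check_envelope(globals()[name]))
```

The NO_SLASH case shows why the namespace string matters: dropping the trailing slash yields a different namespace, so the message is not treated as a SOAP 1.1 envelope at all.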

