Java Security: Web Services Security (Overview)
Lecture 9

Deck outline: Java 2 Cryptography; JCA + JCE; JCA + JCE Principles; Providers; Providers Implementation; Configuration and Management; Engine and SPI; Enterprise Security for Web Services; Web Service; XML; SOAP; Security Technologies; XML Signature; XML Signature Structure; XML Signature: Enveloping Signature; XML Signature: Enveloped Signature; XML Signature: Detached Signature; XML Encryption Structure; XML Encryption: Example; SAML; SAML - scenario; SAML - how it works; SAML Example; SAML protocol; SAML Authorization/Attribute Assertions; SAML Architecture; SAML Protocol; SAML Binding; WS-Security; HTTP Transport Security Versus Message Security; HTTP-TS Pros and Cons; Message Security Pros and Cons; Web Services Security Stack.

Java 2 Cryptography

- Java provides an API + SPI for crypto functions
- Java Cryptography Architecture (JCA): security-related core classes; access control and cryptography; message digest, digital signatures, certificate management
- Java Cryptography Extension (JCE): other core classes; key exchange, MAC

JCA + JCE

- Engine: an abstract cryptographic service, e.g. message digest, digital signatures
  - To provide cryptographic operations
  - To generate or supply the crypto material
  - To generate and manage data objects (certificates or keys, i.e. keystores)
  - Use instances of an engine class for crypto operations
- Algorithm: an implementation of an engine, e.g. MD5 for MessageDigest
- Provider: a (set of) package(s) that supplies concrete implementations of a subset of the cryptographic services (DS, MD, etc.)

JCA + JCE Principles

- Provider-based architecture
  - Vendors can register implementations of algorithms
  - Providers can be configured declaratively, so the application code does not need to change
  - Allows different implementations to be found at runtime
- Implementation independence and algorithm independence
  - Engine class; SPI class implemented by providers
  - Implementations expose the same API: MessageDigest.getInstance("MD5")

JCA + JCE Principles (continued)

- Implementation interoperability
  - Various implementations can work with one another
  - Use one another's keys
  - Verify one another's messages
- Algorithm extensibility
  - New algorithms can be easily plugged in
  - Has to be compliant with the MessageDigest API

Providers

- SPI is key to pluggability, extensibility and module independence
- It is a set of Java-language interfaces and abstract classes for cryptographic services
- A Provider is a pluggable module that provides concrete implementations of some SPI methods
- java.security and javax.crypto and their subpackages contain many SPI interfaces that JCA and JCE providers can implement

Providers Implementation

- Concept of a provider class
  - Provider class in java.security: an abstract class that must be subclassed by providers
  - Its constructor sets the values used to look up algorithms
  - Main provider: if it implements all the SPI methods
  - Every provider should have one master class; it must have a default constructor so that it can be loaded when the JVM starts up
  - Property/value pairs: (SPI label, corresponding class that implements it)
- For a cryptographic service, getInstance() of the corresponding engine class is called; optionally a Provider is indicated

Providers (continued)

- getInstance() relies on the java.security.Security class to search the providers registered in the java.security file:

    security.provider.1=com.ibm.jsse.IBMJSSEProvider
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath

Configuration and Management

- Copy the provider package JAR file into the application/boot/extension class path
- Configure the Provider
  - Static: in the java.security file; order is important; effective in the Java runtime, read once
  - Dynamic: addProvider(), insertProviderAt(); to change a position, removeProvider() and then add again; needs the permission "insertProvider.name"

Engine and SPI

- Engine classes are the interfaces between the user code and the implementations
- Implementations are found at runtime

Engine and SPI (continued)

- The engine class calls the SPI class methods
- SPI class method names begin with "engine"
- Implementation of the abstract SPI is done by providers and encapsulated as a private field

Enterprise Security for Web Services

- XML: simplicity and flexibility; facilitates B2B messaging
- Security is a big concern
- Structured semantics and schema-driven nature: XML security technologies are available
  - Encryption: elements, sections
  - Digital signatures: all or parts, by one or more entities
  - Access control

Web Service

- A web service is an interface that describes a collection of network-accessible operations based on open internet standards
- Potential to enable application integration at a higher level of the protocol stack, based on Web Services standards:
  - XML
  - Simple Object Access Protocol (SOAP)
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)

XML

- Structured semantics and schema-driven nature
- Policies can be expressed in XML by organizations and then changed back to platform-specific enforcement mechanisms
- Encryption can be employed: sections, all parts signed, etc.
- Trading Partner Agreements, SAML and XACML

SOAP

- Simple, lightweight and extensible XML-based mechanism for exchanging structured data between network applications
- Consists of:
  - An envelope: what is in the message and who should deal with it
  - A set of encoding rules
  - A serialization mechanism that can be used to exchange instances of application-defined data types
- Can be used in (re-enveloped with) other protocols such as HTTP

SOAP (continued)

- It supports a modular architecture; it allows defining the following in separate documents:
  - WS Addressing Specification (WS-Addressing)
  - WS Security Specification (WS-Security)
- A SOAP envelope is defined in an Envelope XML element and consists of two parts:
  - Header: adds features to the messages; meta information can be added to the message, e.g. transaction IDs, message routing information, message security
  - Body: mechanism for exchanging information

Security Technologies

- XML Signature: validation of the messages and non-repudiation
- SAML: AuthML + Security Services ML
  - Authentication + authorization profile information
  - Common language for sharing of security
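The provider lookup, static/dynamic configuration and engine-to-SPI delegation described in the JCA slides above, as an added example that is not part of the lecture: a hypothetical DemoProvider registers a toy MessageDigestSpi (a byte sum, not a real hash) under the assumed algorithm name DEMO-SUM, and main() walks the registered provider order, resolves SHA-256 without naming a provider, then inserts, uses, removes and re-inserts the demo provider.

```java
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.Provider;
import java.security.Security;

public class ProviderDemo {
    // Hypothetical provider. Its constructor registers the SPI label
    // "MessageDigest.DEMO-SUM" -> implementing class, the property that
    // getInstance() looks up through java.security.Security.
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("DemoProvider", "1.0", "Toy provider for a lecture example");
            put("MessageDigest.DEMO-SUM", DemoSumSpi.class.getName());
        }
    }

    // SPI implementation: the engine class (MessageDigest) delegates to these
    // engine* methods. A byte sum is NOT a digest; it only shows the plumbing.
    public static final class DemoSumSpi extends MessageDigestSpi {
        private long sum;
        @Override protected void engineUpdate(byte b) { sum += (b & 0xff); }
        @Override protected void engineUpdate(byte[] in, int off, int len) {
            for (int i = off; i < off + len; i++) engineUpdate(in[i]);
        }
        @Override protected byte[] engineDigest() {
            byte[] out = new byte[8];
            for (int i = 7; i >= 0; i--) { out[i] = (byte) sum; sum >>>= 8; }
            return out;  // sum is now 0, i.e. the state is already reset
        }
        @Override protected void engineReset() { sum = 0; }
    }

    public static void main(String[] args) throws Exception {
        // Static configuration: providers from java.security, in search order.
        for (Provider p : Security.getProviders()) System.out.println(p.getName());
        // Algorithm independence: no provider named, the first match in that order wins.
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        System.out.println("SHA-256 served by " + sha.getProvider().getName());

        // Dynamic configuration: insertProviderAt() puts the new provider first in the
        // search; under a SecurityManager this needs SecurityPermission "insertProvider".
        Security.insertProviderAt(new DemoProvider(), 1);
        MessageDigest demo = MessageDigest.getInstance("DEMO-SUM", "DemoProvider");
        byte[] d = demo.digest("hello".getBytes("US-ASCII"));
        System.out.println("DEMO-SUM of \"hello\" ends in byte " + (d[7] & 0xff));

        // Changing a provider's position means removeProvider() and then inserting again.
        Security.removeProvider("DemoProvider");
        Security.insertProviderAt(new DemoProvider(), Security.getProviders().length + 1);
    }
}
```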