UTD CS 7301 - Lecture #16 Web Services and Security

This preview shows page 1-2-3-4-5 out of 16 pages.


Dr. Bhavani Thuraisingham
October 2006
Trustworthy Semantic Webs
Lecture #16: Web Services and Security

16-2 01/14/19 08:04

Outline
- Web Services
- Service Oriented Architectures
- Web Services Description Language
- UDDI
- SOAP
- WSDL with XML
- Security
- OASIS
- Federated identity
- Directions
- http://www.service-architecture.com/articles/index.html

Web Services Definition
- Web Services refers to the technologies that allow for making connections.
- Services are what you connect together using Web Services.
- A service is the endpoint of a connection.
- Also, a service has some type of underlying computer system that supports the connection offered.
- The combination of services, internal and external to an organization, makes up a service-oriented architecture.

Service Oriented Architectures (SOA)
- A service-oriented architecture is essentially a collection of services.
- These services communicate with each other.
- The communication can involve either simple data passing or it could involve two or more services coordinating some activity. Some means of connecting services to each other is needed.
- Service-oriented architectures are not a new thing. The first service-oriented architecture for many people in the past was with the use of DCOM or Object Request Brokers (ORBs) based on the CORBA specification.
- If a service-oriented architecture is to be effective, we need a clear understanding of the term service.
- A service is a function that is well-defined, self-contained, and does not depend on the context or state of other services.

Service Oriented Architectures
- The technology of web services is the most likely connection technology of service-oriented architectures.
- Web services essentially use XML technology to create a robust connection.
- A service consumer sends a service request message to a service provider.
- The service provider returns a response message to the service consumer.
- The request and subsequent response connections are defined in some way that is understandable to both the service consumer and service provider.
- A service provider can also be a service consumer.

Web Services Description Language
- The Web Services Description Language (WSDL) forms the basis for Web Services. The steps involved in providing and consuming a service are:
  - A service provider describes its service using WSDL. This definition is published to a directory of services. The directory could use Universal Description, Discovery, and Integration (UDDI). Other forms of directories can also be used.
  - A service consumer issues one or more queries to the directory to locate a service and determine how to communicate with that service.
  - Part of the WSDL provided by the service provider is passed to the service consumer. This tells the service consumer what the requests and responses are for the service provider.
  - The service consumer uses the WSDL to send a request to the service provider.
  - The service provider provides the expected response to the service consumer.

UDDI
- The UDDI registry is intended to eventually serve as a means of "discovering" Web Services described using WSDL.
- The idea is that the UDDI registry can be searched in various ways to obtain contact information and the Web Services available for various organizations.
- The UDDI registry is a way to keep up-to-date on the Web Services your organization currently uses.
- An alternative to UDDI is the ebXML Directory.

SOAP
- All the messages are sent using SOAP. (SOAP at one time stood for Simple Object Access Protocol; now, the letters in the acronym have no particular meaning.)
- SOAP essentially provides the envelope for sending the Web Services messages.
- SOAP generally uses HTTP, but other means of connection may be used.
- HTTP is the familiar connection we all use for the Internet.
- It is the pervasiveness of HTTP connections that will help drive the adoption of Web Services.

WSDL with XML
- WSDL uses XML to define messages.
- XML has a tagged message format.
- Both the service provider and service consumer use these tags.
- In fact, the service provider could send the data in any order.
- The service consumer uses the tags and not the order of the data to get the data values.

Security
- Security and authorization is an important topic with Web Services.
- In fact, security and authorization specifications are currently in flux. This is often the reason cited for not proceeding with any work related to Web Services. Therefore, we need experimentation.
- Much can be done without having the specifications complete. Nearly all organizations should be able to find some areas to experiment with Web Services that have low requirements for security and authorization.

Security
- Security and authorization specifications include:
  - eXtensible Access Control Markup Language (XACML)
  - eXtensible Rights Markup Language (XrML)
  - Security Assertion Markup Language (SAML)
  - Service Protection Markup Language (SPML)
  - Web Services Security (WSS)
  - XML Common Biometric Format (XCBF)
  - XML Key Management Specification (XKMS)

Security
- Firewalls
  - Specialized XML firewalls offer the promise of protecting internal systems when using Web Services.
  - Traditional firewalls offer protection at the packet level and do not examine the contents of messages.
  - XML firewalls, on the other hand, examine the contents of messages. This includes the SOAP headers and the XML content.
  - They are designed to permit authorized content to pass through the firewall.

Security: Examples XACML, SAML, WSS
- XACML (OASIS Spec)
  - eXtensible Access Control Markup Language (XACML) provides fine grained control of authorized activities, the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection.
- SAML (OASIS Spec)
  - It is an XML framework for exchanging authentication and authorization information. It is used with WSS.
- WSS (OASIS Spec)
  - It describes enhancements to SOAP messaging in order to provide quality of protection through message integrity, and single

