Trustworthy Semantic Webs
Lecture 16: Web Services and Security
Dr Bhavani Thuraisingham
October 2006
01 14 19 08 04 16

Slide 2: Outline
- Web Services
- Service Oriented Architectures
- Web Services Description Language
- UDDI
- SOAP
- WSDL with XML
- Security
- OASIS
- Federated identity
- Directions
- http://www.service-architecture.com/articles/index.html

Slide 3: Web Services Definition
- Web Services refers to the technologies that allow for making connections.
- Services are what you connect together using Web Services.
- A service is the endpoint of a connection.
- A service also has some type of underlying computer system that supports the connection offered.
- The combination of services, internal and external to an organization, makes up a service oriented architecture.

Slide 4: Service Oriented Architectures (SOA)
- A service oriented architecture is essentially a collection of services.
- These services communicate with each other.
- The communication can involve either simple data passing or two or more services coordinating some activity. Some means of connecting services to each other is needed.
- Service oriented architectures are not a new thing. For many people, the first service oriented architecture was the use of DCOM or Object Request Brokers (ORBs) based on the CORBA specification.
- If a service oriented architecture is to be effective, we need a clear understanding of the term "service".
- A service is a function that is well defined, self contained, and does not depend on the context or state of other services.

Slide 5: Service Oriented Architectures
- The technology of Web Services is the most likely connection technology of service oriented architectures.
- Web Services essentially use XML technology to create a robust connection.
- A service consumer sends a service request message to a service provider.
- The service provider returns a response message to the service consumer.
- The request and subsequent response connections are defined in some way that is understandable to both the service consumer and the service provider.
- A service provider can also be a service consumer.

Slide 6: Web Services Description Language
- The Web Services Description Language (WSDL) forms the basis for Web Services. The steps involved in providing and consuming a service are:
  1. A service provider describes its service using WSDL. This definition is published to a directory of services. The directory could use Universal Description, Discovery and Integration (UDDI); other forms of directories can also be used.
  2. A service consumer issues one or more queries to the directory to locate a service and determine how to communicate with that service.
  3. Part of the WSDL provided by the service provider is passed to the service consumer. This tells the service consumer what the requests and responses are for the service provider.
  4. The service consumer uses the WSDL to send a request to the service provider.
  5. The service provider provides the expected response to the service consumer.

Slide 7: UDDI
- The UDDI registry is intended to eventually serve as a means of discovering Web Services described using WSDL.
- The idea is that the UDDI registry can be searched in various ways to obtain contact information and the Web Services available for various organizations.
- A UDDI registry is also a way to keep up to date on the Web Services your organization currently uses.
- An alternative to UDDI is the ebXML Registry.

Slide 8: SOAP
- All the messages are sent using SOAP. SOAP at one time stood for Simple Object Access Protocol; now the letters in the acronym have no particular meaning.
- SOAP essentially provides the envelope for sending Web Services messages.
- SOAP generally uses HTTP, but other means of connection may be used. HTTP is the familiar connection we all use for the Internet.
- It is the pervasiveness of HTTP connections that will help drive the adoption of Web Services.

Slide 9: WSDL with XML
- WSDL uses XML to define messages.
- XML has a tagged message format.
- Both the service provider and the service consumer use these tags.
- In fact, the service provider could send the data in any order.
- The service consumer uses the tags, and not the order of the data, to get the data values.

Slide 10: Security
- Security and authorization is an important topic with Web Services.
- In fact, security and authorization specifications are currently in flux. This is often the reason cited for not proceeding with any work related to Web Services. Therefore we need experimentation.
- Much can be done without having the specifications complete. Nearly all organizations should be able to find some areas to experiment with Web Services that have low requirements for security and authorization.

Slide 11: Security
- Security and authorization specifications include:
  - eXtensible Access Control Markup Language (XACML)
  - eXtensible Rights Markup Language (XrML)
  - Security Assertion Markup Language (SAML)
  - Service Provisioning Markup Language (SPML)
  - Web Services Security (WSS)
  - XML Common Biometric Format (XCBF)
  - XML Key Management Specification (XKMS)

Slide 12: Security
- Firewalls: specialized XML firewalls offer the promise of protecting internal systems when using Web Services.
- Traditional firewalls offer protection at the packet level (addresses, ports, protocol) and do not examine the contents of messages. A SOAP request is just another HTTP POST to port 80 or 443, so a packet filter that admits web traffic admits every Web Services call along with it.
- XML firewalls, on the other hand, examine the contents of messages. This includes the SOAP headers and the XML content. They are designed to permit authorized content to pass through the firewall.
- Caveat: to inspect a message, the XML firewall must itself parse untrusted XML, so message size limits and a policy on DOCTYPE and entity declarations come before any decision about the SOAP content.

Slide 13: Security Examples: XACML, SAML, WSS
- XACML (OASIS spec): eXtensible Access Control Markup Language. XACML provides fine grained control of authorized activities: the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection.
- SAML (OASIS spec): an XML framework for exchanging authentication and authorization information. It is used with WSS (the WS-Security SAML Token Profile carries SAML assertions in the SOAP Security header).
- WSS (OASIS spec): describes enhancements to SOAP messaging in order to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

Slide 14: OASIS
- Organization for the Advancement of Structured Information Standards (OASIS)
- OASIS is a not for profit global consortium that drives the development, convergence and
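The request/response exchange of slides 5 and 6 and the tag-based reading of slide 9, as an added worked example that is not part of the lecture: a consumer builds a SOAP 1.2 request, a provider answers it (or returns a SOAP Fault), and the consumer reads the answer by element tag rather than by position, so a provider that emits the parts in a different order still produces the same result. The SOAP 1.2 envelope namespace is the real one; the `urn:example:bank` namespace, the `GetBalance` operation and the account table are hypothetical stand-ins for what a WSDL would define.

```python
import xml.etree.ElementTree as ET

# The SOAP 1.2 envelope namespace is real. The service namespace and the
# GetBalance operation are hypothetical, standing in for a WSDL definition.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
SVC_NS = "urn:example:bank"
NS = {"soap": SOAP_NS, "svc": SVC_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)


def _tag(ns, local):
    return f"{{{ns}}}{local}"


def _envelope():
    env = ET.Element(_tag(SOAP_NS, "Envelope"))
    return env, ET.SubElement(env, _tag(SOAP_NS, "Body"))


def build_request(account_id):
    """Consumer side: wrap a GetBalance request in a SOAP envelope."""
    env, body = _envelope()
    op = ET.SubElement(body, _tag(SVC_NS, "GetBalance"))
    ET.SubElement(op, _tag(SVC_NS, "accountId")).text = account_id
    return ET.tostring(env, encoding="unicode")


def soap_fault(code, reason):
    """SOAP 1.2 Fault: Code/Value names the party at fault, Reason/Text explains."""
    env, body = _envelope()
    fault = ET.SubElement(body, _tag(SOAP_NS, "Fault"))
    ET.SubElement(ET.SubElement(fault, _tag(SOAP_NS, "Code")), _tag(SOAP_NS, "Value")).text = "soap:" + code
    ET.SubElement(ET.SubElement(fault, _tag(SOAP_NS, "Reason")), _tag(SOAP_NS, "Text")).text = reason
    return ET.tostring(env, encoding="unicode")


# Constructed sample data standing in for the provider's backing system.
BALANCES = {"ACC-1001": ("1250.75", "USD"), "ACC-2002": ("88.10", "EUR")}


def provider_handle(request_xml, reverse_order=False):
    """Provider side: locate the operation and its parts by tag and answer with a
    GetBalanceResponse. reverse_order emits the response parts in the opposite
    order, which a tag-driven consumer must not notice."""
    op = ET.fromstring(request_xml).find("soap:Body/svc:GetBalance", NS)
    if op is None:
        return soap_fault("Sender", "unknown operation")
    account_id = op.findtext("svc:accountId", default="", namespaces=NS)
    if account_id not in BALANCES:
        return soap_fault("Sender", "unknown account")
    balance, currency = BALANCES[account_id]
    env, body = _envelope()
    resp = ET.SubElement(body, _tag(SVC_NS, "GetBalanceResponse"))
    parts = [("balance", balance), ("currency", currency)]
    for name, value in (reversed(parts) if reverse_order else parts):
        ET.SubElement(resp, _tag(SVC_NS, name)).text = value
    return ET.tostring(env, encoding="unicode")


def consume_response(response_xml):
    """Consumer side: read the parts by tag name, never by position."""
    body = ET.fromstring(response_xml).find("soap:Body", NS)
    fault = body.find("soap:Fault", NS)
    if fault is not None:
        return {"fault": fault.findtext("soap:Reason/soap:Text", default="", namespaces=NS)}
    resp = body.find("svc:GetBalanceResponse", NS)
    return {
        "balance": resp.findtext("svc:balance", namespaces=NS),
        "currency": resp.findtext("svc:currency", namespaces=NS),
    }


if __name__ == "__main__":
    req = build_request("ACC-1001")
    print(consume_response(provider_handle(req)))
    print(consume_response(provider_handle(req, reverse_order=True)))   # same dict, different wire order
    print(consume_response(provider_handle(build_request("ACC-9999"))))  # SOAP Fault
```

Both parties agree only on the tags (what the WSDL would fix); the consumer never indexes children by position, which is why the reordered response is indistinguishable to it.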
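The XML firewall of slide 12, as an added example that is not from the lecture or any product: a content-inspection function applied to SOAP messages that all look identical to a packet filter (an HTTP POST to the web port). It enforces the checks the slide lists, SOAP headers (a WS-Security token must be present) and XML content (only permitted operations), and the parser-protection checks a device in that position needs first. The SOAP 1.2 and WS-Security 1.0 namespaces are real; the endpoint policy (size limit, permitted operations) and every sample message are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")   # WS-Security 1.0 secext namespace
SVC_NS = "urn:example:bank"                                # hypothetical service namespace
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "svc": SVC_NS}

# Hypothetical policy for one endpoint, the kind of thing an XML firewall is configured with.
MAX_BYTES = 64 * 1024
ALLOWED_OPS = {"GetBalance", "ListTransactions"}


def inspect_message(raw: bytes):
    """Return (allowed, reason). Every check looks inside the message, which is
    exactly what a packet-level firewall cannot do for an HTTP POST on port 443."""
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    # A DOCTYPE lets the sender define entities; expanding them or resolving
    # external ones is an attack on the parser, so refuse before parsing at all.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DOCTYPE/ENTITY declarations not permitted"
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as e:
        return False, f"malformed XML: {e}"
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.2 envelope"
    body = env.find("soap:Body", NS)
    if body is None or len(body) != 1:
        return False, "Body must carry exactly one operation"
    op = body[0]
    if not op.tag.startswith("{" + SVC_NS + "}") or op.tag.split("}")[1] not in ALLOWED_OPS:
        return False, f"operation not permitted: {op.tag}"
    sec = env.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return False, "missing wsse:Security header"
    if sec.find("wsse:UsernameToken", NS) is None and sec.find("wsse:BinarySecurityToken", NS) is None:
        return False, "no security token to authenticate the sender"
    return True, "ok"


def _msg(header, op):
    """Build a constructed SOAP 1.2 message with the given Header and Body content."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:svc="{SVC_NS}">'
            f'<soap:Header>{header}</soap:Header><soap:Body>{op}</soap:Body></soap:Envelope>').encode()


TOKEN = ('<wsse:Security soap:mustUnderstand="true"><wsse:UsernameToken>'
         '<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>')

# Constructed sample traffic: all of it is the same HTTP POST to a packet filter.
SAMPLES = {
    "good": _msg(TOKEN, "<svc:GetBalance><svc:accountId>ACC-1001</svc:accountId></svc:GetBalance>"),
    "no_token": _msg("", "<svc:GetBalance/>"),
    "bad_op": _msg(TOKEN, "<svc:TransferFunds/>"),
    "entity": b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>'
              + _msg(TOKEN, "<svc:GetBalance>&a;</svc:GetBalance>"),
    "oversize": _msg(TOKEN, "<svc:GetBalance>" + "A" * MAX_BYTES + "</svc:GetBalance>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {inspect_message(raw)}")
```

The checks run cheapest-first: size and DOCTYPE are decided on the raw bytes before the parser ever sees the message, and only a message that survives parsing has its operation and Security header examined. Token presence is all this function verifies; validating the token (password digest, signature, SAML assertion) is the WSS step that follows.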