Securing Java Web Services

Public Training Price : $2595 per student
Private Training Price : Request a quote
Print this outline
Enroll in this Public Class

 

 

 

Securing Java Web Services Training Class Summary

This advanced course introduces Java developers to key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming, and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertions Markup Language, or SAML. We also look at XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity. These approaches do overlap, and through our primary case studies we present a single, coherent story of assuring confidentiality, integrity and non-repudiation, user authenticity, and proper request authorization with a blend of policy-driven WS-Security, SAML, and even some application-coded digital signature. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity.

Audience: Experienced Java web service developers.

Prerequisites: Java programming experience is required. Experience developing Java web services is required. Familiarity with XML and XML Schema is recommended.

Class Length: 5 days

Securing Java Web Services Training Class Objectives
  • Describe the unique challenges in securing interoperable XML-based services.
  • Apply W3C standards to digitally sign and encrypt XML fragments and documents.
  • Understand the importance of the WS-Security specifications to interoperably secure messaging.
  • Use state-of-the-art tools to configure or implement signature, encryption and various WS-Security header content for Java web services.
  • Drive such WSS implementations from WS-SecurityPolicy documents.
  • "Vouch for" a user across domains to achieve request authorization without sharing credentials.
  • Exchange security information between servers, applications, and components, using SAML assertion and protocol models.
  • Describe the role of XACML in policy management and decision-making.
  • Build web applications that participate in SAML federation and single sign-on.
Securing Java Web Services Training Class Detailed Outline
  1. Securing the Service-Oriented Enterprise
    • Security for Web Services
    • Threats
    • Goals
    • Scenarios and Solutions
    • Solution Levels
    • The World-Wide Web Consortium
    • OASIS
    • The Java Enterprise Platform
    • Scenario: Secure Two-Party Conversation
    • Transport Security
    • Scenario: Secure Multi-Party Conversation
    • Message Security
    • Cryptography
    • XML Cryptography
    • WS-Security
    • WS-Policy and WS-SecurityPolicy
    • Scenario: Sharing Secure Information
    • SAML
    • XACML
    • Scenario: Multiple User Realms
    • Subjects and Confirmation Methods
    • Scenario: Single Sign-On
    • Identity-Management Solutions
    • The WS-Federation Stack
    • The Liberty Alliance Standards
    • Relative Strengths
    • The Emergence of SAML
    • A Common Approach
    • The WS-I Basic Security Profile
  2. Transport Security
    • Use Case: Secure Transport
    • HTTP Authentication Schemes
    • HTTP BASIC
    • HTTP DIGEST
    • HTTP BASIC and DIGEST for Web Services
    • Securing URLs
    • JAX-WS Support
    • Axis Support
    • The SOAPSniffer
    • HTTPS
  3. XML Signature
    • Use Case: Non-Repudiation
    • Private-Key Encryption
    • Public-Key Encryption
    • SSL and Secure Key Exchange
    • Hashing
    • Digital Signatures
    • XML Signature
    • UML Scheme Diagrams
    • XML Signature Model
    • Signature Process
    • Canonical XML
    • Signature Styles
    • <Reference>
    • <SignedInfo>
    • <Signature>
    • The Java Cryptography Architecture
    • Keystores
    • keytool
    • Why Keys Aren’t Enough
    • X.509 Certificates
    • X.500 Distinguished Names
    • Certificate Chains
    • Certificate Authorities
    • Obtaining a Signed Certificate
    • Java XML Digital Signature API
    • Object Model
    • Providers and Factories
    • XML Contexts
    • Steps to Sign and Verify XML Content
    • Working with SOAP Headers
    • Handling SOAP Headers in JAX-WS
    • Handler<T> and Extended Interfaces
    • Configuration
    • Processing Model
    • The SOAPPad
    • The SOAPSneak
  4. XML Encryption
    • Use Case: Confidentiality
    • XML Encryption
    • <EncryptedData> Types
    • The Java Cryptography Extensions
    • The Legion of the Bouncy Castle
    • JSR106
    • Apache XML Security
    • Object Model
    • A Problem for SOAP Messages
    • Key Wrapping
    • Choosing Algorithms
    • Choosing Key Sizes
  5. WS-Security
    • Use Case: Secure Message Exchange
    • Use Case: User Login
    • The WS-Security Specifications
    • Namespaces
    • The <wsse:Security> Header Entry
    • Security Token Types
    • ID References
    • The <wsu:Timestamp>
    • The <wsse:UsernameToken>
    • The <wsse:BinarySecurityToken>
    • The <wsse:SecurityTokenReference>
    • Signature and Encryption
    • SAML
    • Container vs. Component
    • The XML Web Services Security Project
    • The XWSSProcessor Interface
    • Configuration Schema
    • JAAS
    • Interface Model
    • The CallbackHandler Interface
    • XWSS Callback Types
    • Where to Embed XWSS Processing
    • The Healthcare Case Study
    • WSS4J
    • It’s How You Handle It
    • Public Key Infrastructure
    • Robust Authentication Tokens
    • Responsibilities
  6. WS-Security Policy
    • Two Problems
    • Use Case: Sharing Metadata
    • WS-Policy
    • Policy Model
    • Normalized Form
    • Compact Form
    • Policy Attachment
    • Target Points to Policy
    • Policy/Attachment Points to Target
    • Policy Scopes
    • WS-SecurityPolicy
    • Assertion Types
    • Protection Assertions
    • Token Assertions
    • Supporting and Endorsing Tokens
    • <AlgorthmSuite>
    • <Layout>
    • Bindings
    • <SymmetricBinding>
    • <AsymmetricBinding>
    • WSIT and Project Metro
    • Private "Policies"
    • Implementing Security Policies
    • Managing Usernames and Passwords
    • Managing Certificates
    • Integrating Security Frameworks
  7. Introduction to SAML
    • History
    • Specifications
    • Purpose
    • Scope
    • Assertions
    • Protocol
    • Bindings
    • Profiles
    • Java Tools for SAML Messaging
    • Configuring OpenSAML
    • SAML and Web Services
  8. SAML Assertions
    • Use Case: "Vouching for" a User
    • Schema and Namespaces
    • The <Assertion>
    • Extensibility
    • The <Issuer> and the NameIDType
    • <Conditions>
    • The <Subject>
    • The <NameID>
    • The <SubjectConfirmation>
    • Confirmation Methods
    • The <AuthnStatement>
    • The <AuthnContext>
    • Authentication Contexts
    • The <AttributeStatement>
    • Attribute Profiles
    • The <AuthzDecisionStatement>
    • <Action>s and <Evidence>
    • The WS-Security SAML Token Profile
    • Open SAML Assertions Model
    • OpenSAML, XML, and the DOM
    • Creating XML Objects
    • Marshalling and Unmarshalling
  9. SAML Protocol
    • Use Case: Back-Channel Queries
    • The Point of the Protocol
    • Requests, Queries, and Responses
    • Request Model
    • Response Model
    • <Status> and <StatusCode>
    • Standard Status Codes
    • Query Types and Responses
    • The <AuthnQuery>
    • <AttributeQuery>
    • <AuthzDecisionQuery>
    • OpenSAML Protocol Model
    • SAML and XML Signature
    • SAML and XML Encryption
    • SAML as the Substance
    • Other Request and Response Types
  10. XACML
    • Use Case: Back-Channel Authorization
    • Use Case: Sharing Authorization Policies
    • XACML
    • <Target>
    • <PolicySet>
    • <Policy>
    • <Rule>
    • Combining Algorithms
    • Expressing Target Data
    • Functions
    • Policy Context
    • <Request>
    • <Response> and <Result>
    • XACML vs. SAML
    • The SAML Profile of XACML
    • Authorization Decisions via XACML
    • XACML Policies via SAML
  11. Securing Federated Services
    • Federated Services
    • Publish, Find, Bind…Execute!
    • UDDI
    • WS-BPEL
    • The Trust Problem
    • WS-Trust
    • The Security Token Service
    • Use Cases
    • Bindings/Actions
    • Messaging Model
    • Daddy, Where Do Keys Come From?
    • WS-SecureConversation
    • <sp:SecureConversationToken>
    • Secure Conversation Metrics
    • WS-Federation
    • Value-Add
  12. SAML Bindings
    • Use Case: Speaking "Through" the Browser
    • Making SAML Go
    • Bindings
    • The SOAP Binding
    • SAML over HTTP
    • The Browser as a Messenger
    • The HTTP Redirect Binding
    • The HTTP POST Binding
    • The HTTP Artifact Binding
    • The PAOS Binding
    • The SAML URI Binding
  13. Federated Identity
    • Now, Where Were We …?
    • What is a Federation?
    • Problems for Identity Federation
    • The WS-Federation Stack
    • The Liberty Alliance Standards
    • SAML 2.0 Federations
    • Profiles
    • Simple Single Sign-On
    • Accounting Linking and Persistent Pseudonyms
    • Transient Pseudonyms
    • Name ID Mapping
    • Federation Termination
    • OpenSSO
    • Fedlets
    • Configuring Fedlets