advance topics on web services

Upload: raman-pal

Post on 10-Apr-2018


  • 8/8/2019 Advance Topics on Web Services

    1/12

    A Secure web service, where communications are encrypted Page 1

Advance Topics in Web Services: A Secure Web Service, where Communications are Encrypted

    NANDKUMAR KOLLARA: - [email protected] NISHANK GUPTA: - [email protected]

    RAMAN PAL: - [email protected]


1. What is a Web service?

As per the W3C, the definition of a Web service is: a Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.

Business perspective of a Web service: a Web service is a business process, or a step within a business process, that is made available over a network to internal and/or external business partners to achieve a business goal. The key is ease of integration, particularly between organizations, allowing business systems to be built quickly by combining Web services built internally with those of business partners.

Technical perspective of a Web service: a Web service is nothing more than a collection of one or more related operations that are accessible over a network and are described by a service description.

    SERVICE ORIENTED ARCHITECTURE for Web Service

Any SOA contains three roles: a Service Requestor, a Service Provider and a Service Registry.

A Service Provider is responsible for creating a service description, publishing it to one or more service registries, and hosting the Web service that the description refers to.

A Service Requestor is responsible for finding a service description published to one or more service registries and for using service descriptions to bind to or invoke Web services hosted by service providers.

A Service Registry is responsible for advertising Web service descriptions published to it by service providers and for allowing service requestors to search the collection of service descriptions contained within the registry.

SOA and Web Services: related but distinct. The two terms are distinct. SOA is an architectural concept, an approach to building systems that focuses on a loosely coupled set of components that can be dynamically composed. Web services, on the other hand, are one approach to building an SOA: they provide a standard for a particular set of XML-based technologies that can be used to build an SOA.

Figure: the SOA triangle. The Service Provider PUBLISHes its description to the Service Registry, the Service Requester FINDs it in the registry, and the Requester then BINDs to the Provider.


Web Service Description Language (WSDL)

WSDL is used to describe the message syntax associated with the invocation of and response from a Web service. Essentially, a WSDL description describes three fundamental properties of a Web service:

1. What a Web service does: the operations (methods) the service provides, and the data (arguments and returns) needed to invoke them.

2. How a service is accessed: details of the data formats and protocols necessary to access the service's operations.

3. Where a service is located: details of the protocol-specific network address, such as a URL.

2. Why do we need security in Web services?

Security is needed to safeguard a Web service from outsiders (hackers, malicious users, business opponents):

1. They might tamper with the content of a SOAP message or attachment. For example, consider a weather-report Web service hosted by Foreca and a Web service client such as British Airways. The service is handling weather data that is critical to flight operations, and any mistake might lead to a disaster. When messages are of such importance, Web Services Security (here, message integrity) comes into play.

2. A non-authentic or malicious user, or an attacker, might send fake messages. For example, consider a debit-card Web service hosted by Barclays Bank and a Web service client such as Amazon. A hacker could generate fake transactions (purchase details), wrap them in fake SOAP messages and send them to the Barclays Web service to move money from someone's account into his own. Defending against this requires the service to authenticate the sender of each message, not merely to encrypt the exchange, since anyone can encrypt a message to a published public key.

3. Business competitors sometimes opt for negative business strategies and might try to overload the Web service through a denial-of-service (DoS) attack. During the resulting downtime the owner of the service incurs heavy losses; if a banking Web service is brought down, the bank loses money for the whole period of unavailability. Note that message-level security does not address availability: XML Signature and XML Encryption processing is itself CPU-intensive, so rate limiting and resource controls still belong at the transport and infrastructure layers.

In short, we need confidentiality, integrity, authentication, authorization and non-repudiation.

1. Confidentiality guarantees that exchanged information is protected against eavesdroppers.
2. Integrity is the assurance that a message is not modified, accidentally or deliberately, in transit.
3. Authentication guarantees that access to e-business applications and data is restricted to those who can provide appropriate proof of identity.
4. Authorization is the process that decides whether an entity with a given identity can access a particular resource.
5. Non-repudiation guarantees that the sender of a message cannot deny having sent it.


WS-SECURITY SPECIFICATIONS

1. WS-Security defines how to include security tokens in SOAP messages and how to protect messages with digital signatures and encryption.
2. WS-Policy provides a framework for describing Web services meta-information. Based on the framework, domain-specific languages can be defined, such as WS-SecurityPolicy.
3. WS-Trust prescribes an interaction protocol for accessing Security Token Services.
4. WS-SecureConversation defines a security context with which parties can share a secret key to sign and encrypt parts of messages efficiently.
5. WS-Federation provides a framework for federating multiple security domains.
6. WS-Privacy provides a framework for describing the privacy policy of Web services.
7. WS-Authorization defines how to exchange authorization information among parties. The authorization is defined as a security token.

WS-Security IN SOAP

Figure: WS-Security in SOAP. The SOAP header carries a wsse:Security block that contains a security token, key info and an XML Signature.


1. WSS information is stored in the SOAP Security header.
2. One or more security tokens are carried in the header to identify the transaction.
3. XML Signature blocks provide integrity and link the identity to the transaction.
4. Key information within the security token may be used.
5. Privacy is provided using XML Encryption.

Why WS-SECURITY OVER SSL/TLS (HTTPS)?

1. End-to-end security. TLS protects a single hop: it ends at the HTTP endpoint (a reverse proxy, load balancer or intermediary SOAP node), where the message is in the clear again. WS-Security signs and encrypts the message itself, so the protection survives intermediaries and persists once the message is logged, queued or forwarded.

2. Exchanging security information from one domain to another. Security tokens, and the signatures that bind them to the message, travel in the SOAP header and can be evaluated by a party that never terminated the TLS connection.

Web Services Security is not meant to replace any existing protocol; instead it provides a unified model. In practice it is layered on top of TLS, which still protects the HTTP layer and the parts of the envelope that are not encrypted.

3. Toolkit

The tools used are as follows:

1. Eclipse Galileo IDE
2. Apache Tomcat Server version 6.0.x
3. Apache Axis2 version 1.3
4. Apache Rampart version 1.3
5. Java keytool
6. TCPMon

Eclipse Galileo IDE

Eclipse is a universal tool platform: an open, extensible IDE for anything, but nothing in particular. The real value comes from tool plug-ins that "teach" Eclipse how to work with things (Java files, Web content, graphics, video, almost anything you can imagine). Eclipse allows you to independently develop tools that integrate with other people's tools so seamlessly that you won't know where one tool ends and another starts.

APACHE TOMCAT SERVER 6.0.x

Apache Tomcat is a servlet container developed by the Apache Software Foundation (ASF). Tomcat implements the Java Servlet and JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run in. Tomcat 6.0:

- implements the Servlet 2.5 and JSP 2.1 specifications;
- supports Unified Expression Language 2.1;
- is designed to run on Java SE 5.0 and later;
- has reduced garbage collection and improved performance and scalability;
- provides native Windows and Unix wrappers for platform integration;
- has faster JSP parsing.

APACHE AXIS2 1.3

Apache Axis2 is a core engine for Web services. It is a complete redesign and rewrite of the widely used Apache Axis SOAP stack. Implementations of Axis2 are available in Java and C. Axis2 not only provides the capability to add Web service interfaces to Web applications, but can also function as a standalone server application. Axis2 supports REST-style invocation, omitting the SOAP envelope on both the client and the server, and has support for the Spring Framework.

APACHE RAMPART 1.3

Apache Rampart is an implementation of the WS-Security standard for the Axis2 Web services engine by the Apache Software Foundation. It supplies security features to Web services by implementing the following specifications: WS-Security, WS-SecurityPolicy, WS-Trust and WS-SecureConversation.

JAVA KEYTOOL

The JDK has a key and certificate management utility called keytool. It manages a keystore (database) of cryptographic keys, X.509 certificate chains and trusted certificates. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users or services) or for data integrity and authentication services using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. Keytool also lets users administer secret keys used in symmetric encryption and decryption (e.g. DES, now obsolete). Keytool stores the keys and certificates in a keystore.

4. Implementation

Creation of the Web service

Java SE Development Kit (JDK) 6 Update 17 is used for Java development, and Eclipse Galileo is used as the IDE. If not already installed, download the Web Tools Platform (WTP) project files; WTP extends Eclipse for developing Web and Java EE applications. The Apache Tomcat 6 base distribution is downloaded and, under the Eclipse preferences, the server path is configured to point at the Tomcat directory. The preferences window then offers a Web Services option for configuring Axis2. The Axis2 Standard Binary Distribution 1.3 is downloaded and extracted to a directory, and the Axis2 preferences in Eclipse are pointed at this directory. Everything else is left at its default.

1. Create a new dynamic web project under Eclipse.
2. Under the configuration, select Axis2 Web Service. Now click Finish.


This creates the dynamic web project. The business logic used is Converter.java, which converts temperature from Celsius to Fahrenheit and vice versa.

3. Add Converter.java to the project, preserving its package, and build the project. Right-click Converter.java and select the Web Service option to create the Web service. The Web service client can be created at the same time or later.

4. Configure the options as shown. Click Next. Select "Generate a default services.xml file" and click Next. On the next page, select Start server; the Web service is now running. Click Next. The client side is now configured: the port name is selected as the SOAP 1.2 version and everything else is left at its default. Click Finish.

5. The code for testing the service, ConverterClient.java, is added to the Web Service Client project.


The two lines of code starting with System set system properties that point the client at its axis2.xml and at the module repository it needs in order to encrypt the SOAP message.

6. To invoke the service, ConverterStub.java is generated. To monitor the SOAP messages sent to and from the Web service, the port used for invocation is changed from 8080 to 8888, so that TCPMon (listening on 8888 and forwarding to Tomcat on 8080) can intercept each message before passing it on to the service.

    Request:

    Response:

    Adding the Encryption files

1.1.1 Setting up the environment

The Rampart 1.3 binary distribution is added to [AXIS2_HOME]\repository\modules and its library files are added to [AXIS2_HOME]\lib. For encryption, the latest Bouncy Castle jar is downloaded and added to [AXIS2_HOME]\lib; the Xalan and Jaxen jars are added to the library folder as well. If the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are not present, download them and copy local_policy.jar and US_export_policy.jar into %JAVA_HOME%\jre\lib\security (they replace the default export-restricted policy, which caps symmetric key sizes at 128 bits). The java.security file in %JAVA_HOME%\jre\lib\security is modified to register Bouncy Castle as a provider by adding a line of the form security.provider.N+1=org.bouncycastle.jce.provider.BouncyCastleProvider, where N is the number of the last provider already listed in that file.

1.1.2 Create keystores for the service and client

Each side needs its own private key (to decrypt messages sent to it) and the other side's public key (to encrypt messages for it). Java's key and certificate management tool, keytool, is used. The commands for creating the keystores for the service and the client are:

\> keytool -genkey -alias service -keyalg RSA -keysize 1024 -keypass servicekey -keystore service.jks -storepass servicestorekey
\> keytool -genkey -alias client -keyalg RSA -keysize 1024 -keypass clientkey -keystore client.jks -storepass clientstorekey

Thus the password for the service private key is servicekey and the password for the service keystore is servicestorekey; the client's private key password is clientkey and the client keystore password is clientstorekey. Two caveats: a 1024-bit RSA key is below the 2048-bit minimum expected today (and -genkey is now an alias for -genkeypair), and passwords given on the command line end up in the shell history, whereas keytool prompts for them when the -keypass and -storepass options are omitted.

To export the public-key certificate from the service keystore and import it into the client keystore, and vice versa, the commands are:

\> keytool -alias service -export -keystore service.jks -storepass servicestorekey -file servicepublickey.cer
\> keytool -import -alias service -file ../service/servicepublickey.cer -keystore client.jks -storepass clientstorekey
\> keytool -alias client -export -keystore client.jks -storepass clientstorekey -file clientpublickey.cer
\> keytool -import -alias client -file ../client/clientpublickey.cer -keystore service.jks -storepass servicestorekey

Each import asks whether to trust the certificate. Since the certificates are self-signed, answering yes is the trust decision itself, so compare the fingerprint keytool prints against the one shown by keytool -list on the exporting side before accepting; a certificate imported from the wrong or a stale .cer file silently breaks decryption later.
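The environment and keystore steps above fail in quiet ways: the policy jars are copied into the wrong JRE, the security.provider.N line is miscounted, or a certificate is imported under the right alias from the wrong file. The following preflight program is an added example, not code from the report; it checks the JCE policy, the Bouncy Castle registration, and that each keystore holds its own private key plus a trusted certificate identical to the one the peer keystore holds for itself. The directory layout (service/ and client/), the 2048-bit minimum and the runtime provider fallback are assumptions of the example; the aliases, file names and passwords are the ones used in the keytool commands above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example (not from the report): preflight checks for the JCE policy, the Bouncy Castle
// provider and the two cross-trusted keystores created with keytool above.
public class KeystorePreflight {

    // True when the unlimited-strength policy files are installed: AES-256 is then permitted.
    static boolean unlimitedStrength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // True when Bouncy Castle is registered, either through the security.provider.N line in
    // java.security or, failing that, at runtime if bcprov is on the classpath. The class is
    // loaded reflectively so this file compiles without the jar.
    static boolean bouncyCastleRegistered() {
        if (Security.getProvider("BC") != null) {
            return true;
        }
        try {
            Class<?> bc = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) bc.newInstance());
            return Security.getProvider("BC") != null;
        } catch (Exception e) {
            return false;
        }
    }

    static KeyStore load(String file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        return ks;
    }

    static String sha256Fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Checks one side: ownAlias must be a private-key entry (opened with keyPass) holding an RSA key
    // of at least minBits, and peerAlias must be a trusted-certificate entry that is byte-for-byte
    // the certificate the peer keystore holds for itself, i.e. export/import used the right file.
    static void check(KeyStore own, char[] keyPass, String ownAlias,
                      String peerAlias, KeyStore peer, int minBits) throws Exception {
        if (!own.isKeyEntry(ownAlias)) {
            throw new IllegalStateException(ownAlias + ": no private-key entry");
        }
        try {
            own.getKey(ownAlias, keyPass);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException(ownAlias + ": wrong key password", e);
        }
        X509Certificate ownCert = (X509Certificate) own.getCertificate(ownAlias);
        ownCert.checkValidity(); // throws if the self-signed certificate is expired or not yet valid
        int bits = ((RSAPublicKey) ownCert.getPublicKey()).getModulus().bitLength();
        if (bits < minBits) {
            throw new IllegalStateException(ownAlias + ": RSA key is only " + bits + " bits");
        }
        if (!own.isCertificateEntry(peerAlias)) {
            throw new IllegalStateException(peerAlias + ": not a trusted-certificate entry");
        }
        Certificate imported = own.getCertificate(peerAlias);
        Certificate original = peer.getCertificate(peerAlias);
        if (original == null || !Arrays.equals(imported.getEncoded(), original.getEncoded())) {
            throw new IllegalStateException(peerAlias + ": imported certificate "
                    + sha256Fingerprint(imported) + " does not match the peer's own certificate");
        }
    }

    public static void main(String[] args) throws Exception {
        if (!unlimitedStrength()) {
            System.err.println("WARN: JCE unlimited-strength policy files are not installed");
        }
        if (!bouncyCastleRegistered()) {
            System.err.println("WARN: Bouncy Castle provider is not registered");
        }
        // service/ and client/ directories are assumed; aliases and passwords are those used above.
        KeyStore service = load("service/service.jks", "servicestorekey".toCharArray());
        KeyStore client = load("client/client.jks", "clientstorekey".toCharArray());
        check(service, "servicekey".toCharArray(), "service", "client", client, 2048);
        check(client, "clientkey".toCharArray(), "client", "service", service, 2048);
        System.out.println("keystores OK: each side holds its own key and the other's certificate");
    }
}
```

Run it after the keytool steps, with bcprov on the classpath if the java.security edit is to be bypassed. With the report's 1024-bit keys the key-size check fails by design; pass 1024 as minBits to accept them for a lab setup.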

1.1.3 Configuring the client and service

The keys needed for encryption are now ready to be used. The name of the keystore and its password are stored in service.properties for the service and in client.properties for the client; each side's properties file names only its own keystore.

A callback mechanism has to be implemented by the service and the client to retrieve the password for the respective private keys: Rampart hands the key alias to a callback handler and expects the handler to supply the matching password. For simplicity, one class is used to retrieve both the client and the service password. Outside a test setup that is an unnecessary exposure, since the client deployment then carries the service's private-key password as well.
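One way to write the callback handler described above, as an added example rather than the report's own class. It targets the WSS4J 1.5 API bundled with Rampart 1.3. Instead of hard-coding both passwords, each alias maps to an environment variable, so the client deployment only needs CLIENT_KEY_PASSWORD set and the service deployment only SERVICE_KEY_PASSWORD; the variable names and the decision to refuse anything other than decryption and signing requests are the example's own.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example (not the report's class): password callback for Rampart 1.3 / WSS4J 1.5.
// Rampart calls handle() with the alias of the private key it needs and expects the password back.
public class PWCBHandler implements CallbackHandler {

    // Keystore alias -> environment variable holding that key's password. Only the variable for
    // the side being deployed has to be set, so neither side ships the other's secret.
    private static final Map<String, String> ALIAS_TO_ENV = new HashMap<String, String>();
    static {
        ALIAS_TO_ENV.put("client", "CLIENT_KEY_PASSWORD");   // "clientkey" in the keytool step above
        ALIAS_TO_ENV.put("service", "SERVICE_KEY_PASSWORD"); // "servicekey" in the keytool step above
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;

            // Rampart asks for a private-key password when it decrypts (DECRYPT) or signs (SIGNATURE).
            // Any other usage (e.g. a UsernameToken lookup) is outside this configuration and refused,
            // so a misconfigured inflow cannot turn this handler into a password oracle.
            int usage = pwcb.getUsage();
            if (usage != WSPasswordCallback.DECRYPT && usage != WSPasswordCallback.SIGNATURE) {
                throw new UnsupportedCallbackException(cb, "unexpected password usage " + usage);
            }

            // WSS4J 1.5.x, which Rampart 1.3 uses, spells this accessor getIdentifer().
            String alias = pwcb.getIdentifer();
            String env = ALIAS_TO_ENV.get(alias);
            String password = (env == null) ? null : System.getenv(env);
            if (password == null) {
                // Unknown alias or unset variable: fail loudly instead of letting Rampart proceed
                // without a password and produce a confusing keystore error later.
                throw new UnsupportedCallbackException(cb, "no password configured for alias '" + alias + "'");
            }
            pwcb.setPassword(password);
        }
    }
}
```

The fully qualified class name (here simply PWCBHandler, in whatever package it is placed) is what the client's axis2.xml and the service's services.xml refer to as the password callback class.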


For the client side, a few lines of configuration are added to the axis2.xml file to use encryption. They engage the rampart module for encryption and give the class name of the password callback handler and the location of the properties file. For the service side the configuration is the same, but it is added to the service's services.xml file instead.


Care must now be taken that the classpath for Java and Axis2 is correct and that all the library files needed for the project are present in their respective directories.

1.1.4 The test

The client is now run and the message is sent encrypted. With TCPMon still listening on port 8888, the intercepted request and response no longer show the temperature values in the SOAP body; only base64 ciphertext (the content of the xenc:CipherValue element) is visible, as in the snippets below. Seeing the plaintext operation parameters in TCPMon at this point means the rampart module was not engaged on that side.

    Request with Encryption Snippet

    9HS6Tf78KX6iqdLL4mv95SY7+XrM2gFCJ6jIHLmQVLeIk+dXFz99LQMuUfK2mzyGN59VQMjRdWTLgWqFZN+Bx+9mD1kP1dOkbzPKWI9ixBVhA0mw7jDBFSoGGdWflo5oqQX7jcC6gSnWpAQBry8

    /4DRxBUXeMKEOiM2fg+Hu8/esf5YxbE/GXsGWm4N4QysQJEhJlH3QVMkSx5/gFwKxY41s2xfFqBFr3hfDTugbz1c5IbQ5jzWAQyAnJNvzlZObGIoDJoVwzNN9QMXATGablZvsXYCXvPrYfus667q725a04tQXeiO6dQGzPxhN atR8iN7qCptq+rhrMdwARe7sNacbRRIIhjqdb68RyX+VwzCqsnqRZ3QdFPwdWuCKaGzx

    Response with Encryption Snippet

    Qsa6W8q+472xikZZC9JwHfTcK44tWNFFwhX1GUi2pXL8BB9gbxj3ARN9arzm3fS/hPmWkjg6KsHsCiK5mrCQPRjh/tFlqAnEHnvsbpez2j7n5gitFzj1DBowJr3uX2FBe7MW84zv07rtcdgHMzu0k3JVu9xV9PNAHzAYCifEzvFm0kkKogHCb8L0zdBCBGw18CzCQL4JCwlgPqZvUXhL0GHAOlHq/SLldlj/p+tys1el/E6f+ode2svPJFU16DYw4KbPqiAJhXUAMdZa9AaZJ27q6UfSyHEagDhmcWXEASglSR29d+vr4385TureCH2wUX/xrR5ohNGJDEw+Vg31JQd/yYHCvSkJz0y4asZuZMUTuF7AnPn4YPEj1hZeVaJy

    1.1.5 The Output


5. Conclusion

The project of creating a secure Web service where communications are encrypted has been implemented. Eclipse provided a convenient IDE for creating the Web service, with built-in support for Axis2 and Tomcat. Since the project required a standalone Web service and had no need for the Spring framework, Axis2 was preferred over CXF. No security policies had to be written to enable encryption in the Web service configuration; the parameter-based Rampart configuration was sufficient (later Rampart releases deprecate it in favour of WS-SecurityPolicy assertions). For error-free running of Axis2 1.3, the required modules and library files must be present in their respective directories. At first Axis2 failed with nothing more than a NoClassDefFoundError; it was later realised that the missing files were Xalan (the XSLT processor) and Jaxen (the XPath engine). Thus, by adding a few lines of configuration for the service and the client and by providing the required library files, it was easy to implement a Web service whose communications are encrypted.

Two caveats follow from the requirements in section 2. Encrypting the body provides confidentiality only: the service's certificate is public, so anyone can encrypt a fake message to it, and without message signing the service cannot tell who sent a message. Integrity, authentication and non-repudiation are therefore not provided until signing is configured in addition to encryption. And the exchange here still runs over plain HTTP, so the SOAP headers and the HTTP layer remain visible on the wire; TLS should be kept as the transport underneath the message-level protection.

6. References

[1] Doug Davis, Simeon Simeonov, Glen Daniels, Peter Brittenham, Yuichi Nakamura, Paul Fremantle, Dieter Konig, Claudia Zentner and Steve Graham, 2004, p. 816.

[2] Prabath Siriwardena, "Web Services Security: Encryption with Rampart", July 2008. [Online]. http://blog.facilelogin.com/2008/07/web-services-security-encryption-with.html (accessed Nov. 2009).

[3] Apache Axis2 homepage. [Online]. http://ws.apache.org/axis2/ (accessed Nov. 2009).

[4] Nandana Mihindukulasooriya, "Web Services Security with Apache Rampart, Part 2 (Message-Level Security)". [Online]. http://wso2.org/library/3415 (accessed Nov. 2009).

[5] "Apache Axis2", Wikipedia. [Online]. http://en.wikipedia.org/wiki/Apache_Axis2 (accessed Nov. 2009).

[6] "Eclipse (software)", Wikipedia. [Online]. http://en.wikipedia.org/wiki/Eclipse_(software) (accessed Nov. 2009).

[7] "Apache Rampart module", Wikipedia. [Online]. http://en.wikipedia.org/wiki/Apache_Rampart_module (accessed Nov. 2009).

[8] "keytool - Key and Certificate Management Tool", Java SE 6 documentation. [Online]. http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html (accessed Nov. 2009).
