Alignment with emerging Web Service Standards

Web Service Standards Stack (bottom to top)
– Network (TCP/IP)
– Transport (HTTP, HTTPR, SMTP)
– Messaging (SOAP, XMLP)
– Description (WSDL)
– Various specs above the description layer: Presentation (WSRP), Discovery (UDDI, ebXML), Security (WS-Security, SSL, SAML, …), QoS (WS-Policy, …), Transactions (WS-Transaction), Process Flow (BPEL, WS-Coordination), Grid (OGSI), Industry-specific, …
Stateful Web Services
• Port References (comments in WS-Coordination) – ability to dynamically refer to ports for targeted invocations
• Context (comments in WS-Coordination) – ability to supply stateful information that is returned with later invocations
• Service Instances (examples include Borland at http://www.systinet.com/doc/wasp_developer_jb/advanced/statefulWebServices.html#advancedTopics.statefulWebServices.mechanism, and the BPEL and OGSI efforts) – ability to return a reference to a new instance which can be resupplied on later invocations
=> Mechanisms for Producers exposing portlet instances at runtime should align with these.
Web Service Security
• Broad set of specifications that cover
– Authentication
– Authorization
– Privacy
– Trust
– Integrity
– Confidentiality
– Secure communication channels
– Federation
– Delegation
– Auditing
• Framework builds upon
– SOAP
– WSDL
– XML Digital Signatures
– XML Encryption
– SSL/TLS
– …
Web Service Security Layers (bottom to top)
– SOAP/XML Foundation (SSL, digital signatures, encryption, …)
– WS-Security (Framework), with the WS-Security Profile for XML-based Tokens
– WS-Policy, with WS-SecurityPolicy, WS-PolicyAssertions and WS-PolicyAttachments
– WS-Trust, WS-Privacy
– WS-SecureConversation, WS-Federation, WS-Authorization
SOAP/XML Foundations
• SSL/TLS – current means to exchange messages at various levels of security (transport-level, protecting a single hop)
• XML Digital Signatures – sign portions of a document, for authentication, integrity and non-repudiation
• XML Encryption – use ciphers to make portions of a document unavailable to third parties
SOAP/XML Foundations (continued)
• SAML – markup language for exchanging security-related assertions about a document, its source and its recipients
• XACML – XML language for expressing access control policies; access control information can be exchanged using SAML
• XCBF – secure XML encodings for the Common Biometric Exchange File Formats (NISTIR 6529)
• XrML – rights markup language
• … (see http://www.oasis-open.org/committees/security-jc/)
WS Security Model Terminology
• Web Service – application components whose functionality and interfaces are exposed through XML, SOAP and WSDL
• (Signed) Security Token – a security token that is asserted (and cryptographically endorsed) by a specific authority
• Claim – a statement a client makes (e.g. name, identity, key, group, privilege, capability, etc.)
• Claim Requirements – requirements for the claims a client makes with an invocation to the Web Service
• Subject – a principal (e.g. a person) about which the claims expressed in the security token apply
• Proof-of-Possession – used to demonstrate the sender's knowledge of information that SHOULD only be known to the sender of a security token
• Intermediaries – parties that perform actions such as routing a SOAP message or even modifying the message. For example, an intermediary may add headers, encrypt or decrypt pieces of the message, or add additional security tokens.
• Actor – an intermediary or SOAP endpoint which is identified by a URI and which processes a SOAP message
WS Security Model
• Today's technologies offer network and transport layer security
– IPsec, SSL, TLS
• The SOAP message model operates on logical endpoints, often via multi-hop paths with intermediaries; transport security protects only a single hop, so each intermediary sees and can alter the message
• Hence the need for SOAP message-level end-to-end security
[Diagram: Requestor – Intermediary – Web Service, with one Security Context spanning requestor and Web Service across the intermediary]
WS Security Token Service Model
• The Web Service requires a set of claims
– if a message arrives without the needed claims -> reject or ignore the message
• The requestor sends proof of claims by associating security tokens with the message
• Security tokens may be obtained from security token services (themselves Web Services)
[Diagram: Requestor, Security Token Service and Web Service each publish a Policy; the requestor obtains a Security Token carrying Claims from the Security Token Service and attaches it, with its own Claims, to the message sent to the Web Service]
WS-Security
• Describes SOAP header enhancements to provide message integrity and confidentiality
– by leveraging XML Signature and XML Encryption
• Provides a general purpose mechanism to attach security tokens to messages
– no specific type of security token mandated
– support for multiple security token formats
– specifies an encoding for binary security tokens, especially X.509 certificates and Kerberos tickets
• Working Draft 8 – 12/12/2002
• See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
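The model of the preceding three slides, as an added Python example that is not code from the slides or from any WS-Security toolkit: the requestor attaches its claims to the message as security tokens in a wsse:Security header, an intermediary adds a header of its own in transit, and the Web Service accepts or rejects the message on the claims alone. Assumptions: the namespace URIs are those of the December 2002 drafts and must be checked against the version in use; the certificate bytes and the shared key are constructed test data; and the integrity value (an HMAC-SHA256 over the canonical form of Body and Timestamp) is a simplified stand-in for the ds:Signature that XML Signature would produce, without the ds:SignedInfo/ds:Reference structure.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs as used by the December 2002 drafts (assumption: check them
# against the draft or standard your toolkit implements).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed test data: a stand-in for DER certificate bytes, and the key the
# requestor and the Web Service share (stand-in for the signing key pair).
REQUESTOR_CERT = b"\x30\x82" + b"constructed-x509-der-bytes-for-the-example"
TRUSTED_CERTS = {REQUESTOR_CERT}
SHARED_KEY = b"constructed-key-shared-by-requestor-and-service"


def c14n(elem: ET.Element) -> bytes:
    """Canonical XML (C14N 2.0) of one subtree, so re-serialisation by an
    intermediary (prefix or whitespace changes) does not break the check."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           rewrite_prefixes=True).encode()


def integrity_value(env: ET.Element, key: bytes) -> bytes:
    """Simplified stand-in for ds:Signature: HMAC-SHA256 over Body and Timestamp."""
    body = env.find(f"{{{SOAP}}}Body")
    ts = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    return hmac.new(key, c14n(body) + c14n(ts), hashlib.sha256).digest()


def build_request(payload: ET.Element, cert: bytes, key: bytes, now: datetime,
                  ttl: timedelta = timedelta(minutes=5)) -> ET.Element:
    """Requestor side: attach the claims the service demands to the message."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    # Claim 1: identity, as a base64-encoded X.509 binary security token.
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken",
                        {"ValueType": "wsse:X509v3", "EncodingType": "wsse:Base64Binary"})
    bst.text = base64.b64encode(cert).decode()
    # Claim 2: freshness window, so a captured message cannot be replayed forever.
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(TIME_FMT)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + ttl).strftime(TIME_FMT)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(payload)
    # Proof of possession plus integrity: bind Body and Timestamp to the key.
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = \
        base64.b64encode(integrity_value(env, key)).decode()
    return env


def accept(env: ET.Element, key: bytes, trusted: set, now: datetime) -> tuple:
    """Web Service side: its claim requirements. A message that does not carry
    the needed claims is rejected, whatever route it took to get here."""
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False, "no wsse:Security header: required claims absent"
    bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None or bst.get("ValueType") != "wsse:X509v3":
        return False, "no X.509 security token"
    if base64.b64decode(bst.text or "") not in trusted:
        return False, "token not endorsed by a trusted authority"
    expires = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    if expires is None:
        return False, "no timestamp"
    if now > datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "message expired"
    sig = sec.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue") or ""
    if not hmac.compare_digest(base64.b64decode(sig), integrity_value(env, key)):
        return False, "integrity check failed: Body or Timestamp altered"
    return True, "accepted"


def demo() -> dict:
    """Run one message along the Requestor -> Intermediary -> Web Service path."""
    now = datetime(2002, 12, 18, 12, 0, tzinfo=timezone.utc)
    quote = ET.fromstring('<m:GetQuote xmlns:m="urn:example:stock"><m:Symbol>IBM</m:Symbol></m:GetQuote>')
    env = build_request(quote, REQUESTOR_CERT, SHARED_KEY, now)
    results = {"direct": accept(env, SHARED_KEY, TRUSTED_CERTS, now)[0]}
    # An intermediary adds a routing header; the end-to-end claims still verify,
    # which a TLS session terminated at that intermediary could not guarantee.
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "{urn:example:routing}Via").text = "gateway-1"
    results["via_intermediary"] = accept(env, SHARED_KEY, TRUSTED_CERTS, now)[0]
    # The intermediary rewrites the Body: the integrity value no longer matches.
    env.find(".//{urn:example:stock}Symbol").text = "MSFT"
    results["body_tampered"] = accept(env, SHARED_KEY, TRUSTED_CERTS, now)[0]
    # A genuine but stale message, delivered after Expires.
    late = build_request(ET.Element("{urn:example:stock}Ping"), REQUESTOR_CERT, SHARED_KEY, now)
    results["expired"] = accept(late, SHARED_KEY, TRUSTED_CERTS, now + timedelta(minutes=10))[0]
    # No security header at all: the needed claims are absent.
    bare = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(ET.SubElement(bare, f"{{{SOAP}}}Body"), "{urn:example:stock}Ping")
    results["no_claims"] = accept(bare, SHARED_KEY, TRUSTED_CERTS, now)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} {'accepted' if ok else 'rejected'}")
```

The via_intermediary case is the point of the slides: the gateway can add headers (or, with XML Encryption, decrypt and re-encrypt parts it is entitled to) without invalidating the requestor's claims, while any change to the signed Body or Timestamp, a late replay, or a message without tokens is rejected at the logical endpoint.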
WS-Policy
• Framework for Web services to specify their requirements and capabilities
• Defines:
– a header element for carrying domain-specific policy declarations
– operators for combining policies
– how policies are connected to their targets
• See ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf
• Public draft – 12/18/02
WS-PolicyAssertions
• Defines basic assertions needed to enable Web services applications
– TextEncoding – what character sets are supported
– Language – what locales are supported (xml:lang)
– SpecVersion – which specification versions are supported
– MessagePredicate – preconditions for an invocation
– …
• See http://www.verisign.com/wss/WS-PolicyAssertions.pdf
• Public draft – 12/18/02
WS-SecurityPolicy
• Defines extensions to WS-Policy for describing the security properties of a Web Service
• Policy assertions
– security token requirements
– encoding formats
– supported algorithms
• See http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-securitypolicy.asp
• Public draft – 12/18/02
WS-PolicyAttachments
• Defines how policies are attached to existing XML Web service technologies
– to specific documents – elements may use an attribute to point at policy statements
– to WSDL definitions – defines how these policy attributes are interpreted for WSDL definitions
– to UDDI entities – a tModel is defined for declaring that a service uses policy declarations
• See ftp://www6.software.ibm.com/software/developer/library/ws-policyattachment.pdf
• Public draft – 12/18/02
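How the operators of WS-Policy combine the assertions of WS-PolicyAssertions and WS-SecurityPolicy into a decision, as an added Python example that is not code from the slides or from the specifications: a service policy is evaluated against the set of assertions a requestor offers. The operator names wsp:All, wsp:ExactlyOne and wsp:OneOrMore and the wsp:Usage values Required, Optional and Rejected follow the December 2002 WS-Policy draft; the namespace URIs, the attribute layout of the TextEncoding, Language and SecurityToken assertions, and the sample policy are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the December 2002 drafts (assumption: check against the
# version you deploy; the later W3C WS-Policy uses a different URI).
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
NS_DECL = f'xmlns:wsp="{WSP}" xmlns:wsse="{WSSE}"'

# Constructed service policy: UTF-8 required, exactly one of two token types,
# English optional, Latin-1 explicitly refused. The element and attribute
# layout of the assertions is an assumption for the example.
SERVICE_POLICY = f"""
<wsp:Policy {NS_DECL}>
  <wsp:All>
    <wsp:TextEncoding wsp:Usage="wsp:Required" Encoding="utf-8"/>
    <wsp:ExactlyOne>
      <wsse:SecurityToken wsp:Usage="wsp:Required">
        <wsse:TokenType>wsse:X509v3</wsse:TokenType>
      </wsse:SecurityToken>
      <wsse:SecurityToken wsp:Usage="wsp:Required">
        <wsse:TokenType>wsse:Kerberosv5TGT</wsse:TokenType>
      </wsse:SecurityToken>
    </wsp:ExactlyOne>
    <wsp:Language wsp:Usage="wsp:Optional" xml:lang="en"/>
    <wsp:TextEncoding wsp:Usage="wsp:Rejected" Encoding="iso-8859-1"/>
  </wsp:All>
</wsp:Policy>
"""

# Constructed assertions a requestor can offer (same shape as the policy's).
UTF8 = f'<wsp:TextEncoding {NS_DECL} Encoding="utf-8"/>'
LATIN1 = f'<wsp:TextEncoding {NS_DECL} Encoding="iso-8859-1"/>'
ENGLISH = f'<wsp:Language {NS_DECL} xml:lang="en"/>'
X509 = f'<wsse:SecurityToken {NS_DECL}><wsse:TokenType>wsse:X509v3</wsse:TokenType></wsse:SecurityToken>'
KERBEROS = f'<wsse:SecurityToken {NS_DECL}><wsse:TokenType>wsse:Kerberosv5TGT</wsse:TokenType></wsse:SecurityToken>'


def fingerprint(assertion: ET.Element) -> tuple:
    """What identifies an assertion: element name, its non-wsp attributes and
    its children's text. wsp:Usage and wsp:Preference are operator data, not
    part of the assertion's identity, so they are left out."""
    attrs = frozenset(item for item in assertion.attrib.items()
                      if not item[0].startswith(f"{{{WSP}}}"))
    children = tuple((child.tag, (child.text or "").strip()) for child in assertion)
    return assertion.tag, attrs, children


def satisfied(node: ET.Element, offered: set) -> bool:
    """Evaluate a policy operator tree against the assertions a requestor offers."""
    tag = node.tag
    if tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        return all(satisfied(child, offered) for child in node)
    if tag == f"{{{WSP}}}ExactlyOne":
        return sum(satisfied(child, offered) for child in node) == 1
    if tag == f"{{{WSP}}}OneOrMore":
        return any(satisfied(child, offered) for child in node)
    usage = node.get(f"{{{WSP}}}Usage", "wsp:Required")
    present = fingerprint(node) in offered
    if usage.endswith("Optional"):
        return True            # may be used; its absence never fails the policy
    if usage.endswith("Rejected"):
        return not present     # the service refuses messages exhibiting this
    return present             # Required, and anything unrecognised, conservatively


def complies(policy_xml: str, offered_snippets) -> bool:
    """True if the requestor's offered assertions satisfy the service policy."""
    offered = {fingerprint(ET.fromstring(snippet)) for snippet in offered_snippets}
    return satisfied(ET.fromstring(policy_xml), offered)


def demo() -> dict:
    return {
        "x509_utf8": complies(SERVICE_POLICY, [UTF8, X509]),
        "x509_utf8_english": complies(SERVICE_POLICY, [UTF8, X509, ENGLISH]),
        "kerberos_utf8": complies(SERVICE_POLICY, [UTF8, KERBEROS]),
        "no_token": complies(SERVICE_POLICY, [UTF8]),
        "both_tokens": complies(SERVICE_POLICY, [UTF8, X509, KERBEROS]),
        "latin1_offered": complies(SERVICE_POLICY, [UTF8, LATIN1, X509]),
        "no_utf8": complies(SERVICE_POLICY, [X509]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'complies' if ok else 'violates policy'}")
```

Note that the evaluator treats an unknown wsp:Usage value as Required rather than ignoring the assertion; a policy engine that silently skipped assertions it did not understand would let a requestor satisfy a security policy by offering less, which is the wrong failure mode for WS-SecurityPolicy.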
WS-Trust
• Describes a model for how to establish trust relationships
– direct
– brokered
– via third parties and intermediaries
• Defines the Security Token Service (a Web Service)
– request/obtain security tokens
– validate security tokens
• Trust management (non-normative)
– fixed trust roots
– trust hierarchies
– authentication service
• See http://www.verisign.com/wss/WS-Trust.pdf
• Public draft – 12/18/02
WS-SecureConversation
• Describes how to
– authenticate the requestor
– authenticate services
– establish a mutually authenticated security context
– establish session keys
– derive keys from the context's shared secret
– use per-message keys
• See http://www.rsasecurity.com/solutions/web-services/specifications/WS-SecureConversation.pdf
• Public draft – 12/18/02
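The last three items, session key to derived keys to per-message keys, as an added Python example that is not code from the slides or from the specification: both parties derive a fresh key for each message from the shared secret of the security context, so a captured message cannot be re-presented under a later key. The derivation is P_SHA1 from RFC 2246 section 5 (the TLS 1.0 PRF component), which later WS-SecureConversation versions adopt for derived key tokens; the label and nonce layout, the use of the generation number as an offset, and the sample secret are assumptions made for the example rather than text from the December 2002 draft.

```python
import hashlib
import hmac


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from RFC 2246 section 5:
    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)),
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, label: bytes, nonce: bytes,
               generation: int, key_len: int = 32) -> bytes:
    """Key for the message with sequence number `generation`: bytes
    [generation*key_len, (generation+1)*key_len) of P_SHA1(secret, label || nonce).
    Label, nonce and generation travel in the clear with the message; only the
    context secret agreed at session establishment has to stay secret."""
    offset = generation * key_len
    return p_sha1(context_secret, label + nonce, offset + key_len)[offset:]


# Constructed test data standing in for the outcome of context establishment.
CONTEXT_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
LABEL = b"WS-SecureConversation"                         # assumption: label both parties use
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, sent with the message


def protect(payload: bytes, generation: int) -> bytes:
    """Sender: MAC the message under the key derived for this generation."""
    key = derive_key(CONTEXT_SECRET, LABEL, NONCE, generation)
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload: bytes, generation: int, tag: bytes) -> bool:
    """Receiver: derive the same per-message key and compare in constant time."""
    return hmac.compare_digest(protect(payload, generation), tag)


def demo() -> dict:
    msg = b'<m:GetQuote xmlns:m="urn:example:stock">IBM</m:GetQuote>'
    tag0 = protect(msg, 0)
    k0 = derive_key(CONTEXT_SECRET, LABEL, NONCE, 0)
    k1 = derive_key(CONTEXT_SECRET, LABEL, NONCE, 1)
    return {
        "message_0_verifies_under_key_0": verify(msg, 0, tag0),
        # A captured message replayed as the next generation fails: its MAC was
        # computed under a different derived key.
        "replay_as_generation_1_fails": not verify(msg, 1, tag0),
        "per_message_keys_differ": k0 != k1,
        # Generation n is offset n*key_len into the same P_SHA1 stream, so the
        # key for message 1 is the second 32-byte slice of a 64-byte derivation.
        "generation_is_offset": k1 == p_sha1(CONTEXT_SECRET, LABEL + NONCE, 64)[32:],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32} {ok}")
```

Per-message keys do not make the scheme forward secure (anyone holding the context secret can derive every key); what they buy is that a message is bound to its position in the conversation, so the receiver can track the highest generation seen and refuse anything older without keeping per-message state beyond a counter.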
WS-Security Profile for XML-based Tokens
• Defines a framework for using XML-based security tokens with WS-Security
– SAML binding
– XrML binding
• See http://www-106.ibm.com/developerworks/library/ws-sectoken.html
• Public draft – 8/28/02
WS-Privacy
• Defines how a Web Service states and implements its privacy practices
• So far referenced only from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
• The privacy demo in IBM's Web Services Toolkit supports P3P rules in a WS-Policy style format
WS-Federation
• Defines how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities
• So far referenced only from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
WS-Authorization
• Describes how the Web Service manages authorization data and policies
• So far referenced only from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
Web Service Security Layers (status)
[Diagram: the security layer stack above, repeated with each specification marked as Standard, Draft Standard, Proposal or Expected]