As Web services evolve from technology concepts into practical applications, there are clear indications that they will be an extremely important model for future application architectures. As Web services move from pilot projects into production, the benefits of a loosely coupled, language- and platform-independent approach to linking applications across the enterprise and across the Internet become increasingly apparent. Our customers, industry analysts, and the press have identified one key issue that must be addressed as Web services go mainstream: security. This article discusses how to select and implement a standards-based security architecture that meets the security needs of real enterprise Web services.
The key to a Web services architecture is the ability to deliver integrated, interoperable solutions. Ensuring the integrity, confidentiality, and security of Web services by applying such a security model is therefore critical to both software vendors and their customers. The basic Web services security specifications introduced here include:
Web Services Description Language (WSDL) for integration, Security Assertion Markup Language (SAML) for authentication and authorization, Secure Sockets Layer (SSL) for channel confidentiality, XML Encryption for highly confidential data, and XML Digital Signature for advanced authorization. Several other specifications are also introduced, including:
the Web Services Security specification (which builds on XML Encryption and XML Digital Signature), the XML Key Management Specification (XKMS), and the eXtensible Access Control Markup Language (XACML) for authorization.
A model that provides security features and components for Web services needs to integrate existing processes and technologies with the security requirements of future applications. A unified security technology must abstract an application's security requirements away from specific mechanisms, so that developers can easily build interoperable security solutions across heterogeneous systems. A successful Web services security approach requires a set of flexible, interoperable elements that, through policy and configuration, make a variety of security solutions viable. A viable Web services security mechanism needs to meet the requirements of the following components:
Network security
Supports secure transport mechanisms that provide confidentiality and integrity, such as SSL.
XML message security
1. XML Digital Signature, so that the receiver can verify the identity of the sender of a message.
2. XML Encryption, which provides confidentiality for individual data elements so that the exchange can be verified. The W3C has published a Note on XML Key Management Services (XKMS) to help distribute and manage the keys required for secure communication between endpoints.
Endpoint authentication and authorization
1. Supports contracts for exchanging information between enterprises that define which employees may use which services; intermediaries are responsible for auditing and servicing the original credentials.
2. Supports trusted third-party authentication services within the network, such as Kerberos.
Security service description
1. Describes whether digital signatures, encryption, authentication, and authorization are supported, and how. Web service requesters use the security elements of a service description to find service endpoints that meet their policy requirements, together with the security methods those endpoints use.
2. OASIS has set up a technical committee to define authorization and authentication assertions (Security Assertion Markup Language, SAML) to help endpoints accept assertions and make access control decisions.
3. OASIS has also set up another technical committee to standardize the expression of access control policy (eXtensible Access Control Markup Language, XACML), which helps endpoints process SAML assertions in a consistent manner.
OASIS (Organization for the Advancement of Structured Information Standards), the XML-related standards group, joined with participating companies to set up the Web Services Security (WS-Security) Technical Committee (WS-Security TC) to develop Web services security standards. OASIS announced this on July 23, 2002, US local time.
The purpose of the WS-Security standard is to ensure that Web service applications preserve the integrity and confidentiality of the data they process; it specifies extensions to the Web services protocol SOAP and to the message header. The specification was jointly developed by IBM, Microsoft, and VeriSign. WS-Security integrates a variety of security models, architectures, and technologies and is one of the standard specifications for Web services, allowing different systems to ensure compatibility through platform- and language-independent methods.
WS-Security describes enhancements to SOAP messaging that provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a variety of security models and encryption technologies. WS-Security also provides a general-purpose mechanism for associating security tokens with messages. It does not require any specific type of security token; it is designed to be extensible (for example, to support multiple security token formats). A client might, for example, provide both proof of identity and a certificate proving that it holds a particular business certification.
In addition, WS-Security describes how to encode binary security tokens. Specifically, the specification describes how to encode X.509 certificates and Kerberos tickets, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the credentials carried in the message.
WS-Security is flexible and is designed to serve as the foundation for multiple security models, including PKI, Kerberos, and SSL. It supports multiple security token formats, multiple trust domains, multiple signature formats, and multiple encryption technologies. The specification provides three main mechanisms: security token propagation, message integrity, and message confidentiality. These mechanisms do not by themselves provide a complete security solution; rather, WS-Security is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and encryption technologies. The mechanisms can be used independently (for example, to pass a security token) or in a tightly integrated manner (for example, signing and encrypting a message and providing a security token hierarchy associated with the keys used for signing and encryption).
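As an added example (not part of this article or of the WS-Security specification text), the following Python shows one concrete form of the security token propagation and single message authentication described above: a client attaches a wsse:UsernameToken to the SOAP header, and the receiving service verifies it using the digest rule of the OASIS WS-Security UsernameToken Profile 1.0 (Base64(SHA-1(nonce + created + password))), rejecting tokens that downgrade to a cleartext password, stale timestamps, and replayed nonces. It assumes the service holds the cleartext password, as that profile requires; the user names, passwords, and message body are constructed sample values.

```python
import base64, hashlib, secrets, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce_b64, created, password):
    # Profile rule: PasswordDigest = Base64(SHA-1(decoded nonce + Created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(username, password, body_xml, created=None, nonce_b64=None):
    # Client side: wrap the body in a SOAP Envelope carrying a wsse:UsernameToken
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
            f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def verify_envelope(xml_text, password_db, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    # Server side: returns (ok, reason); checks digest type, Created freshness, nonce replay, digest
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(xml_text).find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST or not (nonce and created):
        return False, "token must use PasswordDigest with Nonce and Created"
    ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_skew:
        return False, "Created outside freshness window"
    if (user, nonce) in seen_nonces:
        return False, "nonce replayed"
    expected = password_digest(nonce, created, password_db.get(user, ""))
    if user not in password_db or not secrets.compare_digest((pw.text or "").encode(), expected.encode()):
        return False, "bad digest"
    seen_nonces.add((user, nonce))  # a nonce is accepted once, only after a successful check
    return True, "ok"
```

The seen_nonces set stands in for a replay cache that a real service would bound to the freshness window; a production deployment would also carry the envelope over SSL, since the digest alone does not protect the SOAP body.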