Original address: http://www.intel.com/cd/ids/developer/apac/zho/322087.htm?Page=1

Securing Web services raises a number of problems, and a number of technologies are available to address them; these are the subject of this article. Security issues related to interoperability are a further topic. We also briefly describe the new standards being developed for Web service security, which will provide standardized security services in the future, take a quick look at some commercial products for Web service security, and discuss how Intel is contributing to the Web service security domain through various programs.
This article assumes a basic understanding of the Web service architecture, IIS, and .NET security.
Security Basics
Application security solutions need to address a range of information security requirements. In a distributed client/server environment such as Web services, where information travels across open network infrastructures, these requirements become more pressing. They are:
- Confidentiality: ensure that no third party can read or interpret the data.
- Integrity: give the receiver the ability to detect changes to the original message or data, whether intentional or accidental, made during transmission.
- Authentication: ensure that the client or user accessing the information is who they claim to be.
- Authorization: ensure that the client or user has permission to access the information.
- Non-repudiation: ensure that the client or user cannot later deny having used the information.
Web Service Architecture
The Web service architecture uses XML/SOAP over HTTP, the most commonly used transport protocol, so information is exchanged in plain text. A third party can therefore easily intercept and interpret it, and security becomes all the more important.
The security services above can be provided at the transport layer or at the application layer using SOAP security. This leads to differences between security mechanisms: security becomes tied to the platform capabilities of the Web service provider, and this in turn affects interoperability, as described below.
Security in the .NET Environment
Web services in the .NET environment are hosted by IIS, so the built-in security features of IIS can be used:
- SSL over HTTP provides confidentiality and integrity for data transmitted over HTTP. Client X.509 certificates (optional in the SSL protocol) can be enabled to provide non-repudiation. Once SSL is enabled, all data sent over these connections is encrypted and signed.
- IIS provides multiple authentication mechanisms: Basic authentication, Digest authentication, Integrated Windows authentication (NTLM/Kerberos), or X.509 certificates. Any of these can be enabled for the specific directory that hosts the Web service; client certificates can also be submitted and validated through IIS. In addition, the Web service's Web.config file must be modified to specify "Windows" authentication, and anonymous access must be disabled in IIS.
- The Code Access Security mechanism can be used to provide authentication. In essence, when a Web service method is invoked, this mechanism makes available the identity of the user calling the Web service. Once the user identity (established by IIS from the credentials the client presented, according to the configured authentication mechanism) is retrieved, you can explicitly check whether that user is authorized to access the Web method.
Security in the Java Environment
- For Web services hosted in the Java environment, SSL over HTTP can also be enabled, providing confidentiality and integrity for data transmitted over HTTP.
- However, this environment only supports Basic authentication, which requires adding the user name and password to the corresponding Web service.
Web Service-Related Security Standards
Another way to secure Web services is to protect the data itself as it passes over an insecure underlying transport such as HTTP. This can be achieved with the technologies discussed below.
SOAP is a simple XML-based text message format used to form Web service requests and responses. A SOAP message consists of a SOAP header and a SOAP body. The header holds any metadata related to the request, and the body holds the actual data content of the message.
To provide message confidentiality, the SOAP body can carry encrypted message data, and the SOAP header can carry a session key encrypted with the message sender's private key. At the receiving end, the sender's public key is used to recover the session key, which then decrypts the data contained in the SOAP body. This also establishes that the message came from that particular user, because only that user has access to the private key used to encrypt the session key.
For more information, see the XML Encryption Syntax and Processing and XML Signature Syntax and Processing specifications.
Similarly, to provide message integrity, a message digest of the SOAP body can be generated and sent in the SOAP header. The receiver recomputes the digest of the SOAP body it received and compares it with the digest carried in the header. If the two values match, the message was not altered in transit.
With the support provided by the Web service stack on the server and client, XML-based encryption, signing, and integrity checking can be performed. As the standards mature and gain wider acceptance, more toolkits will support them.
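The integrity check just described, as an added Python example that is not part of the original article: the sender digests the SOAP body and carries the digest in the header, and the receiver recomputes and compares it. It goes one step further to show why the digest must itself be signed, as XML Signature does: a receiver that only compares digests accepts a message whose body and digest were both rewritten. The HMAC key, the Integrity header element names and the sample body are constructed stand-ins for real XML Signature key material and schema.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed demo key standing in for the sender's signing key; the HMAC over
# the digest plays the role of XML Signature's SignatureValue.
SIGNING_KEY = b"constructed-demo-signing-key"
SAMPLE_BODY = "<GetBalance><Account>12345</Account></GetBalance>"  # constructed

def digest_of(body_elem):
    """SHA-256 over one fixed serialization, so both sides hash the same bytes."""
    return hashlib.sha256(ET.tostring(body_elem, encoding="unicode").encode()).hexdigest()

def sign_digest(digest):
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()

def build_envelope(body_xml, signature=None):
    """Sender: digest the body, sign the digest, carry both in the SOAP header."""
    digest = digest_of(ET.fromstring(body_xml))
    sig = sign_digest(digest) if signature is None else signature
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header><Integrity>'
            f"<DigestValue>{digest}</DigestValue><SignatureValue>{sig}</SignatureValue>"
            f"</Integrity></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>")

def _parts(envelope):
    """Pull the header values and the first body child out of an envelope."""
    root = ET.fromstring(envelope)
    hdr = root.find(f"{{{SOAP_NS}}}Header/Integrity")
    return hdr.findtext("DigestValue"), hdr.findtext("SignatureValue"), root.find(f"{{{SOAP_NS}}}Body")[0]

def digest_matches(envelope):
    """Receiver, digest only: catches corruption in transit, not a rewritten message."""
    sent_digest, _, body_elem = _parts(envelope)
    return hmac.compare_digest(sent_digest, digest_of(body_elem))

def verify_envelope(envelope):
    """Receiver, digest plus signature: also rejects deliberate tampering."""
    sent_digest, sent_sig, body_elem = _parts(envelope)
    return (hmac.compare_digest(sent_digest, digest_of(body_elem))
            and hmac.compare_digest(sent_sig, sign_digest(sent_digest)))

def rewrite_without_key(envelope, new_body_xml):
    """A rewritten message: new body and fresh digest, but the original signature."""
    return build_envelope(new_body_xml, signature=_parts(envelope)[1])

if __name__ == "__main__":
    env = build_envelope(SAMPLE_BODY)
    altered = rewrite_without_key(env, SAMPLE_BODY.replace("12345", "99999"))
    print(digest_matches(altered), verify_envelope(altered))  # digest alone is fooled
```

For the confidentiality scheme in the earlier paragraph, note that XML Encryption wraps the session key with the recipient's public key; a key encrypted with the sender's private key can be recovered by anyone holding the sender's public key, so that construction proves origin but does not keep the session key secret.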
Another emerging standard, which plays an important role in secure Web service interoperability, is SAML, the Security Assertion Markup Language. It is an XML-based framework for exchanging authentication and authorization information between different Web access management and security products. With SAML, security information can be expressed in XML documents and transferred securely from one application to another. The standard has been standardized by OASIS, the Organization for the Advancement of Structured Information Standards. SAML allows applications to communicate with security systems from different vendors by defining a vendor-independent XML data format for representing security information. Software from vendor A can therefore use SAML to produce user information or access control decisions, and software from vendor B can consume that information without either party disclosing proprietary algorithms or data formats. For more information, visit http://www.oasis-open.org/committees/security/.
Commercial Products for Web Service Security
Some independent vendors have developed products that provide authentication and authorization services for Web services, so that developers no longer need to embed authentication and authorization code in each individual Web service. Products such as Netegrity's TransactionMinder (http://www.netegrity.com) provide policy-based authentication, authorization, and auditing services based on industry standards such as the XML Signature and SAML discussed above. They allow existing user directories to be used and simplify user and policy management. Note that with these products, encryption of data in transit still depends on transport layer security.
Intel and Web Service Security
Intel has been actively promoting the development of Web service infrastructure and the wider adoption of Web service applications. Since security is one of the most important building blocks, and enterprises can adopt Web services only once it is settled, Intel has long been committed to the following areas:
- Promoting standards: Intel is a member of the OASIS WS-Security Technical Committee. OASIS is a non-profit global consortium that promotes the development, convergence, and adoption of e-business standards. WS-Security defines a set of SOAP extensions that implement integrity and confidentiality in Web service applications, laying a solid foundation for higher-level goals such as federation, policy, and trust.
- New-generation processors: some of the new technologies used to secure Web services (such as XML Signature) consume more resources than traditional technologies, and this growing demand for resources can become a stumbling block to enterprise adoption of Web services. The new generation of IA-64 processors delivers better performance for such technologies, and the Intel Pentium 4 processor, with its advanced 800 MHz system bus and Hyper-Threading (HT) Technology, offers performance that better meets the growing demands of Web service security solutions.
- Web service optimization tools: because the Web service security technologies mentioned above consume substantial processor resources, Web service optimization becomes more important, and Intel has developed tools to support it. The VTune Enterprise Analyzer can measure and improve code-level performance deep inside N-tier Microsoft DNA and .NET applications. It also supports traditional applications exposed through Web services, so developers can analyze hybrid applications with a single tool. The tool also shows HTTP, DCOM, Microsoft SQL, and SOAP response-time statistics, which can be used to optimize Web service applications.
For more information about the Intel VTune Visual Performance Analyzer for .NET Web applications, visit http://www3.intel.com/cd/software/products/apac/zho/vtune/index.htm
- Intel's own Web services: adding Web services to EAI/B2Bi strategies
Intel's Information Technology (IT) division recognizes that Web services are a promising new technology that will add value to Intel. Intel plans to integrate Web services into its Enterprise Application Integration (EAI) and its supply chain, collectively referred to as business-to-business integration (B2Bi). Intel has also invested in other technologies for EAI and B2Bi.
- Support for third-party products: Intel has invested in several independent companies to support Web service security solutions. For example, the Dublin-based independent software vendor Vordel has developed an open-standards product that provides essential security and account management functions for Web services. By providing security and authentication, Vordel enables companies to use Web services securely and reliably. As an Intel strategic portfolio company, Vordel has optimized its solutions to take full advantage of Intel's most advanced enterprise-class processors, the Intel Xeon processor and the Intel Itanium processor.
VordelSecure 2.0 provides enterprises with a high-performance, scalable security management solution for securing their XML communications. XML security standards such as WS-Security and SAML can be deployed using a proxy-based, scalable, distributed architecture.
- Consulting: Intel Solution Services (ISS) is a global consulting and solutions development organization specializing in distributed solutions and data center infrastructure services. Its Web service practice is an integral part of ISS and provides design and deployment support for Web service security. See Intel Solution Services for more information.
Conclusion
Many technologies are currently used for Web service security, and many of them depend on the platform to some degree. New standards under development will allow greater interoperability between different platforms and development toolkits. Despite these problems, Web services can already be secured in a reliable way, so that traditional functions can be exposed to the outside world, improving efficiency and enabling new capabilities.
Future Prospects
In the next article in this series we will discuss other Web service topics, such as deployment and performance management.