Web Services Security / Edition 1

by Mark O'Neill, Paul A. Watters, Ed Simon, Mike Shema, Sean Mac Cann
ISBN-10: 0072224711

ISBN-13: 9780072224719

Pub. Date: 01/31/2003

Publisher: McGraw-Hill Professional Publishing

Overview

Explains how to implement secure Web services and includes coverage of trust, confidentiality, cryptography, authentication, authorization, and Kerberos. You’ll also find details on Security Assertion Markup Language (SAML), XML Key Management Specification (XKMS), XML Encryption, Hypertext Transfer Protocol-Reliability (HTTP-R) and more.

Product Details

ISBN-13: 9780072224719
Publisher: McGraw-Hill Professional Publishing
Publication date: 01/31/2003
Series: Application Development Series
Pages: 312
Product dimensions: 7.20(w) x 9.00(h) x 0.80(d)

Table of Contents

Foreword  xiii
Acknowledgments  xvii
Introduction  xix

Part I  Introduction

1  Presenting Web Services  3
  Defining Web Services  4
  Introducing the XML Family  6
  XML for Communication  11
  An Example Web Services Scenario  12
  Practical Tools  19
2  Presenting Security  21
  The Building Blocks of Security  22
  Confidentiality  23
  Integrity  27
  Nonrepudiation  29
  Authentication  32
  Authorization  35
  Availability  36
  Peeling Back the Layers of Security  37
  Network Layer  37
  Session and Transport Layers  38
  Application Layer: S/MIME  39
3  New Challenges and New Threats  41
  Web Services Security Challenges  43
  The Challenge of Security Based on the End User of a Web Service  43
  End-User Access to a Web Service: A Practical Example  44
  The Challenge of Maintaining Security While Routing Between Multiple Web Services  48
  The Challenge of Abstracting Security from the Underlying Network  50
  Meeting the Challenges: New Technologies for Web Services Security  51
  Persistent Security  51
  Web Services Security Threats  55
  Web Application Security  55
  The Role of Firewalls for Web Services  57

Part II  XML Security

4  XML Signature  63
  Making Sense of XML Signature  65
  An XML Signature Is a Digital Signature Expressed in XML  65
  An XML Signature May Be Placed Inside an XML Document  71
  XML Signature Allows Multiple Documents to Be Signed  74
  XML Signature Is "XML-Aware Signature"  75
  Uses of XML Signature for Web Services Security  75
  Persistent Integrity  75
  Nonrepudiation: How Useful Is the KeyInfo Element?  76
  Authentication  76
  Creating and Validating an XML Signature  77
  Creating an XML Signature  77
  Validating an XML Signature  79
  Checklist  81
5  XML Encryption  83
  Introduction to XML Encryption  84
  Persistent Encryption for Web Services Transactions  84
  XML-Aware Encryption  85
  Encryption Scenarios  87
  Encrypting an XML Element and Its Contents  87
  Encrypting the Content of an XML Element  88
  Encrypting Arbitrary Data (Including XML)  88
  CipherValue and CipherReference  89
  Encryption Steps  90
  Step 1  Choose an Encryption Algorithm  90
  Step 2  Obtain and (Optionally) Represent the Encryption Key  92
  Step 3  Serialize the Data into UTF-8 Encoding  94
  Step 4  Perform the Encryption  94
  Step 5  Specify the Data Type  94
  Process the EncryptedData Structure  95
  Decryption Steps  95
  Step 1  Determine the Algorithm, Parameters, and ds:KeyInfo  95
  Step 2  Locate the Key  95
  Step 3  Decrypt the Data  95
  Step 4  Process XML Elements or XML Element Content  96
  Step 5  Process Data that Is Not an XML Element or XML Element Content  96
  Code Examples  96
  Encrypting an XML Element Using Triple-DES  96
  Decrypting Using the IBM XML Security Suite DecryptionContext  98
  The Overlap with XML Signature  98
  Using XML Encryption on a Signed Document  98
  Using XML Signature on an Encrypted Document  99
  Checklist  99
6  SAML  101
  How SAML Enables "Portable Trust"  102
  Introducing the Three Types of Assertions  106
  SAML Architecture  109
  Deploying SAML  113
  VeriSign's Trust Services Integration Kit  114
  Checklist  118
7  XACML  119
  Introduction to XACML  120
  Basic Concepts of Access Control  121
  Rules in XACML  121
  Definition of a Rule in XACML: Target, Effect, and Conditions  122
  A "Policy" in XACML  125
  Digital Rights Management  134
  Security Considerations When Using XACML  134
  Checklist  136
8  XML Key Management Specification (XKMS)  137
  Public Key Infrastructure  138
  PKI in Five Easy Points  139
  XKMS and PKI  140
  The XKMS Protocol  143
  XML Key Information Service Specification  147
  XML Key Registration Service Specification  153
  Advanced Protocol Features of XKMS 2.0  160
  Compound Requests  160
  Asynchronous Processing  160
  Checklist  162

Part III  Security in SOAP: Presenting WS-Security

9  WS-Security  165
  Introduction to WS-Security  166
  WS-Security Abstractions  166
  IBM/Microsoft Web Services Security Road Map  167
  WS-Security Elements and Attributes  170
  Error Handling in WS-Security  177
  SAML and WS-Security  178
  Code Example: Using the Microsoft WSE  179
  Checklist  181

Part IV  Security in Web Services Frameworks

10  .NET and Passport  185
  Ticket, Please: A Kerberos Overview  186
  Passport  188
  Prelude to the Login Process  188
  The Login Process  189
  Attacks Against Passport  191
  Malicious Partner Applications  193
  Privacy  193
  Web Services and .NET  194
  Framework  194
  Threats Against .NET Services  196
  Threats Against .NET Servers  199
  Protecting Your Servers  200
  Checklist  201
11  The Liberty Alliance Project  203
  What Does the Liberty Alliance Project Have To Do with Web Services?  204
  Terms to Remember  205
  Creating Circles of Trust Among Identity Providers and Service Providers  206
  Single Sign-On  209
  Identity Federation  210
  Name Registration  217
  Liberty Leading Web Services  221
  Defederating a Local Identity  223
  Single Logout  224
  Security in Liberty  225
  Liberty Today, Liberty Tomorrow  225
  Give Me Liberty or Give Me Passport  226
12  UDDI and Security  227
  UDDI Overview  228
  Securing Transactions with the UDDI Services  232
  Explaining the UDDI Roles  233
  Authenticating and Authorizing Publishers  235
  Authenticating and Authorizing Subscribers  242
  Checklist  246

Part V  Conclusion

13  ebXML  249
  ebXML  250
  Business Processes  250
  Collaboration Protocol Profile and Agreement  250
  Message Services  251
  Registry Information and Services  251
  ebXML Security Overview  251
  ebXML Registry Security  252
  Overview  252
  Standards Requirements  252
  Registry Security Conclusions  253
  ebXML Message Security  254
  Overview  254
  Standards Overview  254
  Authorization and Authentication  254
  Data Integrity and/or Confidentiality Attacks  254
  Denial of Service and/or Spoofing  254
  ebXML Standards Overview  255
  Message Security Conclusions  257
14  Legal Considerations  259
  The Role of Contract Law and Evidence in Online Security  260
  If Security Is the Answer, Then Exactly What Is the Question?  261
  Legal Components: A Primer  261
  Digital Signing  262
  Dispelling the Myths  264
  Mapping Legal Components to Technical Security Components  266
  Applying the Law to Particular Technologies  270
  Web Services: An Overview of Legally Relevant Technical Trends  270
  SAML: The Legality of "Distributed Trust"  274
  SSL: Legally, How Secure Is It?  278
  Biometrics: Is Seeing Believing?  278
  Conclusions  279
  Legal Security Is Holistic  280
  Effective Security Depends on Shared Cultural Assumptions  280
  The Best Security Is Designed to Fail Successfully  281
  Checklist  282
A  Case Studies  285
  Local Government Service Portal  286
  Project Overview  286
  Security Factors Identified  287
  Security Measures Deployed  287
  Foreign Exchange Transactions  287
  Project Overview  288
  Security Factors Identified  288
  Security Measures Deployed  289
  XML Gateway Rollout  290
  Project Overview  290
  Security Factors Identified  290
  Security Measures Deployed  291
Index  301