August 18, 2009

Securing Java Web Services with WS-Security, SAML, and More

Capstone has updated and expanded Course 562, "Securing Java Web Services," adapting to major new developments in security for web services, SOA, and software enterprises generally. The resulting five-day course develops in-depth understanding of common service-security scenarios: motivations, techniques, and standards-based solutions.

Scenario diagram

Though we use Java to get all the trains running, the great majority of the course material presents the interoperable standards that make message-level security a reality:

Even non-Java or non-developer audiences can get quite a lot out of a delivery that simply de-emphasizes the inner workings of the applications, and focuses on the over-the-wire and policy content. The primary target audience, though, is intermediate-to-advanced Java developers, and we use the following toolkits to implement the key standards:

Like our other security courseware (see Courses 107 and 121), "Securing Java Web Services" pursues technology standards by way of use cases and common hacks. Most chapters begin with one or more use cases to drive study of a particular topic, and most exercises work by demonstrating a possible security failure and then improving the target application by one technique or another.

SAML sender-vouches diagram

The primary case studies for the course, in their final forms, exhibit message-level security based on a shared WS-SecurityPolicy, using Metro/WSIT as the WS-Security engine, and various other practices including:

  • WS-Security username tokens, timestamps, signatures, and encryption
  • Symmetric and asymmetric cryptography according to WS-SecurityPolicy bindings
  • SAML sender-vouches tokens in WS-Security headers
  • Back-channel SAML attribute queries and responses
  • XML signature of body and header content and of individual SAML assertions, both by configuring XWSS and/or WSIT and by hand using the XML Digital Signature API
  • WS-SecureConversation
  • Single sign-on in a SAML-2.0 federation, using OpenSSO and the Fedlets API