August 18, 2009
Securing Java Web Services with WS-Security, SAML, and More
Capstone has updated and expanded Course 562, "Securing Java Web Services," adapting to major new developments in security for web services, SOA, and software enterprises generally. The resulting five-day course develops in-depth understanding of common service-security scenarios: motivations, techniques, and standards-based solutions.
Though we use Java to get all the trains running, the great majority of the course material presents the interoperable standards that make message-level security a reality:
Even non-Java or non-developer audiences can get quite a lot out of a delivery that simply de-emphasizes the inner workings of the applications, and focuses on the over-the-wire and policy content. The primary target audience, though, is intermediate-to-advanced Java developers, and we use the following toolkits to implement the key standards:
Like our other security courseware (see Courses 107 and 121), "Securing Java Web Services" pursues technology standards by way of use cases and common hacks. Most chapters begin with one or more use cases to drive study of a particular topic, and most exercises work by demonstrating a possible security failure and then improving the target application by one technique or another.
The primary case studies for the course, in their final forms, exhibit message-level security based on a shared WS-SecurityPolicy, using Metro/WSIT as the WS-Security engine, and various other practices including: