Using WS-I to Build Secure Applications Anthony Nadalin Web Services Interoperability Organization (WS-I) Copyright 2008, WS-I, Inc. All rights reserved.

Presentation transcript:

1 Using WS-I to Build Secure Applications
Anthony Nadalin, Web Services Interoperability Organization (WS-I)
Copyright 2008, WS-I, Inc. All rights reserved

2 Agenda
 Introduction to WS-I
 Value proposition, goals and deliverables
 What is a profile? Philosophy of a profile
 WS-I profiles and technical highlights
 Building Secure Applications

3 WS-I
 An open industry effort
– Chartered to advance Web services interoperability across platforms, applications and programming languages
 Broad participation
– Users, software vendors, consultants, industry organizations, etc.
 Establish best practices for achieving interoperability
– Based on existing and broadly supported standards
 Cooperate with standards development organizations
– Consume standards, address industry organization requirements

4 WS-I: Goals
 Achieve Web services interoperability
– Provide a visible representation of conformance for a selected set of composable standards
 Accelerate Web services deployment
– Offer implementation guidance and best practices
– Deliver tools and sample applications
– Provide an implementer's forum where developers can collaborate
 Encourage Web services adoption
– Provide a forum for end users to communicate requirements
– Raise awareness of customer business requirements

5 WS-I: Deliverables
 Profiles
– Defined set of specifications or standards at specific version levels
– Guidelines and conventions for using these specifications together in ways that ensure interoperability
 Sample applications
– Use cases and usage scenarios based on customer requirements
– Sample code and applications built in multiple environments
– Demonstrate profile-based interoperability
 Test tools and supporting materials
– Tools that test profile implementations for conformance with the profiles
– Supporting documentation and white papers

6 WS-I: Delivered to Date
 Final Material
– Basic Profile 1.0 and 1.1, Basic Security Profile 1.0, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0
– Sample Application Implementations 1.0
– Testing Tools 1.0
– Security Challenges, Threats and Countermeasures
 Draft Material
– Basic Security Profile 1.1
– REL and SAML Token Profiles 1.0
– Testing Tools for the Basic Security Profile and Attachments Profile

7 What is a Profile?
 Named set of Web services specifications
 Base specifications are normative
 Profiles add constraints and guidance as to their interoperable usage, based upon implementation experience
 Organized around the base specifications

8 Philosophy of a Profile
 No guarantee of interoperability
 Does not address application semantics
 Focus on testable requirements
– Makes strong requirements: MUST vs. SHOULD
– Never relaxes requirements of the base specifications
– Chooses among multiple mechanisms
 Focus on interoperability
– Conformance on measurable targets: MESSAGE, DESCRIPTION, etc.
– Addresses issues at the application layer

9 Basic Profile 1.0 & 1.1
 More than 200 interoperability issues resolved
 Reference specifications and standards include:
– SOAP 1.1
– WSDL 1.1
– UDDI 2.0
– XML Schema
– XML 1.0 (Second Edition)
– HTTP 1.1
– SSL 3.0 (note: SSL 3.0 has since been deprecated by RFC 7568 and is not safe to negotiate; HTTPS endpoints built to these profiles today should accept only TLS 1.2 or later)
 Other supporting referenced specifications and standards

10 Next Steps
 WS-I has received ISO PAS Submitter status (PAS = Publicly Available Specification)
 Basic Profile 1.1, Simple SOAP Binding 1.0 and Attachments 1.0 have been submitted to ISO (Aug 2006)

11 Basic Security Profile 1.x
 Security Challenges, Threats and Countermeasures (SCTC)
– Identify security challenges: peer identification and authentication; data origin identification and authentication; data integrity and confidentiality; non-repudiation
– Identify threats
– Identify countermeasures: SSL/TLS; HTTP Basic, Digest and X.509 certificate authentication; SOAP Message Security (WS-Security)
– Note the split: SSL/TLS and HTTP authentication protect a single hop between peers, while WS-Security protects the SOAP message itself, so it survives intermediaries and supports data origin authentication and non-repudiation end to end
 Usage scenarios defined
 BSP 1.1 underway
 Implementations widely available today

12 Developing Web Services Using WS-I Profiles & Materials
The next charts provide information you can use to develop and deploy Web services using the WS-I materials.

13 Developing Web Services Using WS-I Profiles & Materials
 Do not use SOAP encoding
 Use only rpc-literal and document-literal styles
 Use the SOAP/HTTP binding
– Other bindings are out of scope, but may be used; however, interoperability issues may be encountered
 Be sure that your tools use the WS-I WSDL schemas
 Do not use wsdl:import to import XSD files
– The import URI MUST point to a WSDL document (e.g. foo.wsdl)
 Do not use xs:import to import a schema from a WSDL file
– The import URI MUST point to a schema document (e.g. foo.xsd)
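The rules on this slide are mechanically checkable, and checking them before a WSDL ships is cheaper than debugging a partner's toolkit later. The following is an added example, not WS-I's Testing Tools and not code from the presentation: a small lint over a WSDL document that flags SOAP encoding, mixed rpc/document styles within one binding, a wsdl:import whose location is not a WSDL document, and an xs:import that points at a WSDL file. The sample WSDL, the urn:example namespaces and the file names in it are constructed for this example, and the ".wsdl"/".xsd" suffix test is a filename heuristic standing in for a content check of the referenced document.

```python
"""
Added example: a Basic Profile lint for the WSDL constraints on slide 13.
Not WS-I's Testing Tools; the sample WSDL below is constructed and deliberately
violates every rule so that each finding is exercised.
"""
import xml.etree.ElementTree as ET
from typing import List

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


def _q(ns: str, local: str) -> str:
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def lint_wsdl(wsdl_text: str) -> List[str]:
    """Return one finding per Basic Profile violation; an empty list means clean."""
    root = ET.fromstring(wsdl_text)
    findings: List[str] = []

    # wsdl:import may only import another WSDL document, never an XSD.
    # Suffix check is a heuristic; a real tool would inspect the fetched document.
    for imp in root.iter(_q(WSDL_NS, "import")):
        loc = imp.get("location", "")
        if not loc.lower().endswith(".wsdl"):
            findings.append("wsdl:import location %r does not point at a WSDL document" % loc)

    # xs:import inside wsdl:types may only import a schema document, never a WSDL.
    for imp in root.iter(_q(XSD_NS, "import")):
        loc = imp.get("schemaLocation", "")
        if loc.lower().endswith(".wsdl"):
            findings.append("xs:import schemaLocation %r points at a WSDL file, not a schema" % loc)

    # No SOAP encoding: soap:body/header/fault/headerfault must be use="literal".
    for tag in ("body", "header", "fault", "headerfault"):
        for el in root.iter(_q(SOAP_NS, tag)):
            if el.get("use") == "encoded" or SOAP_ENC in el.get("encodingStyle", ""):
                findings.append('soap:%s uses SOAP encoding; only use="literal" is allowed' % tag)

    # One style per binding: each soap:operation must match the soap:binding style
    # (WSDL 1.1 defaults soap:binding to "document" and operations to the binding's style).
    for binding in root.iter(_q(WSDL_NS, "binding")):
        sb = binding.find(_q(SOAP_NS, "binding"))
        default = sb.get("style", "document") if sb is not None else "document"
        for op in binding.iter(_q(SOAP_NS, "operation")):
            if op.get("style", default) != default:
                findings.append("binding %r mixes %s and %s style operations"
                                % (binding.get("name"), default, op.get("style")))
    return findings


# Constructed sample (hypothetical urn:example service): breaks all four rules.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:orders"
    targetNamespace="urn:example:orders">
  <import namespace="urn:example:types" location="types.xsd"/>
  <types>
    <xs:schema targetNamespace="urn:example:orders">
      <xs:import namespace="urn:example:other" schemaLocation="other.wsdl"/>
    </xs:schema>
  </types>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="PlaceOrder">
      <soap:operation soapAction="" style="document"/>
      <input>
        <soap:body use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </input>
    </operation>
  </binding>
</definitions>
"""

# The same document with each violation corrected, for contrast.
CLEAN_WSDL = (SAMPLE_WSDL
              .replace("types.xsd", "types.wsdl")
              .replace("other.wsdl", "other.xsd")
              .replace(' style="document"', "")
              .replace('use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"',
                       'use="literal"'))

if __name__ == "__main__":
    for finding in lint_wsdl(SAMPLE_WSDL):
        print("FAIL:", finding)
    print("clean document findings:", lint_wsdl(CLEAN_WSDL))
```

Run it as a pre-commit or build step over every WSDL you publish; an empty list from `lint_wsdl` is a necessary but not sufficient condition for profile conformance, since the WS-I tools check many more requirements than these four.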

14 Developing Web Services Using WS-I Profiles & Materials
 Adopt WS-I conformance as an architectural policy for deployed Web services, especially those exposed to the extranet
 Use your IDE to validate WS-I Profile conformance
– If it doesn't provide this, use the WS-I tools
 Set your IDE's WS-I conformance preferences
– If there is no preference option for this, ask why not!
 Use WS-I Usage Scenarios to design your interactions
 Use the WS-I Sample Applications as templates for your services

15 Conformance
 Web service instance and artifacts only
– Not conformance of runtimes or development tools
 Conformance is based on the profile specification
– Must be capable of passing the WS-I Testing Tools
– Best indicator of conformance with the profile(s)
– Tools do not cover all requirements
 Self-certification process
– Claimant tests instance and artifacts
– Others can run the test tools to verify the claim
– Resolve conformance bugs through the usual update process

16 Leverage WS-I Usage Scenarios
 One-way messaging
– Fire and forget
– No SOAP response
 Synchronous message exchange
– Blocking Web services invocation
– SOAP request/response
 Basic callback
– Asynchronous call
– Pair of SOAP requests/responses
– Application-level message correlation

17 Web Services – a Simple View
Layered stack diagram, top to bottom:
 Business Processes: Business Process Execution Language for Web Services (BPEL4WS)
 Quality of Service: Security, Reliability, Management, Transactions
 Description: Web Services Description Language (WSDL)
 Messaging: Simple Object Access Protocol (SOAP)
 Extensible Markup Language (XML)
 Alongside the stack: Other Protocols, Other Services

18 Web Services and SOA Security
Layered stack diagram, top to bottom:
 Business Processes: Business Process Execution Language
 Description and Discovery: WSDL, UDDI, WS-Policy
 Quality of Service: WS-Security, WS-Reliable Messaging, WS-Coordination, WS-Transactions
 Messaging and Encoding: SOAP, SOAP Attachments; XML, XML Infoset
 Transport: Transports
 Alongside the stack: Other protocols, Other services
Security detail:
 OASIS WS-Security 1.0 (framework) with token profiles: X.509 profile, Kerberos profile, REL profile, Username profile, SAML profile, Mobile profile
 Built on WS-Security: WS-Security Policy, WS-Secure Conversation, WS-Trust (OASIS Secure eXchange TC)
 Related identity standards: SAML, Liberty

19 BSP Working Group
 Chartered in March 2003
 Three initial deliverables
– Basic Security Profile 1.0, Final Material March 30, 2007
– Basic Security Profile 1.1, Working Group Approval Draft February 2007
– Security Scenarios
 Based on Basic Profile 1.0 and the following technologies:
– HTTP over TLS
– SOAP with Attachments
– WS-Security with X.509, Username and Kerberos tokens
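Slides 11 and 19 both name the WS-Security Username token as one of the profiled countermeasures for peer authentication. The following is an added example, not code from the presentation or from WS-I or OASIS: it builds a UsernameToken in PasswordDigest form, where the WSS Username Token Profile defines PasswordDigest = Base64(SHA-1(nonce + created + password)) over the raw nonce bytes and the literal Created string, and it shows the verifier-side checks that make that token worth anything, namely a freshness window on wsu:Created and a nonce cache so the same token cannot be replayed. The user names, passwords, the fixed clock EXAMPLE_NOW and the five-minute window are constructed for the example; the wsse/wsu namespace URIs are the OASIS 2004 ones.

```python
"""
Added example: WS-Security UsernameToken (PasswordDigest) with replay and
freshness checks on the receiving side. Not WS-I/OASIS code; credentials,
clock and window are constructed for this example.
"""
import base64
import datetime as dt
import hashlib
import hmac
import os
from typing import Dict, Optional
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, whole seconds (assumption for this example)
EXAMPLE_NOW = dt.datetime(2008, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # constructed fixed clock


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the Username Token Profile."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def make_username_token(username: str, password: str,
                        now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """Client side: fresh random nonce, current UTC timestamp, digest of the password."""
    nonce = os.urandom(16)
    created = (now or dt.datetime.now(dt.timezone.utc)).strftime(CREATED_FMT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


def token_xml(tok: Dict[str, str]) -> str:
    """Serialise as the wsse:UsernameToken element carried in the wsse:Security header."""
    return ('<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">'
            '<wsse:Username>%s</wsse:Username>'
            '<wsse:Password Type="%s">%s</wsse:Password>'
            '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
            '<wsu:Created>%s</wsu:Created></wsse:UsernameToken>'
            % (WSSE, WSU, escape(tok["Username"]), DIGEST_TYPE, tok["PasswordDigest"],
               B64_ENC, tok["Nonce"], tok["Created"]))


class UsernameTokenVerifier:
    """Server side. The digest scheme forces the verifier to hold the cleartext
    password (a known limitation of PasswordDigest); the value it adds over
    PasswordText is that the password never crosses the wire, and replay is
    prevented only if the verifier remembers nonces for the freshness window."""

    def __init__(self, passwords: Dict[str, str], max_age_seconds: int = 300):
        self.passwords = passwords
        self.max_age = dt.timedelta(seconds=max_age_seconds)
        self.seen: Dict[str, dt.datetime] = {}  # nonce -> Created, bounded by the window

    def verify(self, tok: Dict[str, str], now: Optional[dt.datetime] = None) -> bool:
        now = now or dt.datetime.now(dt.timezone.utc)
        try:
            created = dt.datetime.strptime(tok["Created"], CREATED_FMT).replace(tzinfo=dt.timezone.utc)
            nonce = base64.b64decode(tok["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        # Freshness: reject tokens outside the window in either direction (clock skew allowance).
        if not (now - self.max_age <= created <= now + self.max_age):
            return False
        # Evict nonces that are now too old to be accepted anyway, then check for replay.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if tok["Nonce"] in self.seen:
            return False
        password = self.passwords.get(tok["Username"])
        if password is None:
            return False
        expected = password_digest(nonce, tok["Created"], password)
        if not hmac.compare_digest(expected, tok["PasswordDigest"]):
            return False
        self.seen[tok["Nonce"]] = created  # record only after a successful check
        return True


def demo() -> Dict[str, bool]:
    """Fixed-clock walk-through of accept/reject decisions (constructed credentials)."""
    verifier = UsernameTokenVerifier({"alice": "correct horse"})
    fresh = make_username_token("alice", "correct horse", now=EXAMPLE_NOW)
    stale = make_username_token("alice", "correct horse", now=EXAMPLE_NOW - dt.timedelta(hours=1))
    return {
        "fresh": verifier.verify(fresh, now=EXAMPLE_NOW),
        "replay": verifier.verify(fresh, now=EXAMPLE_NOW),   # same nonce presented again
        "stale": verifier.verify(stale, now=EXAMPLE_NOW),
        "wrong_password": verifier.verify(make_username_token("alice", "wrong", now=EXAMPLE_NOW), now=EXAMPLE_NOW),
        "unknown_user": verifier.verify(make_username_token("mallory", "x", now=EXAMPLE_NOW), now=EXAMPLE_NOW),
    }


if __name__ == "__main__":
    print(token_xml(make_username_token("alice", "correct horse", now=EXAMPLE_NOW)))
    print(demo())
```

The nonce cache is per verifier instance; behind a load balancer it has to be shared (or requests pinned), otherwise a captured token replays cleanly against a second node within the window. The profiled scenarios pair this token with HTTP over TLS, which is what keeps the Username element itself and the rest of the message confidential.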

