Service Component Architecture (SCA) Policy FrameWork V1.0 Ashok Malhotra – Oracle Anish Karmarkar – Oracle David Booz - IBM …

Slides:



Advertisements
Similar presentations
Observations on WS-Policy Ashok Malhotra Oracle Corporation.
Advertisements

Web Service Composition Prepared by Robert Ma February 5, 2007.
IONA Technologies Position Paper Constraints and Capabilities for Web Services
Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,
WS – Security Policy Prabath Siriwardena Director, Security Architecture.
OpenCSA Member Section – Service Component Architecture 1 1 SCA Overview Sanjay Patil – SAP Mike Edwards - IBM.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 3 The Basic (Flat) Relational Model.
Software Engineering and Middleware: a Roadmap by Wolfgang Emmerich Ebru Dincel Sahitya Gupta.
7M701 1 Class Diagram advanced concepts. 7M701 2 Characteristics of Object Oriented Design (OOD) objectData and operations (functions) are combined 
Copyright 2004 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Second Edition Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix.
Software Engineering Module 1 -Components Teaching unit 3 – Advanced development Ernesto Damiani Free University of Bozen - Bolzano Lesson 2 – Components.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Constraints and Capabilities Workshop Oracle Position Ashok Malhotra Greg Pavlik.
Web Service Standards, Security & Management Chris Peiris
Methodology and Tools for End-to-End SOA Configurations By: Fumiko satoh, Yuichi nakamura, Nirmal K. Mukhi, Michiaki Tatsubori, Kouichi ono.
INTRODUCING SCA Byungwook Cho Nov.2007.
Identity Management Report By Jean Carreon and Marlon Gonzales.
1 Advanced SCA Michael Rowley, Ph.D. Director, Technology Office of the CTO April 28, 2008 TS-3765.
95-843: Service Oriented Architecture 1 Master of Information System Management Service Oriented Architecture Lecture 10: Service Component Architecture.
Computer Science and Engineering 1 Service-Oriented Architecture Security 2.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
Copyright 2001 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix A Object-Oriented.
Copyright 2002 Prentice-Hall, Inc. Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich Chapter 20 Object-Oriented.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
SCA Assembly Model Anish Karmarkar – Oracle Michael Rowley – BEA.
SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.
Lab 04.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
XML Web Services Architecture Siddharth Ruchandani CS 6362 – SW Architecture & Design Summer /11/05.
Unified Modeling Language © 2002 by Dietrich and Urban1 ADVANCED DATABASE CONCEPTS Unified Modeling Language Susan D. Urban and Suzanne W. Dietrich Department.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
A Secure JBoss Platform Nicola Mezzetti Acknowledgments: F. Panzieri.
Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.
Relationships Relationships between objects and between classes.
Dynamic and Selective Combination of Extension in Component-based Applications Eddy Truyen, Bart Vanhaute, Wouter Joosen, Pierre Verbaeten, Bo N. Jørgensen.
1 Policy-Enabling the SCA-based SOA
CSE314 Database Systems Lecture 3 The Relational Data Model and Relational Database Constraints Doç. Dr. Mehmet Göktürk src: Elmasri & Navanthe 6E Pearson.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
® IBM Software Group © 2004 IBM Corporation Developing an SOA with RUP and UML 2.0 Giles Davies.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
1 Web Services Policy Management Greg Pavlik Web Services Architect Oracle Corporation May 11, 2005.
Dr. Rebhi S. Baraka Advanced Topics in Information Technology (SICT 4310) Department of Computer Science Faculty of Information Technology.
SCA Assembly Model Anish Karmarkar – Oracle Michael Rowley – BEA.
Service Component Architecture (SCA) Policy TC … Face to Face Agenda – Jan 24,
Web Services Security Patterns Alex Mackman CM Group Ltd
Service Component Architecture Policy TC Issue 33 Capabilities.
Slide 1 2/22/2016 Policy-Based Management With SNMP SNMPCONF Working Group - Interim Meeting May 2000 Jon Saperia.
Chapter 7 Classes and Methods III: Static Methods and Variables Lecture Slides to Accompany An Introduction to Computer Science Using Java (2nd Edition)
Emerging Standards for SOA Seminar Robert Marcus
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
 Copyright 2005 Digital Enterprise Research Institute. All rights reserved. SOA-RM Overview and relation with SEE Adrian Mocan
1 The Relational Data Model David J. Stucki. Relational Model Concepts 2 Fundamental concept: the relation  The Relational Model represents an entire.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
TAG Presentation 18th May 2004 Paul Butler
Access Policy - Federation March 23, 2016
Cryptography: an overview
Inline Vs. External Policy Attachment SCA Policy Framework
Chapter 2 Database System Concepts and Architecture
TAG Presentation 18th May 2004 Paul Butler
Software Connectors.
Distribution and components
Business Process Measures
Chapter 20 Object-Oriented Analysis and Design
Message Queuing.
Presentation transcript:

Service Component Architecture (SCA) Policy FrameWork V1.0 Ashok Malhotra – Oracle Anish Karmarkar – Oracle David Booz - IBM …

SCA Policy Framework SCA Version 1.00, March, 2007 Technical Contacts: Michael Beisiegel, IBM Dave Booz, IBM Ching-Yun Chao,IBM Mike Sabin Ielceanu, TIBCO Anish KarmarkarOracle Ashok Malhotra, Oracle Eric Newcomer, IONA Sanjay Patil, Michael Rowley, BEA Chris Sharp, IBM Ümit Yalçinalp, SAP

Why Policy is Important for SCA n Essentially, Policy provides flexibility – a component can be used in different configurations with different QoS requirements and with different bindings on its services and references. n Policy complexity can be mitigated by starting with simple, relatively abstract requirements which are bound to several concrete realizations.

Why Policy is Important for SCA – 2 Steps 1. Implementation of components which provide services and consume other services. 2. Assembly of components to build business applications through connecting services to references. n In the first step, abstract QoS requirements can be associated with components. n In the second step, these requirements are translated to policies associated with messages passed over service/reference pairs (interaction policies) or on components (implementation policies).

Lesson Plan n Intents – abstract QoS requirements n policySets – map intents to policies n Use of intents and policySets for interaction policies n Mapping intents to policies n Intents for security and reliable messaging n Use of intents and policySets for implementation policies

Intents n Intents are abstract specifications of requirements independent of implementation technology or binding. n The SCA developer uses intents to specify what he needs independent of deployment details which are added later in the process. n For example, he may specify ‘confidentiality’ or ‘reliability’ without specifying: l - How to achieve? l - Detailed characteristics?

Intents (continued) n In fact, he can say a little bit more --- n Intents can be qualified – so he can say, for example, ‘confidentiality.transport’ or ‘confidentiality.message’ n These are called qualified intents. <intent name="sca:confidentiality“ constrains="sca:binding" Protect messages from unauthorized reading.

Intents (continued) -- Profile Intents n A profile intent is a macro – a single name for a collection of intents n It is an intent name that can only be satisfied if all the underlying intents in list are satisfied. <intent name="sca:messageProtection" constrains="sca:binding" requires="sca:confidentiality sca:integrity"> Protect messages from unauthorized reading or modification.

Intents (continued) n The SCA Collaboration will define intents and qualified intents for security, reliability and transactionality as starting points. n SCA Implementations can define other intents for functionality that is important for them.

Policy Sets n At deployment time, intents are mapped to concrete WS-Policies and WS-Policy Attachments via Policy Sets n A Policy Set has the following structure: <policySet name="xs:QName" provides="list of xs:QNames" appliesTo="XPath expression"> *

Intent Maps n intentMaps map qualified intents to concrete policies n Each element associates a qualified intent name with one or more policy assertions (could be wsp:PolicyAttachment) l Each PolicyAttachment element contains a policy expression and a policy subject (what the policy applies to) n All policies in an intentMap are from a single policy domain n policySets aggregate intentMaps to create intent-to-policy mappings for multiple domains

Intent Maps n intentMaps associate intent names with PolicyAttachments: WS-Policy expression plus policy subject <!-- policy expression and policy subject for "transport" alternative --> …... <!-- policy expression and policy subject for "message" alternative” -->...

Policy Sets n Policy Sets can also contain Policies or References to Policies directly, without intent maps. <policySet name="sca:userNameTokenHashPassword" provides="sca:authentication" appliesTo="sca:binding.ws">

Associating Policies with SCA Components n Intents and/or policySets can be associated with any SCA component. n At deployment time intents are mapped into Policies contained in policySets n For example, attaching intents to a service definition or … <binding.binding-type requires="sca:confidentiality" … or

Associating Policy Sets with Bindings n Use binding with an explicitly specified PolicySet n Default alternatives can be overridden or … <sca:binding.binding-type policySets="sns:enterprisePolicy" … or <sca:binding.WS policySet="sns:BasicSecurity" requires="sca:authentication.certificateAuthentication sns:messageProtection.protectBodyAndHeader"/>  Overriding default intent alternatives in the PolicySet

Intents Provided by Bindings n Some binding types may satisfy intents by virtue of their implementation technology. For example, an SSL binding would natively support confidentiality. n Binding instances which are created by configuring a bindingType may be able to provide some intents by virtue of its configuration. n When a binding type is defined in SCA, these properties are declared as values of attributes. n Proprietary implementations on binding types may support different intents. <bindingType type="xs:QName" alwaysProvides="list of intent QNames"? mayProvide = "list of intent QNames"?/>

Recursive Composition <reference name="bar" requires="confidentiality.message"/> n Intents CANNOT be overriden higher up in recursive composition l Intents can be further qualified (i.e. constrained) n Intent set for SCDL element derived from the element and its ancestor elements l See example, both qualified intents MUST be satisfied by the binding/policySets attached to reference “bar” n PolicySets can be overridden

Mapping Intents to Policy Sets n We start with a component with abstract QoS requirements n We want to deploy this with other components in a composite n So, we must find bindings and/or policySets that satisfy the required intents. This is as follows: l Expand out all profile intents l Calculate the required intents set l Remove intents directly satisfied by the binding or implementation l Calculate the explicitly specified policySets l Remove intents satisfied by these policySets l Find the smallest collection of available policySets that satisfy remaining intents

SCA Intents for Reliable Messaging n atLeastOnce: message sent by a client is always delivered. n atMostOnce: message sent by a client is delivered at most once. n exactlyOnce: message sent by client is delivered exactly once. Combination of atLeastOnce and atMostOnce n ordered: messages are delivered in the order they were sent by the client.

SCA Intents for Security n authentication: requirement that the client must authenticate itself in order to use an SCA service. Typically, the client security infrastructure is responsible for the server authentication in order to guard against a "man in the middle" attack. n confidentiality: requirement that the contents of a message are accessible only to those authorized to have access (typically the service client and the service provider). A common approach is to encrypt the message; other methods are possible. n integrity: requirement that the contents of a message have not been tampered with and altered between sender and receiver. A common approach is to digitally sign the message; other methods are possible.

SCA Intents for Security - qualifiers Each of the three basic security intents can be qualified by either “message”, or transport. message: indicates that the facility is provided at the message level transport: indicates that the facility provided by the transport, say, SSL For example: confidentiality.message conveys a requirement that confidentiality be provided at the message level.

Implementation Policies n Intents and PolicySets can be associated with implementations <sca:implementation.* policySets="list of policySet xs:QNames" requires="list of intent xs:QNames"> … <sca:operation name="xs:string" service="xs:string"? policySets="list of policySet xs:QNames"? requires = "list of intent xs:QNames"?/>* … … <policySet provides="sns:logging.trace" appliesTo="sca:implementation.bpel"> Example of non WS-Policy policySet

Security Implementation Policies: Policy Assertions n Authorization controls who can access the protected SCA resources. A security role is an abstract concept that represents a set of access control constraints on SCA resources. This is defined as: Security Identity declares the security identity under which an operation will be executed. This is defined as:

Demo

Thank you! Questions?