Saturday, November 8, 2008

Web Services Tutorial from SUN

http://java.sun.com/webservices/docs/2.0/tutorial/doc/

The Java Web Services Tutorial addresses the following technology areas:

  • The Java Architecture for XML Web Services (JAX-WS)
  • The Java Architecture for XML Binding (JAXB)
  • The StAX APIs and the Sun Java Streaming XML Parser implementation
  • SOAP with Attachments API for Java (SAAJ)
  • The Java Architecture for XML Registries
  • XML Digital Signature
  • Security in the Web Tier

Sunday, November 2, 2008

WS Security Configuration


  • Security Mechanism. Specifies the approach used for securing the web service. Here, Username Authentication with Symmetric Keys is selected. The Username Authentication with Symmetric Keys mechanism protects your application for integrity and confidentiality. Symmetric key cryptography relies on a single, shared secret key that is used to both sign and encrypt a message. Symmetric keys are usually faster than public key cryptography.

    For this mechanism, the client does not possess any certificate/key of his own, but instead sends its username/password for authentication. The client shares a secret key with the server. The shared, symmetric key is generated at runtime and encrypted using the service's certificate. The client must specify the alias in the truststore by identifying the server's certificate alias. The other security mechanisms are explained later in this tutorial.


    • Mutual Certificates Security. The Mutual Certificates Security mechanism adds security via authentication and message protection that ensures integrity and confidentiality. When using mutual certificates, a keystore and truststore file must be configured for both the client and server sides of the application.
    • Transport Security (SSL). The Transport Security mechanism protects your application during transport using SSL for authentication and confidentiality. Transport-layer security is provided by the transport mechanisms used to transmit information over the wire between clients and providers, thus transport-layer security relies on secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a point-to-point security mechanism that can be used for authentication, message integrity, and confidentiality. When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. Security is "live" from the time it leaves the consumer until it arrives at the provider, or vice versa. The problem is that it is not protected once it gets to its destination. For protection of data after it reaches its destination, use one of the security mechanisms that uses SSL and also secures data at the message level.

      Digital certificates are necessary when running secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for GlassFish, and the default certificates are sufficient for running this mechanism, and are required when using Atomic Transactions. However, the message security mechanisms require a newer version of certificates than is available with GlassFish. You can download valid keystore and truststore files for the client and server as described in Updating GlassFish Certificates.

    • Message Authentication over SSL. The Message Authentication over SSL mechanism attaches a cryptographically secured identity or authentication token with the message and use SSL for confidentiality protection.
    • SAML Authorization over SSL. The SAML Authorization over SSL mechanism attaches an authorization token with the message and uses SSL for confidentiality protection. In this mechanism, the SAML token is expected to carry some authorization information about an end user. The sender of the token is actually vouching for the credentials in the SAML token.
    • Endorsing Certificate. This mechanism uses secure messages using symmetric key for integrity and confidentiality protection, and uses an endorsing client certificate to augment the claims provided by the token associated with the message signature. For this mechanism, the client knows the service's certificate, and requests need to be endorsed/authorized by a special identity. For example, all requests to a vendor must be endorsed by a purchase manager, so the certificate of the purchase manager should be used to endorse (or counter sign) the original request.
    • SAML Sender Vouches with Certificates. This mechanism protects messages with mutual certificates for integrity and confidentiality and with a Sender Vouches SAML token for authorization. The Sender Vouches method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity provides the confirmation evidence that will be used to establish the correspondence between the subject of the SAML subject statements (in SAML assertions) and SOAP message content. The attesting entity, presumed to be different from the subject, vouches for the verification of the subject. The receiver has an existing trust relationship with the attesting entity. The attesting entity protects the assertions (containing the subject statements) in combination with the message content against modification by another party.

      For this mechanism, the SAML token is included as part of the message signature as an authorization token and is sent only to the recipient. The message payload needs to be signed and encrypted. The requestor is vouching for the credentials (present in the SAML assertion) of the entity on behalf of which the requestor is acting.

      The initiator token, which is an X.509 token, is used for signature. The recipient token, which is also an X.509 token, is used for encryption. For the server, this is reversed, the recipient token is the signature token and the initiator token is the encryption token. A SAML token is used for authorization.

    • SAML Holder of Key. This mechanism protects messages with a signed SAML assertion (issued by a trusted authority) carrying client public key and authorization information with integrity and confidentiality protection using mutual certificates. The Holder-of-Key (HOK) method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity includes a signature that can be verified with the key information in the confirmation method of the subject statements of the SAML assertion referenced for key info for the signature.

      Under this scenario, the service does not trust the client directly, but requires the client to send a SAML assertion issued by a particular SAML authority. The client knows the recipient's public key, but does not share a direct trust relationship with the recipient. The recipient has a trust relationship with the authority that issues the SAML token. The request is signed with the client's private key and encrypted with the server certificate. The response is signed using the server's private key and encrypted using the key provided within the HOK SAML assertion.

  • Use Development Defaults. Select this option to import certificates into the GlassFish keystore and truststore, so that they can be used immediately for development. Because the default certificates are not in an appropriate format to be used in this context, this import is done for you, so that you do not need to do this manually yourself. In addition to importing certificats, a default user is created in the "file" realm, with username "wsitUser". In a production environment, you will probably want to provide your own certificates and user settings, however, in a development environment you may find these defaults useful.


Thursday, October 30, 2008

Definition of Terms

  1. DOM - Document Object Model.
  2. EJB - Enterprise JavaBean
  3. JAX-WS - Java API for XML Web Services
  4. JAXB - Java Architecture for XML Binding
  5. JAXP - Java API for XML Processing
  6. JAXR - Java API for XML Registries
  7. JMS - Java Message Service
  8. JSON - JavaScript Object Notation
  9. REST - Representational State Transfer
  10. SAAJ - SOAP with Attachments API for Java
  11. SAML - Security Assertion Markup Language
  12. SAX - Simple API for XML
  13. SOAP - Simple Object Access Protocol
  14. StAX - Streaming API for XML
  15. UDDI - Universal Description Discovery and Integration. UDDI is a directory service where businesses can register and search for Web services. It is a platform-independent framework for describing services, discovering businesses, and integrating business services by using the Internet.
  16. WCF - Windows Communication Foundation
  17. WS-I - Web Services Interoperability
  18. WSDL - Web Services Description Language. WSDL is an XML-based language for describing Web services and how to access them.
  19. WSIT- Web Services Interoperability Technology
  20. XACML - eXtensible Access Control Markup Language
  21. XKMS - XML Key Management Specification
  22. XML - Extensible Markup Language
  23. XSLT - Extensible Stylesheet Language Transformations

Section 12: Endpoint Design and Architecture

12.1 Given a scenario, design Web Service applications using information models that are either procedure-style or document-style.

12.2 Describe the function of the service interaction and processing layers in a Web service.

12.3 Design a Web service for an asynchronous, document-style process and describe how to refactor a Web Service from a synchronous to an asynchronous model.

12.4 Describe how the characteristics, such as resource utilization, conversational capabilities, and operational modes, of the various types of Web service clients impact the design of a Web service or determine the type of client that might interact with a particular service.

Section 11: General Design and Architecture

11.1 Describe the characteristics of a Service Oriented Architecture (SOA) and how Web services fit to this model.

11.2 Given a scenario, design a Java EE web service using Web Services Design Patterns (Asynchronous Interaction, JMS Bridge, Web Service Cache, Web Service Broker), and Best Practices.

11.3 Describe how to handle the various types of return values, faults, errors, and exceptions that can occur during a Web service interaction.

11.4 Describe the role that Web services play when integrating data, application functions, or business processes in a Java EE application.

Section 10: Web Services Interoperability Technologies

10.1 Describe WSIT, the features of each WSIT technology and the standards that WSIT Implements for each technology and how it works.

10.2. Describe how to create a WSIT client from a Web Service Description Language (WSDL) file.

10.3 Describe how to configure web service providers and clients to use message optimization.

10.4 Create a Microsoft Windows Communication Foundation (WCF) client that accesses a Java web service.

10.5 Describes the best practices for production and consumption of data interoperability between WCF web services and Java web service clients or between Java web services and WCF web service clients.

Section 9: Developing Web Services

9.1 Describe the steps required to configure, package, and deploy Java EE Web services and service clients, including a description of the packaging formats, such as .ear, .war, .jar, annotations and deployment descriptor settings.

9.2 Given a set of requirements, develop code to process XML files using the SAX, StAX, DOM, XSLT, and JAXB APIs.

9.3 Given an XML schema for a document style Web service create a WSDL file that describes the service and generate a service implementation.

9.4 Given a set of requirements, create code to create an XML-based, document style, Web service using the JAX-WS APIs.

9.5 Implement a SOAP logging mechanism for testing and debugging a Web service application using Java EE Web Service APIs.

9.6 Given a set of requirements, create code to handle system and service exceptions and faults received by a Web services client.

Section 8: Security

8.1 Explain basic security mechanisms including: transport level security, such as basic and mutual authentication and SSL, message level security, XML encryption, XML Digital Signature, and federated identity and trust.

8.2 Identify the purpose and benefits of Web services security oriented initiatives and standards such as Username Token Profile, SAML, XACML, XKMS, WS-Security, and the Liberty Project.

8.3 Given a scenario, implement Java EE based web service web-tier and/or EJB-tier basic security mechanisms, such as mutual authentication, SSL, and access control.

8.4 Describe factors that impact the security requirements of a Web service, such as the relationship between the client and service provider, the type of data being exchanged, the message format, and the transport mechanism.

8.5 Describe WS-Policy that defines a base set of constructs that can be used and extended by other Web specifications to describe a broad range of service requirements and capabilities.

Tutorial:

Section 7: Java EE Web Services

7.1 Identify the characteristics of and the services and APIs included in the Java EE platform.

7.2 Explain the benefits of using the Java EE platform for creating and deploying Web service applications.

7.3 Describe the functions and capabilities of the JAXP, DOM, SAX, StAX, JAXR, JAXB, JAX-WS and SAAJ in the Java EE platform.

7.4 Describe the role of the WS-I Basic Profile when designing Java EE Web services.

Section 6: JAXR

6.1 Describe the function of JAXR in Web service architectural model, the two basic levels of business registry functionality supported by JAXR, and the function of the basic JAXR business objects and how they map to the UDDI data structures.

6.2 Create JAXR client to connect to a UDDI business registry, execute queries to locate services that meet specific requirements, and publish or update information about a business service.

Section 5: REST, JSON, SOAP and XML Processing APIs (JAXP, JAXB and SAAJ)

5.1 Describe the characteristics of REST Web Services.
Tutorial:

5.2 Describe the characteristics of JSON Web Services.

5.3 Compare SAOP web services to REST Web Services.

5.4 Compare SAOP web services to JSON Web Services.

5.5 Describe the functions and capabilities of the APIs included within JAXP.

5.6 Describe the functions and capabilities of JAXB, including the JAXB process flow, such as XML-to-Java and Java-to-XML, and the binding and validation mechanisms provided by JAXB.

5.7 Create and use a SOAP message with attachments using the SAAJ APIs.

Section 4: JAX-WS

4.1 Explain JAX-WS technology for building web services and client that communicate using XML

4.2 Given a set of requirements for a Web service, such as transactional needs, and security requirements, design and develop Web service applications that use JAX-WS technology

4.3 Describe the Integrated Stack (I-Stack) which consists of JAX-WS, JAXB, StAX, SAAJ

4.4 Describe and compare JAX-WS development approaches.

4.5 Describe the features of JAX-WS including the usage of Java Annotations.

4.6 Describe the architecture of JAX_WS including the Tools SPI that define the contract between JAX-WS tools and Java EE.

4.7 Describe creating a Web Service using JAX-WS.

4.8 Describe JAX-WS Client Communications Models.

4.9 Given an set of requirements, design and develop a Web service client, such as a Java EE client and a stand-alone client, using JAX-WS.

4.10 Given a set of requirements, create and configure a Web service client that accesses a stateful Web service.
Tutorials:

Section 3: Describing and Publishing (WSDL and UDDI)

3.1 Explain the use of WSDL in Web services, including a description of WSDL's basic elements, binding mechanisms and the basic WSDL operation types as limited by the WS-I Basic Profile 1.1.

3.2 Describe how WSDL enables one to separate the description of the abstract functionality offered by a service from concrete details of a service description such as "how" and "where" that functionality is offered.

3.3 Describe the Component Model of WSDL including Descriptions, Interfaces, Bindings, Services and Endpoints.

3.4 Describe the basic functions provided by the UDDI Publish and Inquiry APIs to interact with a UDDI business registry.
References:

Section 2: SOAP 1.2 Web Service Standards

2.1 List and describe the encoding types used in a SOAP message.

2.2 Describe the SOAP Processing and Extensibility Model.

2.3 Describe SOAP Message Construct and create a SOAP message that contains an attachment.
References:

Tutorials:

Section 1: XML Web Service Standards

1.1 Given XML documents, schemas, and fragments determine whether their syntax and form are correct (according to W3C schema) and whether they conform to the WS-I Basic Profile 1.1.

1.2 Describe the use of XML schema in Java EE Web services
References: