This concludes our discussion of the building blocks of ASP.NET Web Services secu- rity. We hope you now have a fairly good idea of what you can do and how you can use various means to protect your Web Services. We deliberately avoided prescribing any specific approach because you have choices for every type of security functionality— authentication, data protection, access control, and auditing—and the way you com- bine the choices depends largely on the specific risks in your application domain and on your business requirements. To give an example, we show in the next section how these choices were made for our sample application, eBusiness/ePortal. This is also an example of putting everything together and implementing protection for a concrete system based on ASP.NET and other Microsoft technologies. Securing Access to eBusiness Since StoreFrontService acts as a SOAP gateway to the actual business logic and data access layer implemented as a COM+ server, StoreFrontMiddleTier, the middle tier, enforces access control policies. The Web Service only authenticates the incoming SOAP requests, as shown in Figure 8.19. If a user of ePortal wants to see the prices of the items and potentially purchase them, the user has to log in by providing a username and password. The presentation tier at ePortal does not authenticate the user. Instead, it uses the authentication data to perform HTTP basic authentication when making SOAP/HTTP invocations to the eBusiness Web Service hosted by the IIS. Impersonation in this case comes in very handy, for it enables the Web Service to use the client’s identity when calling the COM+ server and accessing other resources. The main drawback of this schema is the neces- sity of mapping ePortal customers and members into OS accounts at the machines run- ning the Web Service and COM+ server at eBusiness. Moreover, both these machines have to share the account database by, for example, being in the same Windows domain. We did not show in this example how to use Microsoft technologies to per- form document-oriented authentication using HTTP modules architecture, since this is far from trivial. SSL is used for protecting data in transit between ePortal and eBusiness, whereas all invocations between the Web Service and COM+ server are protected by DCOM wire protocol cryptographic protection. Given the business scenario for the example, there was no need for message-oriented protection of data. We did not define any comprehensive audit service. Implementing SOAP-specific auditing at the Web Service and at ePortal would require a significant amount of work. Therefore, we just enabled IIS-based logging of requests accessing corresponding URLs. Service continuity has been increased by configuring corresponding IIS and COM+ applications in ePortal and eBusiness to run in individual processes. This allowed us to isolate faults and make sure that, for example, IIS would not crash even if the Web server process failed. 256 Chapter 8 Figure 8.19 eBusiness enforcement of authentication and access control. Summary The purpose of this chapter was to give an example of concrete mechanisms available in the Windows world that realize various security functions for protecting Web Ser- vices. We described four ways of creating Web Services using Microsoft technologies. You can make COM+v1.5 components available to SOAP clients, wrap COM DLLs with configurable bridges provided in the SOAP toolkit, use .NET remoting, or take advantage of ASP.NET. After illustrating the use of ASP.NET for building Web Services on a sample ePortal/eBusiness application, we described the options you have for securing such services. The options match the building blocks of ASP.NET Web Ser- vices: Windows OS, IIS, .NET, and ASP.NET. Once more, we illustrated these concepts by describing the protection of our sample system. Overall, Microsoft products provide a convenient family of technologies to support the security of modest-sized applications with little effort. As soon as your require- ments for authentication, access control, accountability, and availability grow to the enterprise scale, you will need either significant amounts of in-house development or IIS ASP.NET ePortal.aspx eBusiness.comePortal.com SOAP server HTTP Basic Authentication IIS ASP.NET MiddleTier Server Accounts COM+ Web browser Portal.com/ Internet customer HTTP POST DCOM Authentication Username: Password: Login Logout ********* bcustomer1 Impersonates authenticated user Securing .NET Web Services 257 additional third-party products and services to fill the gap. Fortunately, .NET in gen- eral and ASP.NET in particular have a good architecture capable of accommodating various security extensions quite well. If you want to find out more about the security of ASP.NET in general and the security of its Web Services in particular, the online book from Microsoft (2002b) is a good collection of relevant information. In the next chapter, we will describe how to secure Java-based Web Services. As you will see, the style of security solutions for those environments is significantly different than it is for .NET Web Services. 258 Chapter 8 259 In this chapter we will describe how Java platforms may be used to secure Web Ser- vices. One of the promises of Web Services is the ability to make your existing server applications available to your employees, customers, and partners whether they are local or remote, establish a casual connection, or have a long-term relationship with your company. It would seem that Java 2 Platform, Enterprise Edition (J2EE), includ- ing Enterprise Java Beans (EJB), would fit well within this new distributed paradigm. This chapter will show you how the Java community is working to define security to bring the Web Services vision to a reality. While the principles in this chapter apply to a variety of Java implementations, we will often use application servers since they are typical services platforms in Java Web Services scenarios. In the larger context, EJB, defined originally by Sun Microsystems, has gained wide acceptance as the open standard for server component architectures. Products based on the EJB specification have compelling advantages: They shield application devel- opers from many of the low-level object service details (such as transactions and secu- rity), they enable enterprise beans to be moved to another environment with minimal effort, and they are interoperable with other EJB products. All of these capabilities are desirable in a Web Services environment. The software system that supplies the EJB-related services to the application devel- oper is the application server. Application servers, which provide a convenient environ- ment for building distributed business applications, are widely available from a number of vendors, including IBM, BEA, Oracle, Sun, and Iona. Most of these vendors have upgraded their application servers to be Web Services aware. Because application Securing Java Web Services CHAPTER 9 servers are targeted at enterprise deployment, it’s no surprise that security is generally addressed in these architectures. Without a good security solution protecting the cor- porate data on an application server, most businesses would not be willing to make their data accessible to Internet Web clients. This chapter assumes that you have worked with Java applications and EJB, have written programs for some application server, and are familiar with the existing Java security mechanisms as described in Chapter 7, “Security of Infrastructures for Web Services.” We are going to look at how security can be handled in a Java-enabled Web Services environment. Although EJB is, for the most part, a server-side architecture, an enterprise bean can act as a client and call upon other beans, thus fully participating in a Web Services scenario. This chapter will examine how Java applications, as well as EJB servers, can be used in conjunction with Web Services. We will also use the ePortal-eBusiness example that we have been developing in previous chapters to give concrete examples of using Java with Web Services. We will limit detailed examination of our example to the path from the ePortal Web server to a Java server supplying prices for products at eBusiness. The previous chapter used our example to describe how to secure a Web Services system based on Microsoft’s technologies. In this chapter we will replace the COM+ portion of the example with a Java platform. We will also use a Web server other than the Microsoft IIS Web server, and we’ll replace the .ASP layer with the J2EE equivalent. You will notice that the discussion of Web Services security for Java is substantially different from our previous chapter on .NET. The chapters differ because the two tech- nologies approach Web Services in very different ways. .NET provides a specific con- crete Web Services solution that is defined and implemented by a single vendor: Microsoft. On the other hand, Java Web Services represent a whole family of different solutions from a variety of vendors. To ensure that this chapter is relevant across dif- ferent products, we focus on the Java standards that define common system features as well as the security mechanisms of a typical Java application server. Although this chapter spends less time than the previous one on specific Web Services security prod- uct solutions, we do describe the approaches of a few different representative vendors: Sun and IBM as examples of Web Services-enabled Java vendors, and Systinet as a Web Services development platform vendor for non-Web Services applications. Using Java with Web Services Even though Java is a platform-neutral system, it has a few areas that do not yet fully address Web Services requirements. For example, until recently there was no specifica- tion on how to handle SOAP messages, which is one of the basic message protocols of Web Services as they are commonly defined. Ongoing work by the Java Community Process (JCP) is defining a number of these missing pieces. These extensions to Java take the form of Java Specification Requests (JSRs). Some JSRs that are pertinent to Web Services are: ■■ JSR 31 defines a facility for compiling XML schema into Java Classes that parse, generate, and validate documents. ■■ JSR 67 defines APIs to transport Web Service messages. ■■ JSR 101 defines APIs that support XML-based RPC. 260 Chapter 9 ■■ JSR 110 defines APIs to handle WSDL. ■■ JSR 155 defines APIs to exchange SAML assertions. ■■ JSR 183 defines facilities for enabling Java applications to handle secure SOAP messages. As you can see from this sampling of JSRs, Java is being positioned for smooth inte- gration with the Web Services paradigm. The Java model fits well in most cases when it is used as a Web Service. One of the new issues for Java-based Web Services concern the nature of access to a Java container, e.g. a servlet, or an EJB container. Traditionally, a request to a Java container used the HTTP protocol with the request in the HTTP header, cookie, and/or the HTTP POST message. In the Web Services case, the message format is SOAP. The Java container must be prepared to handle SOAP security. However, be aware that traditional Java servers cannot even handle plain SOAP messages, let alone SOAP security, without some upgrading. For example, EJB containers based solely on EJB 2.0 are not able to handle SOAP and SOAP security and thus are not able to participate as a secure Web Service without external help. However, Java containers that have imple- mented the above JSRs are able to handle SOAP security. If you are going to use an EJB application server for deploying a Web Service, be sure that you check whether the ver- sion that you will use has been upgraded to be compliant with the pertinent JSRs. If your container has not been upgraded, which will be the common case for some time, don’t lose hope. A number of products on the market will bridge between a Web Ser- vice request and a traditional EJB application server. We will describe such an approach in our example in a later part of this chapter. Compared to .NET, Java is a mature technology that has been in use for several years. On the other hand, Java has not been used in Web Services until recently. In addition, as you can see from the new JSRs that we just discussed, more work is neces- sary to allow Java to become a full-fledged member of the Web Services world. The transition of the Java security model to Web Services is evolutionary, and builds on existing security mechanisms. The evolutionary approach holds not only for the Java model but also for .NET. Both Java and .NET have concentrated first on perimeter security, as supported by Web servers such as IIS in the case of .NET, and Apache Tom- cat in the case of Java. We will describe the more complete Web Services security model for both Java and .NET in Chapter 10, “Interoperability of Web Services Technologies,” where we address interoperability based on SAML and WS-Security. Let’s now look at a few of the traditional EJB security features and see where they differ when the EJB container is accessed as a Web Service. By “traditional features,” we mean those security features that were defined in the EJB 2.0 Specification. Traditional Java Security Contrasted with Web Services Security The traditional security model for J2EE, as described in Chapter 7, contains a simple and elegant access control policy. EJB security emphasizes a declarative authorization security model called method permissions. Method permissions are specified in the J2EE deployment descriptor. Securing Java Web Services 261 When the client program invokes a method on a target object, the identity of the user (that is, the principal) associated with the calling client is transmitted to the object’s container. The container checks to see whether the caller’s role is in the access control entry associated with the server’s method, as described in the deployment descriptor. If the caller’s role is in the access control entry, the container permits the invocation on the method. Authentication in J2EE is less specified. The specification says that the credentials of an authenticated client may be passed in from a client in the client security context, or authentication may be supplied by a third-party security service. It’s up to the vendor of the J2EE platform to define how to handle authenticated credentials. In the following sections we will discuss how Java-based security relates to Web Ser- vices security requirements for authentication, data protection, and access control. Authenticating Clients in Java Before you check whether an entity is allowed access to a resource, you must deter- mine whether that entity is who it says it is—that is, authenticate the requesting entity, the client. Therefore, we need to obtain the client’s identity and authenticate it. The security mechanism used between the client and server determines how the user’s identity is passed from client to server. For example, if Secure Sockets Layer (SSL) is used for client authentication, SSL passes the client’s identity in the form of a public key certificate, if requested by the server. In the Web Services’ case, the user’s identity is passed as part of SOAP security within the message. We described the various security concepts related to SOAP mes- sages in Chapter 6, “Principles of Securing Web Services.” As you remember, one aspect of SOAP security addresses the security information related to the accessing client, that is, its authentication information and security attributes. The authentication information may be passed as the authentication evidence itself (for example, a pass- word) or as some evidence that the authentication has taken place (for example, a SAML assertion, as described in Chapter 5, “Security Assertion Markup Language”). If you are the requesting party, passing the authentication evidence itself is usually not good security practice, but it is frequently used because it is the easiest method. If this method is used, be sure to guard against the possibility of the evidence being stolen or compromised. Remember, you are handing the security evidence to the Web Service, which may send your security evidence through many intermediates before it reaches its intended target. Therefore, this method should be weighed against the value of the items or information requested and your desire for privacy. Passing a SAML assertion is a more secure method than passing a password, but you still have to guard against stolen or compromised assertions. Therefore, the asser- tion should be signed by the issuer and tied to the SOAP message body by means of a digital signature, allowing a more secure check on the validity of the assertion. Data Protection Another aspect of SOAP security, also described in Chapter 6, is the security of the message itself. All or parts of the message may be signed and/or encrypted. Message confidentiality (encryption) and message integrity (digital signature) are not explicitly 262 Chapter 9 provided by the Java security model, and are assumed to be provided by the underly- ing security mechanism. Controlling Access Once we have authenticated the caller from the incoming SOAP message and pro- tected the data in transit, we may then rely on the Java infrastructure to handle autho- rization in its normal manner. For instance, one of the capabilities of a traditional EJB server is the ability of the container to provide the caller’s identity as part of the request’s context. If an enter- prise bean instance needs to determine the caller identity (say, to perform additional checking), the bean can call getCallerPrincipal and isCallerInRole on the javax.ejb.EJB- Context interface. The process for defining which callers are in which roles is not spec- ified by the EJB security model, and is left up to each container implementation. However, EJB does specify that the container provider supply a tool that the deployer can use to map the roles to specific users. In the EJB security model, the enterprise bean provider sets up the security policy for the bean as part of the deployment descriptor in an EJB jar file. When the bean is deployed, container tools read and interpret the security policy in the deployment descriptor to enable the container to enforce the specified security policy for all bean instances. The container may allow the deployer and system administrator to modify the bean security policy so that it may be customized beyond what was originally set up by the bean provider. More and more container providers, for example, furnish an EJB deployment wizard that includes the security policy setup for the deployment descrip- tor. The EJB deployment wizard may be used later to modify the security policy. Access control entries are an aspect of security policy defined in the bean’s deploy- ment descriptor. The deployment descriptor may include a method permission for each individual bean method. The descriptor may also include a method permission for the entire bean that applies to all methods. A method permission associates a bean’s method with a list of logical privileges or roles. The identities of the requestor are mapped to the roles that are allowed to invoke the method. Credentials, which contain system-certified user information such as identities and roles, are not explicitly represented in EJB, but are supported by the underlying secu- rity mechanism (for example, SSL or Kerberos) that provides the secure authentication between client and server. Because EJB access policy is normally defined in terms of roles derived from the user identity, the credentials usually contain only that identity. However, this is not mandated by EJB. In a Web Services case where SAML is used, both the user’s identity and attributes (such as roles) may be passed in a SAML attribute assertion. How SAML Is Used with Java As you remember from Chapter 5, SAML is XML-based and is a natural mechanism to be used as a security extension for Web Services. But, what about its compatibility with Java? The JCP has released JSR 155, which deals specifically with the use of SAML in Java, in addition to other JSRs that deal with the other Java / Web Services interactions. Securing Java Web Services 263 JSR 155 defines an API for manipulating each of the SAML assertions. In addition, this JSR uses the work of other JSRs to complete the Java use of SAML. For example, JSR 155 uses JSR 105 which, in turn, defines APIs to carry out XML signatures as refer- enced in the SAML specification. XML signatures are ultimately defined in the digital signature specification that has been released by the World Wide Web Consortium (W3C). JSRs that are used by JSR 155: ■■ JSR 109 implements Web Services. ■■ JSR 105 defines APIs for XML signature. ■■ JSR 106 defines APIs for XML encryption. ■■ JSR 104 defines the XML trust services. ■■ JAXRPC defines APIs to use XML-based RPC mechanisms in the Java paradigm. ■■ JAXM defines APIs for XML messaging. ■■ JSR 110 defines the APIs for the WSDL. There is a lot of reuse of the work of other standards organizations as well as the var- ious JSR technical committees that are working on Web Services and XML security. These JSRs, taken together, comprise a complete set of APIs for Java programmers building secure systems for use in the Web Services world. We will not go any deeper into the various JSRs since we are interested in using the Java infrastructure that is built by the providers, not in building the Java systems themselves. The important point is that the Java system you purchase or plan to purchase should follow or plan to follow the specifications previously listed, so that your Java system can have secure interop- erability with other Web-Service-enabled processes that are in your enterprise and with clients that wish to use your services. While your particular Java provider may not have the full range of specifications implemented, they should have a well-defined road map as to when these JSRs will be implemented in their product, if you intend to use that particular brand of Java appli- cation as a foundation for your Web Services. Even if your Java provider does have the ability to handle SOAP messages, this does not mean that it can seamlessly handle secure SOAP messages. You should investigate two areas: 1. How does it accept the user identity? Does it accept a standardized format for the user identity—for example, defined by the WS-Security specification—or does it have some proprietary way of getting the user identity? 2. How does it handle user attributes? Can it accept user roles sent in the request, or does it rely on the pre-Web Services method of requiring you to associate users with roles? Even though your Java provider may advertise itself as Web Services enabled, it may not be Web Services security enabled, or it may require that you bridge different methods of authentication and authorization. Most of these potential problems arise because the client and service are disjoined from each other. They may be in different companies or in different divisions of the same company that do not use the same Web 264 Chapter 9 Services security protocol as your application, if it is not fully compliant with the per- tinent protocols. We will delve into the interoperability problem in the next chapter. In addition to receiving and interpreting SAML assertions, a Java application may have a need to make requests for authentication, attribute, and authorization asser- tions from SAML authorities. SAML defines binding protocols for handling these requests and responses, which we discussed in Chapter 5. At present, the SAML bind- ings only support SOAP and HTTP Post as a means for contacting the services. While these methods could be used, they are not standard messaging protocols for Java. For example, the EJB specification dictates the use of CSI v2 for secure container-to-con- tainer transport. Thus, if the SAML authority is an EJB application server, the binding between the source container and the authority container is caught between two dif- fering specifications. We recommend that you discuss this area with your Java platform provider to deter- mine their solution to this problem. Most application servers do not address this prob- lem. Therefore, you will need to use some third-party product or build an in-house system for accessing the SAML authorities. The most common authority that an appli- cation server will want to use is an authorization service. Thus, you will want to con- struct a SAML authorization query and pass that query to the authorization service. Both of these steps will probably entail some work on your part. Does your application server have the capability to construct an authorization query? If it does, what proto- col does it support to interact with the authorization authority? Does this protocol match the expected protocol of the authorization authority that you intend to use? Next, we will enumerate a few of the steps you should take to determine how diffi- cult or easy it would be to use a particular application server for Web Services. Assessing an Application Server for Web Service Compatibility If your Java platform does not support the JSRs outlined in the previous section, then you will have to create a bridge between the incoming Web Service message and your application. There are some products, such as Systinet WASP, that help you do this. The example that we give later in this chapter uses just such a product. We believe that the example will help you to find a way to bridge between the new world of Web Ser- vices and the “old” world of traditional Java applications. In this section, we will look at how to assess application servers that claim to support Web Service security and what that might mean when you attempt to use them. We recommend a three-step approach to assessing the security capability of the applica- tion server or any Java application that you intend to use as a Web Service provider. We’ll discuss these in the next three subsections. JSR Compliance The list of JSRs that we provided earlier in this chapter provides a convenient way for you to assess whether your application server is Web Service ready. In checking the compliance of your candidate application servers against these JSRs, you might have to contact the sales representative or customer support for the application servers. If Securing Java Web Services 265 [...]... 32 33 Securing Java Web Services 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 . existing Java security mechanisms as described in Chapter 7, Security of Infrastructures for Web Services. ” We are going to look at how security can be handled in a Java-enabled Web Services environment and IBM as examples of Web Services- enabled Java vendors, and Systinet as a Web Services development platform vendor for non -Web Services applications. Using Java with Web Services Even though. of platforms using Web Services technologies. WASP provides three layers of security: low-level, XML, and Web Services security. The low-level security consists of many of the security models that