SOA Security
SOA Security
SOA Security
Security
291
292 SecurityScenarios
These are just some of the concepts important to security, and there are others
such as trust, single sign-on, federation, and so forth. The chapter describes mech-
anisms to address and handle the threats to security, including credentials for
establishing identity, encryption to safeguard the confidentiality of messages,
digital signatures to help verify identity, and secure communication channels
(such as HTTPS) to safeguard messages and data.
Keep in mind that the J2EE 1.4 platform does not invent new security mecha-
nisms. Rather, the platform provides a programming model that integrates existing
security mechanisms, and makes it easier to design and implement secure applica-
tions.
This chapter begins with an examination of some typical Web service security
scenarios. It then covers the security features available on the J2EE 1.4 platform.
Once the technologies are described, the chapter shows how to design and imple-
ment secure Web services using these J2EE technologies. The chapter also covers
the emerging technologies for Web service security, in particular message-level
security.
Application
Web Service Endpoint
Client Web Service
Connector Endpoint
Web Container
❐ However, designing a secure Web service involves more than just securing the
initial interaction between the client and the service. For a truly secure service,
you must also consider the security needs of the Web service endpoint’s sub-
sequent interactions with other J2EE components, resources, and so forth, that
it undertakes to process the request.
Most client requests to a service require the service to access a series of com-
ponents to fulfill the request and each call might have its own, unique security
requirement. This results in a chain of calls to various components, some of which
might be within the initiating component’s security domain and others of which
are outside that security domain. With such a chain of component calls, each
cooperating component in the chain must be able to negotiate its security require-
ments. In addition, components along the chain might use different security proto-
cols. In short, security needs to flow from a client to a called component, then to
other components and resources, while passing through different security policy
domains.
A J2EE application must be able to integrate its own security requirements
and mechanisms with those of different components and systems. For example, a
client might make a request to a Web service. The client call is to an endpoint,
which in turn might call other Web services, make IIOP calls, access resources,
and access local components. Each component—other Web services, local and
Chapter 7 Security 295
7.1.1.1 Authentication
Authentication, or proving one’s identity, is often required by both a Web service
and a client for an interaction to occur. A Web service might require that clients
provide some credentials—such as a username and password, or a digital certificate
such as an X.509 certificate—to help in proving their identity. The client of a Web
service might require that a service provide it with some evidence to help establish
its identity, which typically is done using a digital certificate.
Furthermore, since a Web service might need to access other components and
resources to process a client’s request, there are authentication requirements
between a service and resources that it uses. The service might need to provide
identity information to authenticate itself to resources and components. The
resources and components might also have to prove their identity to the service.
The same authentication requirements hold true between Web services if the
service endpoint needs to access other Web services.
Thus, authentication occurs across different layers and different types of
systems and domains. Passing identity along the chain may also require that the
identity change or be mapped to another principal.
agers or to only users who work for a particular department. In short, all clients are
not equal in terms of their permissions to access or use services or resources.
Because a service endpoint also needs to interact with other components and
resources, the endpoint needs some way to control access to them. That is, the
endpoint needs to be able to specify resources that have restricted access, to group
clients into logical roles and map those roles to an established identity, and, while
processing a service request, to decide whether clients with a particular identity
can access a particular resource.
7.2.1 Authentication
Authentication is the mechanism by which a client presents an identifier and the
service provider verifies the client’s claimed identity. When the proof occurs in two
directions—the caller and service both prove their identity to the other party—it is
referred to as mutual authentication.
Typically, a client interaction with a J2EE application accesses a set of com-
ponents and resource, such as JSPs, enterprise beans, databases, and Web service
endpoints. When these resources are protected, as is often the case, a client pre-
sents its identity and credentials, and the container determines whether the client
meets the criteria for access specified by the authorization rules. The platform also
allows lazy authentication, which allows unauthenticated clients to access unpro-
tected resources but forces authentication when these clients try to access pro-
tected resources. The platform additionally permits authentication to occur at
different points, such as on the Web or EJB tier. The J2EE container handles the
authentication based on the requirements declared in the deployment descriptor.
Not only does the container enforce authentication and establish an identity
when a client calls a component, but the container also handles authentication
when the initially called component makes calls to other components and
resources. Processing a client’s request to a component might require the compo-
nent to make a chain of calls to access other resources and components. Each sub-
sequently called component might have its own authentication requirements, and
these requirements might differ from those of the initially called component. The
J2EE container handles this by establishing an identity with each call along the
chain of calls. The J2EE platform allows the client identity established with the
initial call’s authentication to be associated with subsequent method calls and
interactions. That is, the client’s authenticated identity can be propagated along
the chain of calls.
It is also possible to configure a component to establish a new identity when it
acts as a client in a chain of calls. When so configured, a component can change
the authenticated identity from the client’s identity to its own identity. Regardless
of how it is handled, the J2EE container establishes an identity for calls made by a
component. Also, the J2EE container handles unauthenticated invocations that do
not require a client to establish an identity. This mechanism can be useful for sup-
porting use cases where a client does not have to authenticate.
300 J2EE Platform Security Model
Protection Protection
Domain Domain
c3
c1 c2
Authentication
or Anonymous
c4
Trust Trust
EJB Container
Web Container
Client
Container Enterprise
Bean
Figure 7.3 Using the Web Container to Establish an EJB Tier Protection Domain
Another use case scenario involves sending a SOAP request to an EJB service
endpoint. Since the caller is making the SOAP request over HTTP, the Web
service authentication model handles authentication using similar mechanisms—
basic authentication and mutual SSL—to the Web tier component use case. How-
ever, rather than use a Web component in front of the EJB component, the EJB
container directly handles the authentication. Note that in the J2EE platform, both
Web and EJB tier endpoints support the same mechanisms for Web service
authenication.
A third use case entails calls made directly to an enterprise bean using RMI-
IIOP. This scenario is not common for Web services since they are not accessed with
RMI-IIOP. However, some Web service endpoints, while processing a request, may
need to access a remote enterprise bean component using RMI-IIOP. The Common
Secure Interoperability (CSIv2) specification, which is an Object Management
Group (OMG) standard supported by the J2EE platform, defines a protocol for
secure RMI-IIOP invocations. Using the CSIv2-defined Security Attribute Service,
client authentication is enforced just above the transport layer. The Security
Attribute Service also permits identity assertion, which is an impersonation mecha-
nism, so that an intermediate component can use an identity other than its own.
7.2.2 Authorization
Authorization mechanisms limit interactions with resources to collections of users
or systems for the purpose of enforcing integrity, confidentiality, or availability
Chapter 7 Security 305
constraints. Such mechanisms allow only authentic caller identities to access com-
ponents. Since the J2EE application programming model focuses on permissions,
which indicate who can do what function, authentication and identity establish-
ment occur before authorization decisions are enforced.
After successful authentication, a credential is made available to the called
component. The credential contains information describing the caller through its
identity attributes. Anonymous callers are represented by a special credential.
These attributes uniquely identify the caller in the context of the authority that
issued the credential. Depending on the type of credential, it may contain other
attributes that define shared authorization properties (such as group member-
ships), which distinguish collections of related credentials. The identity attributes
and shared authorization attributes in the credential are collectively represented as
security attributes. Comparing the security attributes of the credential associated
with a component invocation with those required to access the called component
determines access to the called component.
In the J2EE architecture, a container serves as an authorization boundary
between the components it hosts and their callers. The authorization boundary
exists inside the container’s authentication boundary so that authorization is con-
sidered in the context of successful authentication. For inbound calls, the con-
tainer compares security attributes from the credential associated with a
component invocation to the access control rules for the target component. If the
rules are satisfied, the container allows the call; otherwise, it rejects the call.
rity constraints with associated roles also protect Web resource collections, that is,
a URL pattern and an associated HTTP method, such as GET or POST.
Although deployment descriptors define authorization constraints for an
application, security mechanisms often require more refinement plus careful
mapping to mechanisms in the operational environment in which the application
is ultimately deployed. Both the EJB and Web tiers define access control policy at
deployment, rather than during application development. The access control
policy can be stated in the deployment descriptors, and the policy is often adjusted
at deployment to suit the operational environment.
It is also possible during deployment to refine the privileges required to
access components. At the same time, you can define the correspondence between
the security attributes presented by callers and the container privileges. The
mapping from security attributes to container privileges is kept to the scope of the
application. Thus, the mapping applied to the components of one application may
be different from that of another application.
A client interacts with resources hosted in a Web or EJB container. These
resources may be protected or unprotected. Protected resources have authorization
rules defined in deployment descriptors that restrict access to some subset of non-
anonymous identities. To access protected resources, clients must present non-
anonymous credentials to enable their identities to be evaluated against the
resource authorization policy.
You control access to Web resources by properly defining their access ele-
ments in the deployment descriptor. For accessing enterprise beans, you define
method permissions on individual bean methods. See “Handling Authorization”
on page 320.
• The server authenticates itself to clients with SSL and makes its certificate
available.
• The client uses basic authentication over an SSL channel.
• Mutual authentication with SSL, using the server certificate as well as the cli-
ent certificate, so that both parties can authenticate to each other.
not exist, the J2EE platform does not require one. Certificates must be handled in
a manner appropriate to the specific operational environment of the application.
A Web service can be implemented and deployed in either the Web tier or EJB
tier. The security mechanisms are the same at the conceptual level but differ in the
details. The endpoint type determines the mechanism for declaring that a Web
service endpoint requires SSL. For a Web tier endpoint (a JAX-RPC service end-
point), you indicate you are using SSL by setting to CONFIDENTIAL the transport-
guarantee subelement of a security-constraint element in the web.xml deploy-
ment descriptor. This setting enforces an SSL interaction with a Web service end-
point. (See Code Example 7.1.)
<web-app>
<security-constraint>
...
<web-resource-collection>
<web-resource-name>orderService</web-resource-name>
<url-pattern>/mywebservice</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
Setting up SSL for EJB tier endpoints varies according to the particular appli-
cation server. Generally, for EJB endpoints a developer uses a description sub-
element of the target EJB component to indicate that the component requires SSL
when deployed. Although EJB endpoints are required to support SSL and mutual
authentication, the specifications have not defined a standard, portable mechanism
for enabling this. As a result, you must follow application server-specific mecha-
nisms to indicate that an EJB endpoint requires SSL. Often, these are application
server-specific deployment descriptor elements for EJB endpoints that are similar
to the web.xml elements for Web tier endpoints.
Chapter 7 Security 311
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
Code Example 7.2 Requiring Mutual Authentication for Web Tier Endpoints
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>some_realm_name</realm-name>
</login-config>
Code Example 7.3 Requiring Basic Authentication for Web Tier Endpoints
312 Security for Web Service Interactions
For a Web service with an EJB endpoint, you use the application server-
specific mechanisms to require basic authentication. Often, each application
server’s deployment descriptor includes an element for authentication for an EJB
service endpoint that is analogous to the web.xml auth-method element.
A Web service may also require hybrid authentication, which is when a client
authenticates with basic authentication and SSL is the transport. The client
authenticates with a username and password, the server authenticates with its
digital certificate, and all of this occurs over a HTTPS connection. Hybrid authen-
tication compensates for HTTP basic authentication’s inability to protect pass-
words for confidentiality. This vulnerability can be overcome by running the
authentication protocols over an SSL-protected session, essentially creating a
hybrid authentication mechanism. The SSL-protected session ensures confidenti-
ality for all message content, including the client authenticators, such as username
and password.
Enabling hybrid authentication for a Web service endpoint generally requires
two operations (both previously discussed): setting the transport to use the confi-
dentiality mechanism of HTTPS and setting the authentication of the client to use
basic authentication. For EJB endpoints, you use application server-specific
mechanisms. For Web endpoints, you set deployment descriptor elements. Code
Example 7.4 demonstrates how to configure hybrid authentication by combining
the deployment descriptor choices for basic authentication and confidential trans-
port.
<web-app>
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
...
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>some_realm_name</realm-name>
</login-config>
...
</web-app>
Code Example 7.4 Requiring SSL Hybrid Authentication for Web Tier Endpoints
Chapter 7 Security 313
❐ Ensure that you set up an SSL transport for each endpoint that requires basic
authentication. Otherwise, the client authenticator is not fully protected. For
example, for Web endpoints, ensure that the transport-guarantee element of
each protected Web endpoint is set to CONFIDENTIAL for an application using a
hybrid authentication mechanism.
grammatic JAX-RPC APIs to set the username and password properties on stubs
for J2EE components. Thus, J2EE application servers are not required to support
components programmatically setting these identifier values.
If the endpoint requires mutual authentication, the application server instance
environment is set at deployment with the proper certificates such that they are
available to the J2EE container. Since a client component’s deployment descrip-
tors have no portable, cross-platform mechanism for setting these security arti-
facts, they must be set using the particular application server’s own mechanisms.
In other words, an enterprise bean or servlet component that interacts with a Web
service requiring mutual authentication must, at deployment, make the appropri-
ate digital certificates available to the component’s host container. The client’s
container can then use these certificates when the component actually places the
call to the service.
Once the environment is set, a J2EE component can make a secure call on a
service endpoint in the same way that it ordinarily calls a Web service—it looks
up the service using JNDI, sets any necessary parameters, and makes the call. (See
Chapter 5 for details.) The J2EE container not only manages the HTTPS transport,
it handles the authentication for the call using the digital certificate or the values
specified in the deployment descriptor.
identity identity selection policy, both defined in the deployment descriptor. The
container then uses either the calling component’s identity (if the policy is to use the
use-caller-identity) or, for run-as(role-name), a static identity previously des-
ignated at deployment from the principal identities mapped to the named security
role.
Developers can define component identity selection policies for J2EE Web
and EJB resources, including Web service endpoints. If you want to hold callers
accountable for their actions, you should associate a use-caller-identity policy
with component callers. Using the run-as(role-name) identity selection policy
does not maintain the chain of traceability and may be used to afford the caller
with the privileges of the component. Code Example 7.6 shows how to configure
client identity selection policies in an enterprise bean deployment descriptor.
<enterprise-beans>
<entity>
<security-identity>
<use-caller-identity/>
</security-identity>
...
</entity>
<session>
<security-identity>
<run-as>
<role-name> guest </role-name>
</run-as>
</security-identity>
...
</session>
...
</enterprise-beans>
Code Example 7.6 Configuring Identity Selection Policies for Enterprise Beans
Code Example 7.7 shows how to configure client identity selection policies in
Web component deployment descriptors. If run-as is not explicitly specified, the
use-caller-identity policy is assumed.
318 Security for Web Service Interactions
<web-app>
<servlet>
<run-as>
<role-name> guest </role-name>
</run-as>
...
</servlet>
...
</web-app>
Code Example 7.7 Configuring Identity Selection Policies for Web Components
Since Web service calls are likely to cross protection domains, identity propa-
gation mechanisms (such as run-as and use_caller_identity) and security
context are not useful and are not propagated to service endpoints. When a J2EE
component acting as a Web service client specifies the run-as identity or the use-
caller-identity, the container applies that identity only to the component’s
interactions with non-Web service components, such as enterprise beans. Some
vendors may provide mechanisms to propagate identity across protection
domains, but these mechanisms may not be portable.
This brings us to the question of how to establish identity for Web services.
For the client making calls to a service that requires authentication, the client con-
tainer provides the necessary artifacts, whether username and password for basic
authentication or a digital certificate for mutual authentication. The container of
Chapter 7 Security 319
the target Web service establishes the identity of calls to its service endpoint. The
Web service bases this identity on the mapping principals designated by when the
service was deployed, which may be based on either the client’s username and
password identity or the digital certificate attributes supplied by the client’s con-
tainer. However, since no standard mechanism exists for a target Web service to
map an authenticated client to the identity of a component, each application server
handles this mapping differently.
For example, Figure 7.4 illustrates how a caller identifier is propagated from
clients to Web service endpoints and J2EE components. The initial client makes a
request of Web service endpoint X. To fulfill the request, endpoint X makes a call
on entity bean J, which in turn invokes a method on entity bean K. The client caller
identifier A propagates from the endpoint through both entity beans. However,
when entity bean K calls a method on service endpoint Y, since the Web service is
not in the same protection domain, reauthentication must occur. Similarly, when
endpoint X calls endpoint Z, the caller identifier cannot be propagated.
Applications can also use programmatic APIs to check client identity, and use
that client identity to make identity decisions. For example, a Web tier endpoint,
as well as other Web components, can use the getUserPrincipal method on the
HttpServletRequest interface. An EJB endpoint, just like other enterprise bean
components, can use the EJBContext method getCallerPrincipal. An applica-
tion can use these methods to obtain information about the caller and then pass
that information to business logic or use it to perform custom security checks.
Client: request
caller id A
Service
endpoint Entity
response X id A bean J
id A Entity
bean K
reauthenticate
reauthenticate
Service Service
endpoint endpoint
Z Y
<security-role>
<role-name>customer</role-name>
</security-role>
What does this mean in terms of a Web service’s access control consider-
ations? Your Web service access control policy may influence whether you imple-
ment the service as a Web tier or an EJB tier endpoint. For Web tier components,
the granularity of security is specific to the resource and based on the URL for the
Web resource. For EJB tier components, security granularity is at the method
level, which is typically a finer-grained level of control.
Chapter 7 Security 321
Keep in mind, however, that both Web and EJB tier endpoints can use pro-
grammatic APIs for finer-grained security. If you are willing to write code for
access control, then both types of endpoints can be designed to handle the same
security capabilities. However, it is generally discouraged to embed security code
and use the programmatic security APIs in a component. A better approach keeps
the security policy externalized form the application code and uses the declarative
services with deployment descriptors.
❐ If you require finer-grained control for your access control policy, consider us-
ing an EJB endpoint, since it utilizes method-level control.
322 Security for Web Service Interactions
<web-app>
....
<security-constraint>
<web-resource-collection>
<web-resource-name>orderService</web-resource-name>
<url-pattern>/mywebservice</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
</security-constraint>
...
<login-config>
...choose either basic or client(for mutual authentication)
</login-config>
<security-role>
<role-name>customer</role-name>
</security-role>
</web-app>
<method-permission>
<role-name>customer</role-name>
<method>
<ejb-name>PurchaseOrder</ejb-name>
<method-intf>ServiceEndpoint</method-intf>
<method-name>submitOrder</method-name>
</method>
</method-permission>
Some applications also feature unprotected EJB endpoints and allow anony-
mous, unauthenticated users to access certain EJB resources. Use the unchecked
element in the method-permission element to indicate that no authorization check
is required. Code Example 7.12 demonstrates the use of the unchecked element.
<method-permission>
<unchecked/>
<method>
<ejb-name>PurchaseOrder</ejb-name>
<method-name>getCatalogInfo</method-name>
</method>
<method>
324 Security for Web Service Interactions
...
</method-permission>
<exclude-list>
<method>
<ejb-name>SpecialOrder</ejb-name>
<method-name>*</method-name>
</method>
<method>
...
</exclude-list>
❐ Apply the same access control rules to all access paths of a component. In ad-
dition, partition an application as necessary to enforce this guideline, unless
there is some specific need to architect an application in a different fashion.
When designing the access control rules for protected resources, take care to
ensure that the authorization policy is consistently enforced across all the paths
by which the resource may be accessed. Be particularly careful that a less-
protected access method does not undermine the policy enforced by a more rig-
orously protected method.
❐ Declarative security is preferable to programmatic security. Try to use declar-
ative access control mechanisms since these mechanisms keep the business
Chapter 7 Security 325
logic of the application separate from the security logic, thus making it easier
for the deployer to understand and change the access policy without tampering
with the application code. Generally, programmatic security is hard to main-
tain and enhance, plus it is not as portable as declarative security. Security pro-
gramming is complex and difficult to write correctly, leading to a false sense
of security. Use programmatic mechanisms for access control only when extra
flexibility is required.
❐ If you have multiple Web tier endpoints with varying authentication require-
ments, consider bundling them in different .war files. An application (de-
ployed within an .ear file) may use multiple Web service endpoints. It is
possible that you may require different authentication for these endpoints—
some endpoints may require basic authentication, others may require a client
certificate. Since a web.xml file can have only one type of authentication asso-
ciated with its login configuration, you cannot put endpoints that require dif-
ferent authentication in a single .war file. Instead, group endpoints into .war
files based on the type of client authentication they require. Because the J2EE
platform permits multiple .war files in a single .ear file, you can put these .war
files into the application .ear file.
❐ Provide security policy descriptions in addition to those that the standard
WSDL file provides. The WSDL file is required to publish only a Web ser-
vice’s HTTPS URL. It has no standard annotation describing whether the ser-
vice endpoint requires basic or mutual authentication. Use the description
elements of the deployment descriptor to make known the security require-
ments of your endpoints.
❐ Be careful with the username and password information, because these prop-
erties can create a vulnerability when configuring a client component to use
HTTP basic authentication. Username and password are sensitive security da-
ta, and the security of your system is compromised if they become known to
the wrong party. For example, do not store username and password values in
the application code or the deployment descriptor, and if deployment descrip-
tors do include a username and password, be sure to store the deployment de-
scriptors in a secure manner.
❐ Consider using a “guarding” component between the interaction and process-
ing layers. Set up an application accessor component with security attributes
and place it in front of a set of components that require protection. Then, allow
access to that set of components only through the guarding or front component.
326 Message-Level Web Service Security
(See “Simple Object Access Protocol” on page 33 for more details about SOAP.)
A SOAP message is composed of three parts:
• An envelope
• A header that contains meta information
• A body that contains the message contents
S o a p E n v e lo p e
<security-certificate>
S O A P H e a d e r <X509>
H e a d e r E n try some certificate information
</x509> ...
H e a d e r E n try
S O A P B o d y
<CreditCardNumber>
B o d y E n try
gv26bgftjsbv9wqa
</CreditCardNumber>
B o d y E n try
out the entire system or into the application layer. Having security as part of the
message also makes it possible to persist both the message data and its security
information. For example, perhaps to prove that a message was sent, an applica-
tion may need to persist the message data and the digital signature bound to the
message. Or, to protect against internal threats, an application may need to keep
data in a SOAP message confidential, even to the application layer. HTTPS, since
it only protects a message during transport, cannot give the application layer this
encryption protection for the data.
Web service scenarios that pass messages to multiple participants lend them-
selves to using message-level security. Since message-level security is based on
data origin authentication, an application that passes messages to numerous inter-
mediary participants on the way to the target recipient can verify, at each interme-
diary point and at the final target recipient, that the initial message creator identity
associated with the message is as claimed. In other words, the initial message
content creator’s identity moves with the message through the chain of recipients.
signing, and so forth—as they apply at the message level. For those who want to
explore these emerging standards on their own, here is a partial list of the more
significant JSRs and specifications:
• JSR 105—XML Digital Signatures for signing an XML document. It also in-
cludes procedures for computing and verifying signatures.
• JSR 106—XML Digital Encryption for encrypting parts of an XML document.
• JSR 155—Web Services Security Assertions, which is based on Security and
Assertions Markup Language (SAML), is used for exchanging authentication
and authorization information for XML documents.
• JSR 183—Web Services Message Security Java APIs, which enable applica-
tions to construct secure SOAP message exchanges.
<S:Header>
<wsse:Security>
<wsse:BinarySecurityToken
ValueType="wsse:X509v3"
EncodingType="wsse:Base64Binary" wsu:Id="X509Token">
MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
Chapter 7 Security 333
</wsse:BinarySecurityToken>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#myBody">
<ds:Transforms>
<ds:Transform Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
EULddytSo1...
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
BL8jdfToEb1l/vXcMZNNjPOV...
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#X509Token"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body wsu:Id="myBody">
<myPO:PurchaseDetails xmlns:myPO=
"http://www.someURL.com/purchaseOrder">
some message content here ...
</myPO:PurchaseDetails>
334 Message-Level Web Service Security
</S:Body>
</S:Envelope>
This XML document shows the SOAP envelope containing the message body
for the purchase order details and the message header, with the digital signature
for the message. The security portion of the header, which is part of the SOAP
message itself, includes or references all the information necessary to describe
and validate the signature details and artifacts, including:
• A description of the signature algorithm and its details, enclosed within the
ds:Signature element.
Since the message-level security specifications are still evolving, the details in
this example may change. Regardless, the example does highlight how to associ-
ate security information with a particular SOAP message and include the security
information as part of the message itself. As message-level security JSRs and
specifications finalize and are incorporated in the J2EE platform, the correspond-
ing Java APIs and the J2EE containers will hide many of these details from the
application developer.
1. You can make the security code and any supporting framework for message-
level security part of your application by placing it in the application’s .ear
file. Although this is the portable approach, it may require more work. You
should consider this approach if your situation necessitates it.
2. You can use application server-specific extensions that explicitly provide mes-
sage-level security. This is the preferred approach. Since vendors try to make
new features available before standards are finalized, some application servers
may offer nonstandard extensions that integrate some message-level security
capabilities. Eventually these specifications may become part of the standard
J2EE platform, but they may differ from the implementations offered by these
early adopters. Although it may not be portable, it is the easier approach and
more likely to provide the intended security.
Some of these technologies are more mature than others. For example, the
Java Web Services Developer Pack (Java WSDP) toolkit has already incorporated
some of the digital signature standards. Java WSDP is an integrated toolkit from
Sun Microsystems that allows Java developers to build and test XML applica-
tions, Web services, and Web applications using the latest Web service technolo-
gies and standards implementations. The Java WSDP toolkit is available at
http://java.sun.com/webservices/. In addition, some Apache Foundation
projects include implementations of emerging message-level security capabilities.
Let’s look at how you might implement a portable strategy to incorporate
message-level security into your J2EE application. Note that while this is possi-
ble, it is not a task for every application developer since it is usually quite difficult
to write truly secure code. You should attempt this only if you feel comfortable
handling security code, since it involves writing a framework for security. How-
ever, it may be a useful strategy if you need to use message-level security today
and cannot wait for it to be incorporated into the J2EE platform.
Suppose you want to add a digital signature to a message involved in a single
exchange between two participants. First, try to leverage existing J2EE technolo-
gies and mechanisms. For example, because JAX-RPC is the primary message
exchange technology for Web service interactions, try to plug in your security
code to the SOAP messages that JAX-RPC exchanges. This may enable your Web
services with message-level security. You can then leverage the JAX-RPC built-in
mechanisms to manipulate the XML messages being exchanged.
Recall from Chapter 2 that JAX-RPC has handlers that provide a mechanism
to intercept a SOAP message at various points during processing of request and
336 Message-Level Web Service Security
response messages. You can use the JAX-RPC handler to interpose on the
message exchange at the points in the interaction where handlers are invoked.
These points are:
Web Service
Endpoint
Handler
SOAP Message
You may want to combine message-level security with other J2EE declarative
and programmatic security mechanisms. For example, you may want to use
HTTPS as the transport protocol even though the document is signed by a
message-level mechanism. If you choose to use any of the J2EE declarative or
programmatic security mechanisms along with JAX-RPC handlers, keep in mind
the order in which the security constraints are enforced:
You can also combine security mechanisms by adding some secure message-
level functionality to an existing transport-level security solution. For example, if
you have an existing Web service that uses SSL, you may want to add message-
level integrity or confidentiality. Adding this security at the message level ensures
that integrity or confidentiality persist beyond the transport layer.
7.5 Conclusion
This chapter explained the J2EE platform security model as it applies to Web
service endpoints and showed how to use the platform security model in different
338 Conclusion