New trust features in Metro 1.3
A new ws-trust sample is available in Metro, the Web services stack for Glassfish.
This sample illustrates some of the exciting new features and use cases introduced in Metro 1.3, including:
1. Use Issued Saml assertion with SAMLToken policy assertion to authenticate to the service. An independent STS call on the client side with IssuedTokenManager
is required in this case. This shows how to use STS in more general context going beyond the specific IssuedToken policy assertion pattern.
2. Use the WS-Trust validation binding to validate the issued SAML assertion with the STS on the service side.
With these new features, I believe more interesting applications can be built on top of Metro.
Here is a brief description of the message flows in the sample:
1. The client obtains the service WSDL with policy. The policy has a SAMLToken
assertion as a SignedSupportingToken indicating that a SAML assertion is required
to access the service.
2. The client makes a calls to the STS in its SamlCallbackHandler to request for an SAML assertion.
3. The client calls the service with the SAML assertion from the STS.
4. The service calls the STS to validate the SAML assertion in its SamlValidator.
Posted at 11:07PM Jul 03, 2008 by jiandongg in Sun | Comments[0]
JavaOne Talk
I will give a talk in 2008 JavaOne together with Symon Chang of BEA.
Here is the information.
Session Date/Time:
Wednesday
05/07/2008
7:30 PM -8:20 PM
Session ID:
BOF-5590
Session Title:
Java™ Technology for Web Services Secure Exchange: New WS-SX Standards in Action
Session Description:
WS-SecurityPolicy 1.2, WS-SecureConversation 1.3, and WS-Trust 1.3 are three new standards from the OASIS Web Services Secure Exchange (WS-SX) Technical Committee (TC). On top of OASIS WS-Security, these three new standards will enable developers on the Java™ platform to make enterprise Java technology-based web services applications more efficient and more secure in a large, distributed service-oriented architecture (SOA) environment.
This session delves into the Oasis WS-SX standards and discusses the web services security essentials for enterprise technology developers on the Java platform. It presents best practices for end-to-end interoperability and security scenarios and recommends the best strategy for deploying WS-Security together with WS-SecurityPolicy, WS-SecureConversation, and WS-Trust. It provides guidance for how these technologies should be used in the real world.
The presentation also discusses issues of interoperability among different vendors on different platforms with these three security exchanges and makes recommendations on how to ensure interoperability with various web services security scenarios.
Attendees who have a basic knowledge of web services, SOA, and WS-* standards and want to implement web services security will benefit the most from this session. The speakers are WS-SX TC members with expertise in the web services security arena. They are ready to answer any deep technical questions on fields related to Java platform and web services security.
Posted at 10:47PM Apr 06, 2008 by jiandongg in Sun | Comments[0]
ws-sx sample in Metro
A sample for OASIS WS-SX standards based scenario is available now:
https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/src/fs-wssx/
Check the readme for how to set up and run the sample:
https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/readme.txt?rev=1.8&view=log
Posted at 12:29PM Feb 06, 2008 by jiandongg in Sun | Comments[0]
Issuing SAML token of Bearer type
We add the support of issuing SAML assertions of bearer type where there is no proof keys associated
with the assertions. Before that, we only support issuing SAML assertions of AsymmetricKey or SymmetricKey proof key types.
For a service, IssuedToken of Bearer key type should only be used as a SignedSupportingTokens or SupportingToken, since it has no keys associated for encryption or signing purpose. We don't have Netbeans support for this use case yet but one may manually enable it. Here is the steps:
1. Create a service secured using IssuedToken as a supporting token:
https://wsit-docs.dev.java.net/releases/1-0-FCS/WSIT_Security4.html#wp129484
2. Changed the EndorsingSupportedTokens to SignedSupportingTokens.
3. Changed the value of the KeyType element in the RequestSecurityTokenTemplate to
1) ws-sx version: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2) previous version: http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey.
No manual change required on the STS and client side.
Bearer key type is also used by the Windows Cardspace as default with a thin client fro Browser based Web site.
Posted at 04:27PM Feb 04, 2008 by jiandongg in Sun | Comments[0]
Support for OASIS WS-SX standards in Metro
We provide support for OASIS WS-SX standards WS-SecurityPolicy 1.2, WS-SecureConversation 1.3 and WS-Trust 1.3 in the current build of Metro. This will be included in the up-coming Metro 1.2 release as EA features. No Netbeans tooling support is avialbale yet. However one can manually modify the wsdl and configuration produced from Netbeans to produce WS-SX based service and STS. This applies to all the existing security scenarios using previous versions of WS-Trust and WS-SecureConversation.
1. Create a service secured with WS-SX:
First create a service with Netbeans using an IssuedToken from an STS and/or secure conversation for the security.
Then make the following the changes for the service WSDL:
1) Change the all the occurence of WS-SecurityPolicy namespace from
"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
to
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702".
The change must also apply to the IncludeToken attribute.
2) Change all the occurence of the WS-Trust namespace from
"http://schemas.xmlsoap.org/ws/2005/02/trust"
to
"http://docs.oasis-open.org/ws-sx/ws-trust/200512".
This mainly applies to the element in the RequestSecurityTokenTemplate in
IssuedToken policy assertion and what used for Action.
3) Change the policy assertion Trust10 to Trust13.
2. Create STS of WS-SX version:
First Create an STS using Netbeans. (See also my blog entry for creating an customer STS). Then follow the above steps 1), 2) and 3)
to make the namespaces and policy assertion changes.
3. Using WS-Policy 1.5 with WS-SX:
With the service and STS produced from 1 and 2, WS-Policy 1.2 is used.
One may also use the standard WS-Policy 1.5 from W3C with WS-SX support.
For this,
1)Change all the occurence of the WS-Policy namespace from
"http://schemas.xmlsoap.org/ws/2004/09/policy"
to
"http://www.w3.org/ns/ws-policy"
2) Using addressing metadata:
Remove the policy assertion UsingAddressing.
And then add the following assertion instead to enable Addressing:
<wsam:Addressing>
<wsp:Policy>
<wsam:AnonymousResponses />
</wsp:Policy>
</wsam:Addressing>
where
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
Alos change the prefix for Action to wsam (e.g wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue").
This mainly address the use of WS-SX for existing features. There are also some new features introduced for Metro 1.2 which will be described in the subsequent blogs.
We will also provide samples with WS-SX in the current WSIT workspace.
Posted at 10:55PM Feb 03, 2008 by jiandongg in Sun | Comments[2]
New poem from Jerry
The Wish from a Dish
By Jerry
One day I found a little dish,
I took it out to make a wish,
I wished for a cookies munch,
and take it out for extended-care lunch.
I never had a true wish from the dish.
I sang a song with all my wishes,
but it never came to any dishes,
Then I found that wishes can't always come true.
Posted at 04:09PM Nov 15, 2007 by jiandongg in Personal | Comments[0]
Web Services Interoperability Plugfest
We participated the latest Web Services Interoperability Plugfest hosted in Microsoft last week. Harold has a detailed report of the testing result in his blog.
This is the fourth time I have been to Redmond for the Plugfests. I was focused on the WS-SX scenarios this time. WS-SX covers Oasis standard versions of
WS-Trust1.3, WS-SecureConversation1.3 and WS-SecurityPolicy1.2. W3C standards WS-Policy 1.5 as well as WS-Addressing 1.0 are also used in the tests.
The testing scenarios are rather comprehensive which conver various combinations of the following:
Protection:
1. TransportBinding where SSL is used to protect the messages.
2. SymmetricBinding with X509Token of the server
3. AsymmetricBinding with X509Tokens of the client and the server
Client Authentication Token:
1. Usernam/Password
2. X509 certificate
Issued Tokens from STS:
1. Token Type: SAML 1.1
2. Proof Key Type:
2.1 Symmetric Key
2.2 Public Key with Client X509 certificate
2.3 Optionally Public Key with ephemeral RSA key pairs from the client
2.4 No proof key with Bearer key type
Bootstrap client authentication token for Secure Conversation:
1. X509 certificate
2. Issued Token from an STS
For secure conversation, we tested both the issuance and the cancellation bindings.
As reported by Harold, we have successfully passed most of the testing scenarios.
The only remaining issue is that we have not completed the support of KeyValueToken for use with issued token of public proof key type with ephemeral RSA key pairs.
Posted at 11:25AM Nov 14, 2007 by jiandongg in Sun | Comments[0]
Metro and Netbeans for secure conversation
WS-SecureConversation introduces a handshake process which allows the
client and the service to authenticate to each other and to establish
a shared security context at the begining. This context contains a shared
secret key that can be used to secure the subsequent messages. This significantly
impoves the performance with multiple messages.
With WSIT and Netbeans, it is easy to enable secure conversation for your applications. Among 11 Netbeans WSIT security profiles (WSIT tutorial, chapter 6) defined, secure conversation can be enabled for the following ones:
Username Authentication with Symmetric Keys
Mutual Certificates Security
Message Authentication over SSL
Endorsing Certificate
SAML Sender Vouches with Certificates
SAML Holder of Key
STS Issued Token
STS Issued Token with Service Certificate
STS Issued Endorsing Token
To ensable secure conversation with any of the above mechanisms:
once you get here with Netbeans to configure the security mechanism (See
WSIT tutorial for more details),
click the "Configure" button:
Check the "Establish secure session (secure conversation)".
Then secure conversation is enabled for this project and the security mechanism configured is used in the boot strap (handshake)process for establishing the secure session.
In general if you want to secure your Web services with more than one message to send in the transaction, you should enable secure conversation.
Posted at 10:11PM Oct 28, 2007 by jiandongg in Sun | Comments[0]
Metro Security Resources
The following resources help you to understand the security features of Metro/WSIT and how to use those features to secure Web services in your applications.
1. This is a good overview of WSIT including security features by Arun:
https://wsit.dev.java.net/docs/tango-overview.pdf
2. WSIT tutorials contains how to use and configure various Web services security features with Netbeans:
https://wsit-docs.dev.java.net/releases/1-0-FCS/WSIT_Security.html#wp113333
3. Here is a white paper about WS-Trust (an advanced feature in Web services security) support in WSIT:
https://wsit.dev.java.net/docs/trust-whitepaper.pdf
4. Check my blog with a summary of WSIT based Web service security samples:
http://blogs.sun.com/trustjdg/entry/wsit_security_samples
5. Our JavaOne presentation give an overview of security features in WSIT:
http://blogs.sun.com/ashutosh/entry/slides_for_bof_4108_at
6. This blog entry of Kumar gives a summary of WS-Security and WS-SecurityPolicy support in Metro 1.0 and the plan in the future. It also explains the Proprietary security configuration used.
http://weblogs.java.net/blog/kumarjayanti/archive/2007/09/metro_10_securi.html
Posted at 10:31PM Oct 21, 2007 by jiandongg in Sun | Comments[0]
WS-Trust in WSIT 1.0
WSIT 1.0 is released today in line of the release of Glassfish V2. WS-Trust is supported in WSIT 1.0 as a major security feature.
Here is a summary of the WS-Trust support in WSIT:
1. Support for token issuance protocol
2. Support for Security Token Service (STS) Framework for building STS as a
independent Web service.
3. Client and Service Authentication and Security with issued tokens from STS
within the general framework of WS-Security and WS-SecurityPolicy.
More about STS support:
1. Provide a general framework for building STS as an Web service for issuing
security tokens.
2. Authentication and secure communication between client and STS handled in the
same way as for a regular Web service.
3. Support for issuing SAML1.0, SAML 1.1 and SAML2.0 tokens by default.
4. Support for issuing symmetric key and public key (partially)
5. Extensible to support for issuing other types of tokens
6. Allows for plugging-in authorization mechanisms for controlling the issuing of
the tokens according to the user's identity and the targeted service.
7. Allows for plugging-in user mappings for controlling the user
identity/attributes carried in the SAML token issued by STS for different services.
Posted at 01:48PM Sep 17, 2007 by jiandongg in Sun | Comments[0]
WS-SecureConversation in WSIT 1.0
WSIT 1.0 is released today in line of the release of Glassfish V2. WS-SecureConversation is supported in WSIT 1.0 as a major security feature. WS-SecureConversation, built on top of the general mechanisms
defined in WS-Security and WS-Trust, provides a way to establish security context (session) for more efficient communication and better security for multiple message exchanges between a cleint and a service.
Here is a summary of the WS-SecureConversation support in WSIT:
1. SCT Binding of WS-Trust (Issuance binding) for establishing security context
2. Embedded STS for issuing SCT - each WSIT enabled Web service can act as an STS for managing security context.
3. Security context concellation
4. Extensible SessionManager to persist security contexts for Web farms
5. Align with WS-RM to secure reliable messaging sessions.
6. SecurityContextToken for securing messages in the framework of WS-Security
7. Support for Key Derivation and KeyDerivedToken with various types of tokens.
8. Using Netbeans, enabling secure converation is just a click of a button on top of any security profiles.
9. Overall, performance improvement using secure conversation is significant, of 250 to 450 percent depending on the size of messages and the number of messages sent.
Posted at 01:18PM Sep 17, 2007 by jiandongg in Sun | Comments[0]
WSIT Security Samples
WSIT supports multiple standard Web service security technologies. This ensures that it can be used to build security for Web services applications in various environments in an interoperable way.
The existing security samples for WSIT can be divided into two categories:
* Netbeans based sample scenarios
* Packaged sample applications
1. Netbeans Sample Scenarios:
Netbeans provides tooling support for WSIT. It is explained in details in WSIT tutorials how to build WSIT enabled Web services with Netbeans. To facilitate using of security features in WSIT, 11 Netbeans WSIT security profiles are defined:
* Username Authentication with Symmetric Keys
* Mutual Certificates Security
* Transport Security (SSL)
* Message Authentication over SSL
* SAML Authorization over SSL
* Endorsing Certificate
* SAML Sender Vouches with Certificates
* SAML Holder of Key
* STS Issued Token
* STS Issued Token with Service Certificate
* STS Issued Endorsing Token
These profiles covers the most commonly used mechanisms identified in securing Web services.
One may choose a mechanism to use in the application according to the following criterions:
* Level of security: transport or message level
* Type of client credentials: usernam/password, x509 certificate, SAML assertion or issued token from a third party trust authority (STS)
* The role of the client credential played in securing the messages: as a supporting token or as a primary securing token. In the case of supporting token, the messages are usually secured with server's X509 certificate.
While the WIST tutorial gives detailed explaination of theses profiles and how they can be configured through Netbeans in Chapter 6, it also provides six examples for some of the profiles:
* Example: Username Authentication with Symmetric Keys (UA)
* Example: Mutual Certificates Security (MCS)
* Example: Transport Security (SSL)
* Example: SAML Authorization over SSL (SA)
* Example: SAML Sender Vouches with Certificates (SV)
* Example: STS Issued Token (STS)
2. Packaged Sampeles
2.1 In this tech tip Securing Web Services Using WSIT published in Sun Developer Network, we provide a packaged sample for securing Web services with mutual certificates (i.e. both the service and the client have certificates).
We also provide a sample STS and for securing the Web service with issued token from the STS with the same sample by a simple change of policy assertion in the service WSDL.
2.2. WS-Trust sample in WSIT workspace.
This sample, in its simplest form, has three entities: the client, the service and the STS where the client need to authenticate to the STS with username/password and then to access the service with an issued SAML token from the STS.
A sample STSAttributeProvide is also provided for managing the user identity mappings for the STS.
A more complex version of the sample is also provided for plugging in Sun's AccessManager to STS to control the issuing of tokens according to user authentication context and the service targated.
2.3 pricequote sample in WSIT workspace.
In this comprehensive sample, there are two security domains while each domain has its own STS. The two STS' talk to each other in order for a client from one domain to access the service in the other domain. Reliable messaging and secure conversation are also used in this sample.
Posted at 10:46PM Aug 26, 2007 by jiandongg in Sun | Comments[2]
Enable STS MEX endpoint
Back on this March, I published a tech tip in Sun Developer Network for securing Web services using WSIT with or without an STS.
Accomanying the tip, I also provided a sample application package.
Since then the MEX service for a Web service is implemeted as a seperate endpoint
in WSIT. With this change, to run the sample application of STS version with the current build of WSIT, one need to manually enable the MEX endpoint for the STS with the following modifications to the sample:
1. Add the entry
<endpoint
name="sts_mex"
implementation="com.sun.xml.ws.mex.server.MEXEndpoint"
url-pattern="/sts/mex" />
to the file etc\sts\sun-jaxws.xml.
2. Add the entry
<servlet-mapping>
<servlet-name>sts</servlet-name>
<url-pattern>/sts/mex </url-pattern>
</servlet-mapping>
to the file etc\sts\web.xml.
Posted at 11:19PM Aug 22, 2007 by jiandongg in Sun | Comments[0]
WS-Trust support in WSIT: a white paper
A new white paper:
Building Trust in Web services with Security Token Service is available. This article explains how to build a SecurityTokenService (STS) with WSIT as a trust authority in Web services, and how to secure Web services and Web servcies clients with issued tokens from an STS. If you want to build secure solutions in a distributed world with Web services, this article is for you.
Posted at 09:54PM Aug 07, 2007 by jiandongg in Sun | Comments[1]
Burton Catalyst WS-I BSP 1.0 interop event
This event was held on Thursday night, June 28, 2007. Ramesh and I were there for Sun.
The interoperability demo is based on the WS-I BP 1.0 Supply Chain Management sample application. This sample application consists of multiple services which
need to interact with each other. The communications among the services are secured with the WS-I BSP 1.0 secure profile.
The event went smoothly as expected. Each vendor showcased the BSP 1.0 interoperability succesfully by using its own client service and different vendor's implementations for the other services.
As for Sun, we use Glassfish v2 for the implementation of the sample application with WSIT for BSP 1.0 support.
WSIT supports multiple Web services security standards for interoperability with .Net 3.0 platform. These include WS-Security 1.0 and 1.1, WS-SecurityPolicy, WS-SecureConversation and WS-Trust.
This event showcased that Glassfish v2/WSIT is also WS-I BSP 1.0 compliant which
ensures broader interoperability for basic Web services security use cases.
Posted at 11:28PM Jul 01, 2007 by jiandongg in Sun | Comments[1]