Jiandong Guo

WSIT Security Samples

WSIT supports multiple standard Web service security technologies. This ensures that it can be used to build security for Web services applications in various environments in an interoperable way.

The existing security samples for WSIT can be divided into two categories:
* Netbeans based sample scenarios
* Packaged sample applications

1. Netbeans Sample Scenarios:

Netbeans provides tooling support for WSIT. It is explained in details in WSIT tutorials how to build WSIT enabled Web services with Netbeans. To facilitate using of security features in WSIT, 11 Netbeans WSIT security profiles are defined:
* Username Authentication with Symmetric Keys
* Mutual Certificates Security
* Transport Security (SSL)
* Message Authentication over SSL
* SAML Authorization over SSL
* Endorsing Certificate
* SAML Sender Vouches with Certificates
* SAML Holder of Key
* STS Issued Token
* STS Issued Token with Service Certificate
* STS Issued Endorsing Token

These profiles covers the most commonly used mechanisms identified in securing Web services.
One may choose a mechanism to use in the application according to the following criterions:
* Level of security: transport or message level
* Type of client credentials: usernam/password, x509 certificate, SAML assertion or issued token from a third party trust authority (STS)
* The role of the client credential played in securing the messages: as a supporting token or as a primary securing token. In the case of supporting token, the messages are usually secured with server's X509 certificate.

While the WIST tutorial gives detailed explaination of theses profiles and how they can be configured through Netbeans in Chapter 6, it also provides six examples for some of the profiles:

* Example: Username Authentication with Symmetric Keys (UA)

* Example: Mutual Certificates Security (MCS)

* Example: Transport Security (SSL)

* Example: SAML Authorization over SSL (SA)

* Example: SAML Sender Vouches with Certificates (SV)

* Example: STS Issued Token (STS)

2. Packaged Sampeles

2.1 In this tech tip Securing Web Services Using WSIT published in Sun Developer Network, we provide a packaged sample for securing Web services with mutual certificates (i.e. both the service and the client have certificates).

We also provide a sample STS and for securing the Web service with issued token from the STS with the same sample by a simple change of policy assertion in the service WSDL.

2.2. WS-Trust sample in WSIT workspace.

This sample, in its simplest form, has three entities: the client, the service and the STS where the client need to authenticate to the STS with username/password and then to access the service with an issued SAML token from the STS.

A sample STSAttributeProvide is also provided for managing the user identity mappings for the STS.

A more complex version of the sample is also provided for plugging in Sun's AccessManager to STS to control the issuing of tokens according to user authentication context and the service targated.

2.3 pricequote sample in WSIT workspace.

In this comprehensive sample, there are two security domains while each domain has its own STS. The two STS' talk to each other in order for a client from one domain to access the service in the other domain. Reliable messaging and secure conversation are also used in this sample.

Posted at 10:46PM Aug 26, 2007 by jiandongg in Sun  |  Comments[2]