Web Services Security Infrastructure

Previous page
Table of content
Next page

In a Web services environment, the choice of deployment infrastructure is greatly influenced by the development and deployment environment, which is typically either the J2EE platform or Microsoft .NET. In both cases, the security infrastructure is expected to provide comparable run-time services for securing the services provider or a consumer's endpoint. These services must address all the mandated security layers, which include the network infrastructure, transport, and messages. Figure 11-2 illustrates a conceptual Web services infrastructure and components of an organization that securely exposes its business applications as XML Web services to a partner organization.

Figure 11-2. Conceptual Web services security infrastructure


Network Perimeter Security

Network infrastructure security is provided by a network firewall, an IP router, or filtering gateways that can enforce access control by examining and filtering the inbound and outbound traffic routed between the networks. The firewall or IP router resides at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. Most network firewalls can filter packets based on their source, protocols, destination addresses, and port numbers. At the protocol level, the network infrastructure security can filter and apply decisions to forward or reject traffic based on the protocol used, such as HTTP, SMTP, or FTP. It can also filter traffic by packet attribute or state of the request.

XML Firewall

The XML firewall is an XML-aware security device or a proxy infrastructure that can perform XML-based security processing operations. It helps in identifying and thwarting content-level threats and vulnerabilities such as malicious messages, buffer overflows, oversized payloads, virus attachments, and so on. It encapsulates access and enforces XML-based security mechanisms and access control policies to the underlying Web service endpoints and WSDL descriptions. Usually, XML firewalls are provided as specialized hardware or an XML-aware agent component that can be plugged in a Web server running on a bastion host. XML firewalls are also required to support XML Web services standards and specifications to enable message interoperability and compliance with the underlying Web services provider infrastructure.

Web Services Infrastructure

The Web services infrastructure is a standards-based platform that deploys application components as XML Web services. These services are accessible over the Internet using XML standards and XML standards-based technologies. In addition, the Web services infrastructure implements mechanisms for discovering and locating XML Web services, descriptions for defining how to use the exposed services, and representations of messages defining how to communicate with a Web services endpoint. For more information about Web services infrastructure basics, refer to Chapter 6, "Web Services SecurityStandards and Technologies."

Identity Provider

The Identity Provider facilitates identity management, single sign-on (SSO), and identity federation for participating applications, service providers, and service requesters. Its primary responsibility is to provide authentication, authorization, and auditing services for all service interactions between the services provider and the requester. It also facilitates identity registration and termination services in conjunction with a user's repository. With Liberty standards compliance, it also enables interoperability and allows the establishment of trusted relationships between communicating service providers and identity providers.

Directory Services

The Directory Services provide mechanisms for storing and managing the user profiles, configuration, policies, and rules for accessing application and network resources. It features a specialized database, standard protocol, and APIs to store and retrieve information. LDAP is a de facto standard for implementing directory services. It defines a lightweight protocol that specifies the data model for representing information, naming, and security and functionalities for storing, accessing, and updating the LDAP information. Directory services provide support for application security mechanisms related to locating and managing PKI certificates and supporting other PKI life-cycle operations. For more information about LDAP, PKI, and digital certificates, refer to Chapter 2, "Basics of Security."



Previous page
Table of content
Next page
Core Security Patterns. Best Practices and Strategies for J2EE, Web Services, and Identity Management
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
EAN: 2147483647
Year: 2005
Pages: 204
Authors: Christopher Steel, Ramesh Nagappan, Ray Lai
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
Inside Network Security Assessment: Guarding Your IT Infrastructure
Documenting Software Architectures: Views and Beyond
C & Data Structures (Charles River Media Computer Engineering)
Special Edition Using Crystal Reports 10
Junos Cookbook (Cookbooks (OReilly))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy