J2EE Web Services SecurityOverview

Web services are based on the concept of Service-Oriented Architecture (SOA), which enables software components, including application functions, objects, and processes from different systems to be exposed as Web services. Web services represent a composable application solution model based on XML standards such as SOAP, WSDL, UDDI, and standards-based technologies. Web services are self-describing and modular applications that expose their business logic and functionality as services over the Internet. They also provide ways to find, subscribe, and invoke services accessible through the Internet by anyone, anytime, at any location, and using any platform. This ensures that the implementation of Web services applications is compliant with industry standards and enables interoperability and ease of integration with other standards-compliant Web services applications.

With the release of the J2EE 1.4 specification, the J2EE platform introduced newer technologies for enabling J2EE components to participate in Web services and built upon its earlier technologies for its Web services support. J2EE 1.4 is designed to facilitate development and deployment of Web services-based application solutions by supporting Web services providers, requestors, and registries. To develop and deliver Web services, the J2EE platform supports XML-based standards such as SOAP, WSDL, and UDDI using Java technologies such as JAX-RPC (Java API for XML-based RPC), SAAJ (SOAP With Attachment API for Java), and JAXR (Java API for XML Registry). The J2EE platform-based Web services also meet the interoperability and security requirements and standards specified by WS-I Basic profile 1.0.

From a security perspective, ensuring integrity, confidentiality, and trust of a Web service by applying a well-defined security model is very important for implementing Web servicesfor both providers and consumers. Many efforts are currently under way to develop an industry standard for securing XML-based Web services. The most prominent XML security standards (currently available as final or in progress) and their associated standards bodies are:

• XML EncryptionW3C

• XML Signature (XML DSIG)W3C

• WS-Security (WSS)OASIS

• Security Assertions Markup Language (SAML)OASIS

• XML Access Control Markup Language (XACML)OASIS

• XML Key Management Services (XKMS)W3C

• Service Provisioning Markup LanguageOASIS

• Extensible Rights Management Language (XrML)

• XML Common Biometric Format (XCBF)OASIS

In J2EE-based Web services, defining a comprehensive Web services security model involves integration of Java security mechanisms and technologies with the evolving set of Web services security technologies. The J2EE Web service security model builds on the core J2EE security mechanisms and services used for securing Web-tier and EJB-tier components. It leverages the existing J2EE platform's authentication and access control mechanisms for securing Web services applications while maintaining the integrity and confidentiality of Web services interactions and messages. Within this context, the J2EE platform currently addresses Web services security with the following two goals:

Transport-level security: Securing the message transport and the network layer forms the foundation for Web services security, because we know Web services operate across endpoints as point-to-point or intermediary-based multi-hop topology. J2EE Web services offer end-to-end security by securing sessions with authentication, data integrity, and confidentiality. J2EE adopts HTTP over SSL/TLS (HTTPS) for communication and uses digital certificates to secure the data being sent as encrypted and then decrypted upon receipt prior to processing. Both the J2EE-based Web services requestor and provider encrypt all traffic before sending and receiving any data. For authentication, J2EE Web services leverage Web-tier authentication schemes such as Basic Authentication over SSL and Client-Certificate/Mutual Authentication between the service provider and the requester.

Message-level security: Securing the SOAP messages that are transmitted across Web services end-points becomes very important to providing security of a message and its elements. J2EE leverages XML Encryption and XML Signature standards-based security mechanisms to provide message-level integrity and confidentiality. Using JAX-RPC security mechanisms, the message is secured by encrypting and signing, which ensures tamper-proof transmission to the intended recipient and vice versa.

Both transport-level and message-level security are provided by the JWSDP toolkit that includes a Web services security implementation. At the time of writing this book, JAX-RPC supported OASIS WSS 1.0, also referred to as the WS-Security Standard. For more information and further details about Web services security and applied techniques, refer to Chapter 6, "Web Services SecurityStandards and Technologies," and Chapter 11, "Securing Web ServicesDesign Strategies and Best Practices."