Java-Based Web Services Security Providers

With the overwhelming success of Java in Web and pervasive applications running on a variety of platforms and devices, the Java platform has become the de facto run-time environment for multiplatform Web-services providers. With the release of J2EE 1.4, the J2EE platform allows development and deployment of Web services by enabling J2EE components to participate in Web services. Today there is a long list of technology vendors that provide Java-based infrastructure solutions for delivering Web services.

At the time of the writing of this book, the following vendors offered Java-based Web-services implementation based on the OASIS WS-Security specification.

Sun JWSDP

Java Web Services Developer Pack (JWSDP) is a Web services development kit that provides build, deploy, and test environments for Web-services applications and components. It brings together a set of Java APIs and reference implementations for building XML-based Java applications that support key XML Web services industry-standard initiatives such as SOAP, WSDL, UDDI, WS-I Profiles, XML Encryption, XML Digital Signature, and WS-Security. At the time of writing this book, Sun Microsystems released JWSDP 1.5, which includes the following APIs and tools for Web services:

• Java API for XML-based RPC (JAX-RPC)

• Java Architecture for XML Binding (JAXB)

• Java API for XML Registries (JAXR)

• XML and Web Services Security

• XML Digital Signature

• Java API for XML Processing (JAXP)

• SOAP with Attachments API for Java (SAAJ)

JWSDP 1.5 also implements the WS-I Basic profile 1.1 and WS-I Basic Attachment profile for enabling interoperability.

WS-Security in JWSDP

The JWSDP 1.5 provides full implementation of the OASIS Web Services Security 1.0 (WS-Security) specification as XWS-Security APIs for providing message-level security for SOAP messages. This allows representing message-level security mechanisms based on XML encryption and XML Digital signatures. It also provides support for applying authentication credentials such as username/password and certificates.

J2EE 1.4

With the release of J2EE 1.4, the J2EE platform allows enabling selected J2EE components to participate in Web-services communication. It adopts APIs and reference implementations from JWSDP. As a key requirement, it mandates the implementation of the JAX-RPC 1.1 and EJB 2.1 specifications that address the role of Web services and how to expose J2EE components as Web services. In compliance with WS-I Basic profile guidelines, J2EE ensures interoperability with all Web-services providers that adhere to WS-I specifications. The J2EE Web services security builds on the existing J2EE security mechanisms for securing Web-service interactions by adopting a flexible security model that uses both declarative and programmatic security mechanisms. In addition, it also allows incorporating security mechanisms used for Web services built using JAX-RPC and SAAJ.

Sun Java System Access Manager

The Sun Java System Access Manager is a standards-based authentication and authorization framework for securing resources that include applications and Web services. Based on J2EE architecture and API, it offers a Java-based implementation for providing Web-services security, including support for the OASIS WS-Security, SAML, and Liberty alliance specifications.

VeriSign TSIK and XKMS Services

The VeriSign Trust Services Integration Kit (TSIK) provides a Java API framework for XML Web-services security. It provides a set of Java APIs and reference implementations for securing XML Web services based on industry-standard initiatives such as XML Encryption, XML Digital signature, OASIS WS-Security, SAML, and XKMS.

VeriSign XKMS Services

The VeriSign XKMS service is a Web services interface to VeriSign-managed PKI. Based on Web-services security standards, the VeriSign XKMS service can be accessed in real time via Web services instead of via Java-based API mechanisms, RSA BSAFE, or Microsoft API. The service allows real-time authentication of Web services providers and requesters using digital certificates and PKI. The VeriSign XKMS Web services are publicly accessible at http://xkms.verisign.com. The VeriSign XKMS trust services offers the following PKI functions accessible to XML Web-servicesbased application solutions.

• Generating and registering the signing key pairs

• Locating the public key

• Verifying and validating the key

• Revocation and recovering keys

RSA BSAFE Secure-WS

The RSA BSAFE Secure-WS toolkit provides both Java and C implementations that allow encryption and decryption of SOAP messages as well as signing and validating digital signatures in accordance with the OASIS WS-Security specification. It allows representing security tokens that include username/password, X.509 certificates, RSA SecurID tokens, Kerberos tickets, and SAML assertions. The Java version has full support for standard JCE providers in addition to BSAFE Crypto-J with FIPS-140 compliance.

In addition to the above products, there are a number of Java-based security toolkits from leading industry vendors, and open source initiatives are available that provide support for building Web services security. Before adopting these solutions, it is quite important to verify their support of the current and evolving Web-services security standards and specifications. Their meeting of architectural requirements, particularly with regard to interoperability, high-availability, reliability, manageability, auditability, and other QoS considerations is especially important.