Computing Reviews
Securing Web services with WS-Security : demystifying WS-Security, WS-Policy, SAML, XML signature, and XML encryption
Rosenberg J., Remy D., Pearson Higher Education, 2004. Type: Book (9780672326516)
Date Reviewed: Sep 17 2004

The subtitle of this book aptly reflects the confusion many developers and technologists face in understanding and using the many emerging, still immature, and overlapping standards being applied to Web services (WS). The book is an excellent attempt to place these standards and their applicability in a framework, in order to demonstrate how each of them can be used to accomplish a part of the enormous task of securing Web services.

Even the table of contents of the book is helpful: instead of merely listing and explaining the components of WS-Security, the reader is guided through the subject, starting with a general understanding of WS security and the foundations of Web services, then moving to identity management and confidentiality, and integrity support in distributed messaging. A chapter on portable authentication and authorization follows, beginning the part that addresses secure simple object access protocol (SOAP) messaging, access control, security policies, trust, and rights management. The concluding chapter (chapter 10) illustrates the process of building secure Web services using BEA software. At the end of the book, there is an appendix on security, cryptography, and basic protocols.

The book is written for technical architects and developers, but has enough background information to be accessible and useful for information technology (IT) managers at various levels. The book is not a programming reference, but it includes multiple code examples that developers will find useful, especially in chapter 10, which is a technical walkthrough aimed at developers.

Chapter 1, “Web Services Basics,” begins with the fundamentals of Extensible Markup Language (XML), SOAP, and Web Services Description Language (WSDL), with a short section on universal description, discovery, and integration (UDDI), followed by a brief description of contexts (portals, application integration) where Web services can be used. The chapter goes on to explain a few core concepts of modern cryptography and of authentication, authorization, and accounting (AAA), and concludes by discussing the components of Web services security (XML signature, XML encryption, SAML, and WS-Security).

Chapter 2, “The Foundations of Web Services,” builds on the concepts introduced in chapter 1 to evaluate, in more detail, the business and technological contexts of Web services usage; compare Web services with the Component Object Model (COM) and the common object request broker architecture (CORBA); analyze the XML core standards as well as SOAP structure; and elucidate the security challenges in Web services. The chapter also provides additional information on WSDL and UDDI, and touches upon e-business frameworks, specifically RosettaNet and Electronic Business XML (ebXML).

Chapter 3, “Foundations of Distributed Message-Level Security,” explains the hard choices architects have to make when defining security for distributed applications, and describes the encryption technologies used in this environment (shared key and public key encryption), as well as the basics of digital signatures, XML digital signatures, public key infrastructure (PKI), and transport layer security.

Chapter 4, “Safeguarding the Identity and Integrity of XML Messages,” focuses on security information specific to XML messaging. It starts with a detailed analysis of XML signatures, followed by an overview of strategies for the efficient use of XML signatures. Continuing the analysis of XML message security, chapter 5 discusses XML encryption, providing an extensive description of the technology and its elements, and concluding with an evaluation of strategies to be used when applying XML encryption.
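The digest-then-sign structure that chapters 4 and 5 describe can be made concrete with a small example. The following is an added illustration written for this review, not code from the book: it signs the SOAP Body of a constructed envelope by placing a ds:Reference with a DigestValue inside ds:SignedInfo and then computing a SignatureValue over the canonical SignedInfo, and it verifies the result. Two assumptions are made for self-containment: an HMAC-SHA256 shared key stands in for the X.509 keys a PKI deployment would use, and canonicalization uses Python's built-in Canonical XML 2.0, whereas WS-Security profiles require Exclusive C14N 1.0, which the standard library does not implement. The verifier also insists that every Reference resolves to exactly one element and that this element is the Body actually being processed.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "ds": DS, "wsu": WSU}
for _prefix, _uri in NS.items():          # fixed prefixes keep serialization deterministic
    ET.register_namespace(_prefix, _uri)

# Algorithm URIs as defined for XML Signature; C14N 2.0 is the stand-in used here,
# WS-Security profiles call for http://www.w3.org/2001/10/xml-exc-c14n# instead.
SIG_METHOD = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N_METHOD = "http://www.w3.org/2010/xml-c14n2"
ID_ATTR = f"{{{WSU}}}Id"

# Constructed sample message: the Body carries a wsu:Id so a Reference can point at it.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header/>
  <soap:Body wsu:Id="Body">
    <transfer><to>ACC-42</to><amount>100</amount></transfer>
  </soap:Body>
</soap:Envelope>"""


def c14n_element(elem):
    """Canonical octets of one element subtree (Canonical XML 2.0 as a stand-in)."""
    detached = copy.deepcopy(elem)
    detached.tail = None                  # tostring() would otherwise emit trailing whitespace
    raw = ET.tostring(detached, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")


def find_by_id(root, wsu_id):
    """Resolve a wsu:Id; require exactly one match so a second element carrying the
    same Id cannot be substituted for the one the digest was computed over."""
    matches = [e for e in root.iter() if e.get(ID_ATTR) == wsu_id]
    return matches[0] if len(matches) == 1 else None


def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sign_envelope(envelope_xml, key, body_id="Body"):
    """Add a ds:Signature to the Header: Reference/DigestValue over the Body,
    SignatureValue over the canonical SignedInfo."""
    root = ET.fromstring(envelope_xml)
    body = find_by_id(root, body_id)
    if body is None:
        raise ValueError("no unique element with wsu:Id=%r" % body_id)
    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_METHOD)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=SIG_METHOD)
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=f"#{body_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=DIGEST_METHOD)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = sha256_b64(c14n_element(body))
    signature = ET.Element(f"{{{DS}}}Signature")
    signature.append(signed_info)
    mac = hmac.new(key, c14n_element(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode("ascii")
    root.find("soap:Header", NS).append(signature)
    return ET.tostring(root, encoding="unicode")


def verify_envelope(envelope_xml, key):
    """True only if SignatureValue checks out AND every Reference resolves to the Body
    with a matching digest; a valid signature over some other element proves nothing."""
    root = ET.fromstring(envelope_xml)
    signature = root.find("soap:Header/ds:Signature", NS)
    if signature is None:
        return False
    signed_info = signature.find("ds:SignedInfo", NS)
    try:
        sig_value = base64.b64decode(signature.findtext("ds:SignatureValue", "", NS), validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, c14n_element(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_value, expected):
        return False
    body = root.find("soap:Body", NS)
    refs = signed_info.findall("ds:Reference", NS)
    if body is None or not refs:
        return False
    for ref in refs:
        uri = ref.get("URI", "")
        target = find_by_id(root, uri[1:]) if uri.startswith("#") else None
        if target is not body:
            return False
        given = ref.findtext("ds:DigestValue", "", NS).strip().encode("ascii", "replace")
        if not hmac.compare_digest(sha256_b64(c14n_element(target)).encode("ascii"), given):
            return False
    return True


if __name__ == "__main__":
    key = b"shared-hmac-key-for-demo"     # constructed demo key
    signed = sign_envelope(ENVELOPE, key)
    print("valid:", verify_envelope(signed, key))
    print("tampered:", verify_envelope(signed.replace("ACC-42", "ACC-99"), key))
```

The order of checks matters: the signature is confirmed first, but acceptance still depends on what was signed, which is why the verifier ties each Reference back to the Body it is about to act on.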

Chapter 6, “Portable Identity, Authentication, and Authorization,” moves on to the issue of Web services security in multi-organizational environments. The chapter is dedicated to the description and analysis of the Security Assertion Markup Language (SAML), with many useful examples of all components of the standard, and a brief discussion of the Liberty Alliance frameworks for identity federation.
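As an added illustration of what a relying party must do with a SAML assertion received from another organization (this is example code written for this review, not material from the book), the following evaluates a constructed SAML 1.1 assertion: it checks the version, that the Issuer is trusted, the NotBefore/NotOnOrAfter validity window with a small clock-skew allowance, the AudienceRestrictionCondition against the relying party's own audience URI, and then extracts the authenticated subject and any attributes asserted about that same subject. Verification of the ds:Signature over the assertion, which must precede these checks, is assumed to have been done by a separate library and is out of scope here; the issuer, audience, and timestamps are invented sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"    # SAML 1.1 keeps the 1.0 assertion namespace
NS = {"saml": SAML}

# Constructed configuration of the relying party and sample clock.
AUDIENCE = "https://sp.example.com"
TRUSTED_ISSUERS = {"https://idp.example.com"}
ISSUE_INSTANT = datetime(2004, 9, 17, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample: an (already signature-verified) SAML 1.1 assertion.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee01"
    Issuer="https://idp.example.com" IssueInstant="2004-09-17T12:00:00Z">
  <saml:Conditions NotBefore="2004-09-17T11:59:00Z" NotOnOrAfter="2004-09-17T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-09-17T11:59:30Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attributes">
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML dateTime values here are whole-second UTC ('Z'); strptime avoids relying on 3.11+ fromisoformat."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_time(offset_minutes=0):
    """Receiver clock for the demo, relative to the sample IssueInstant."""
    return ISSUE_INSTANT + timedelta(minutes=offset_minutes)


def evaluate_assertion(xml_text, audience=AUDIENCE, trusted_issuers=TRUSTED_ISSUERS,
                       now=None, skew=timedelta(seconds=30)):
    """Return (accepted, reason, subject, attributes) for this relying party."""
    now = now if now is not None else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not an assertion", None, {}
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unsupported version", None, {}
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", None, {}

    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            return False, "not yet valid", None, {}
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            return False, "expired", None, {}
        # Every AudienceRestrictionCondition must name this relying party; an assertion
        # issued for another service is not evidence here even if it is genuine.
        for restriction in conditions.findall("saml:AudienceRestrictionCondition", NS):
            audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
            if audience not in audiences:
                return False, "audience mismatch", None, {}

    auth = root.find("saml:AuthenticationStatement", NS)
    if auth is None:
        return False, "no authentication statement", None, {}
    subject = (auth.findtext("saml:Subject/saml:NameIdentifier", "", NS) or "").strip()
    if not subject:
        return False, "no subject", None, {}
    attributes = {}
    for stmt in root.findall("saml:AttributeStatement", NS):
        # Attributes count only when they are asserted about the authenticated subject.
        if (stmt.findtext("saml:Subject/saml:NameIdentifier", "", NS) or "").strip() != subject:
            continue
        for attr in stmt.findall("saml:Attribute", NS):
            attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", subject, attributes


if __name__ == "__main__":
    print(evaluate_assertion(ASSERTION, now=sample_time(0)))
    print(evaluate_assertion(ASSERTION, audience="https://other.example.com", now=sample_time(0)))
```

The reasons are returned rather than raised so that a gateway can log why a federation partner's assertion was rejected without leaking the detail to the caller.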

Chapter 7 addresses a problem that most Web services developers and architects have encountered: how to secure SOAP messages. The chapter is dedicated to the WS-Security standards. It starts with a comparison of transport-level and message-level security, provides information about security tokens (for example, Extensible Rights Markup Language (XrML) tokens), and illustrates the use of certificates. Message confidentiality support in WS-Security is addressed next, with a thorough explanation and a few examples.
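To show what message-level security in a wsse:Security header looks like in practice, here is an added example (written for this review, not taken from the book) using the simplest WS-Security token, the UsernameToken in its PasswordDigest form. The sender computes Base64(SHA-1(nonce + Created + password)), which is the digest rule the 2004 Username Token Profile fixes, and the receiver recomputes it while also enforcing the two things that make the digest safe against replay: a freshness window on wsu:Created and a cache of nonces already seen. The envelope, user name, password and timestamps are constructed sample values, and the password lookup is a plain dictionary standing in for a real credential store.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def password_digest(nonce, created, password):
    """Profile rule: Base64(SHA-1(nonce octets + Created + password)). SHA-1 is what the
    profile specifies; the nonce and Created are what make each digest single-use."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def parse_created(value):
    """wsu:Created as used here: whole-second UTC, e.g. 2004-09-17T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_username_token_envelope(username, password, created, nonce=None):
    """Sender side: a constructed SOAP 1.1 envelope carrying a PasswordDigest UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getBalance/></soap:Body>
</soap:Envelope>"""


def verify_username_token(envelope_xml, lookup_password, now, seen_nonces,
                          max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Receiver side. Returns (accepted, reason, username). seen_nonces is the replay
    cache and must be retained at least as long as max_age + skew."""
    root = ET.fromstring(envelope_xml)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken", None
    username = token.findtext("wsse:Username", "", NS)
    password_el = token.find("wsse:Password", NS)
    nonce_el = token.find("wsse:Nonce", NS)
    created = token.findtext("wsu:Created", "", NS)
    if password_el is None or password_el.get("Type") != PASSWORD_DIGEST:
        return False, "only PasswordDigest accepted", username   # PasswordText would carry the secret itself
    if nonce_el is None or nonce_el.get("EncodingType", BASE64_BINARY) != BASE64_BINARY or not created:
        return False, "missing nonce or Created", username
    try:
        nonce = base64.b64decode(nonce_el.text or "", validate=True)
        created_at = parse_created(created)
    except ValueError:
        return False, "malformed nonce or Created", username
    if created_at > now + skew or created_at < now - max_age:
        return False, "Created outside freshness window", username
    if (username, nonce) in seen_nonces:
        return False, "nonce replayed", username
    secret = lookup_password(username)
    if secret is None:
        return False, "unknown user", username
    expected = password_digest(nonce, created, secret).encode()
    given = (password_el.text or "").strip().encode("ascii", "replace")
    if not hmac.compare_digest(expected, given):
        return False, "bad digest", username
    seen_nonces.add((username, nonce))       # remember only accepted nonces
    return True, "ok", username


if __name__ == "__main__":
    users = {"alice": "s3cret"}              # constructed credential store
    cache = set()
    env = build_username_token_envelope("alice", "s3cret", "2004-09-17T12:00:00Z")
    now = parse_created("2004-09-17T12:00:10Z")
    print(verify_username_token(env, users.get, now, cache))
    print(verify_username_token(env, users.get, now, cache))   # same message again: replay
```

The digest protects the password from disclosure, not the message body; integrity and confidentiality of the Body still come from the XML signature and XML encryption mechanisms the earlier chapters cover, and without a timestamp and nonce check a captured header can simply be resent.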

Chapter 8, “Communicating Security Policy,” analyzes the WS-Policy specification, describing the components of a policy statement and the use of tokens. The chapter concludes the discussion of the three components of WS-Security (SAML, SOAP security, and WS-Policy). The final chapter of narrative in the book is chapter 9, “Trust, Access Control, and Rights for Web Services.” It puts the finishing touches on the description of the WS family of specifications, touching on specifications describing trust, interoperability, integration, and authorization. A few relevant standards are introduced in this chapter, among them the XML Key Management Specification (XKMS) and the Extensible Access Control Markup Language (XACML).

The last chapter, chapter 10, illustrates the process of building a secure Web service using BEA WebLogic Workshop. It uses this practical “assignment” to review the concepts explained earlier in the book, and to stress their practical use.

Although the book requires some familiarity with the XML family of standards, it will be useful for both beginners and experienced practitioners in the Web services area. For an attentive reader, the WS-Security family of specifications, as well as adjacent standards specifications, will truly be demystified.

Reviewer: Claire Vishik
Review #: CR130143 (0505-0554)
Categories: Web-Based Services (H.3.5); Security, Integrity, And Protection (H.2.7)