Table of Contents for Professional Web Services Security
| Chapter/Section Title | Page # | Page Count |
|---|---|---|
| Introduction | 1 | 1 |
| What's Covered in this Book? | 1 | 1 |
| Who is this Book For? | 2 | 1 |
| What You Need To Use This Book | 2 | 1 |
| Conventions | 2 | 1 |
| Customer Support | 3 | 4 |
| How to Download the Sample Code for the Book | 3 | 1 |
| Errata | 3 | 1 |
| E-Mail Support | 3 | 1 |
| p2p.wrox.com | 4 | 1 |
| Why this System Offers the Best Support | 4 | 3 |
| Web Services | 7 | 20 |
| A Recap of Web Services | 7 | 3 |
| Hosted and Subscribable | 8 | 1 |
| Web Service Integration | 8 | 1 |
| The Revolution of Web Programming | 9 | 1 |
| Associated Web Service Standards | 9 | 1 |
| XML | 9 | 1 |
| RPC, XML-RPC, and SOAP | 9 | 1 |
| WSDL | 10 | 1 |
| UDDI | 10 | 1 |
| The Need for Web Services | 10 | 7 |
| Dependability and Integrity for Internet Commerce | 11 | 1 |
| Benefits of Transactions and Transactional Components | 11 | 1 |
| Online Contracts and Verifiable Transactions | 12 | 1 |
| Availability of Services | 12 | 2 |
| Standardization of Web/Consumer Interaction | 14 | 1 |
| Standards Acceptance for Internet Commerce | 15 | 1 |
| Code Stability | 15 | 1 |
| The Driving Committees | 15 | 1 |
| W3C | 16 | 1 |
| IETF | 16 | 1 |
| OASIS-Open.org | 16 | 1 |
| WebServices.org | 17 | 1 |
| Web Services Architect | 17 | 1 |
| Governmental and International Influence | 17 | 1 |
| Business Motivating Factors for Web Services | 17 | 5 |
| Reliability of Data | 18 | 1 |
| Customer Access | 18 | 1 |
| Local Commerce vs. International Commerce | 19 | 1 |
| Streamlining Transaction Completion | 19 | 1 |
| Motivating Factors Particular to a Business | 19 | 1 |
| Web Service Requestors | 20 | 1 |
| Motivating Factors Internal to Business | 21 | 1 |
| Shared Code Base for Developers | 21 | 1 |
| Eliminate Duplicate Development | 21 | 1 |
| Simplified Installation Issues | 21 | 1 |
| External Access to Internal Data | 22 | 1 |
| The Development, Support, and Future of Web Services | 22 | 1 |
| Web Service Standards | 22 | 1 |
| Message Standards | 22 | 1 |
| Business Areas for Web Services | 22 | 1 |
| Industry Leader Involvement | 23 | 1 |
| IBM | 23 | 1 |
| SUN | 23 | 1 |
| BEA | 23 | 1 |
| Microsoft | 23 | 1 |
| Future of Web Services | 24 | 1 |
| Cost/Benefit Analysis | 24 | 1 |
| Global Internet Commerce | 24 | 1 |
| Summary | 24 | 3 |
| Security | 27 | 34 |
| Introduction to Security | 28 | 6 |
| What Security Represents | 28 | 1 |
| Integrity | 28 | 1 |
| Assurance | 29 | 1 |
| Verification | 29 | 1 |
| Confidentiality | 29 | 1 |
| Availability | 29 | 1 |
| Why We Need Security | 30 | 1 |
| Safeguarding Assets | 30 | 1 |
| Representation of Ourselves to Customers | 30 | 1 |
| Avoiding Liability | 30 | 1 |
| Implementation Considerations | 31 | 1 |
| Type and Amount of Data | 31 | 1 |
| Type of Customers | 31 | 1 |
| Transaction Requirements | 31 | 1 |
| Response Times | 32 | 1 |
| Resource Exposure | 32 | 1 |
| Factors of Security | 32 | 1 |
| Identification | 32 | 1 |
| Authentication | 33 | 1 |
| Authorization | 33 | 1 |
| Integrity | 33 | 1 |
| Confidentiality | 34 | 1 |
| Non-Repudiation | 34 | 1 |
| Web Services Security Implications | 34 | 4 |
| Web Security Issues | 34 | 1 |
| Hackers and Transaction Interception | 35 | 1 |
| Certificates, Transport Layer Security, and Encryption | 35 | 1 |
| Web Services-Specific Security Exploits | 36 | 1 |
| XML Transactional and Identification Concerns | 36 | 1 |
| Web Service Security Applications | 37 | 1 |
| Authentication/Authorization | 37 | 1 |
| Transport Layer | 37 | 1 |
| Application Layer | 37 | 1 |
| Security Terms and Concepts | 38 | 21 |
| DMZ - Demilitarized Zone | 38 | 1 |
| Transport Layer Security | 39 | 1 |
| IPSec | 39 | 1 |
| Firewalls | 40 | 1 |
| Security by Specific IP | 40 | 1 |
| Authentication Layer Security | 41 | 1 |
| Programmatic Authentication | 41 | 1 |
| Localized Authentication | 41 | 1 |
| Authentication Services | 42 | 1 |
| Certificates and Authentication | 42 | 2 |
| Application Layer Security | 44 | 1 |
| Public Key Cryptography | 44 | 1 |
| SOAP Security Extensions | 45 | 1 |
| Digital Security | 46 | 1 |
| Digital Signature Provider Standards | 46 | 1 |
| XML Security/XML Extensions | 47 | 1 |
| XML Signature Tags | 47 | 1 |
| XML Extensions | 48 | 1 |
| XML Digital Signature Standards | 48 | 1 |
| XKMS | 48 | 1 |
| XACML, SAML, and XTAML | 49 | 1 |
| XTASS | 49 | 1 |
| WS-Security | 49 | 1 |
| Security Standards Examples | 50 | 1 |
| Transport Layer Security | 50 | 1 |
| Firewall and IPSec Diagram | 50 | 1 |
| Authentication Layer Security | 51 | 1 |
| Authentication Service | 51 | 1 |
| Certificates | 52 | 1 |
| Application Layer Security | 53 | 1 |
| SOAP Extensions | 53 | 1 |
| XML Digital Signature | 54 | 1 |
| Authentication Integration Example | 55 | 1 |
| Guardian Interaction with School Web Server | 55 | 1 |
| Interaction Between all Parties with Regard to the Document | 56 | 1 |
| Transport Layer | 56 | 1 |
| Authentication Layer | 56 | 3 |
| Summary | 59 | 2 |
| Authentication Mechanisms | 61 | 46 |
| Authentication Mechanisms Overview | 62 | 6 |
| Desired Features List | 62 | 1 |
| Support Multiple Versions of Browser | 62 | 1 |
| Level of Integration with Operating System for User Tracking | 63 | 1 |
| Firewalls and Proxy Server Integration | 63 | 1 |
| Level of Encryption Required | 63 | 1 |
| Level of Client Interaction Needed | 63 | 1 |
| Level of Programmatic Authentication within the Web Service | 63 | 2 |
| Situations Overview | 65 | 1 |
| Corporate Internal | 65 | 1 |
| Remote Access | 66 | 1 |
| Internet User | 67 | 1 |
| Basic Authentication | 68 | 2 |
| Architecture | 69 | 1 |
| Internal User | 69 | 1 |
| External User | 69 | 1 |
| Pros | 69 | 1 |
| Cons | 69 | 1 |
| Basic over SSL | 70 | 2 |
| Internal User Architecture | 71 | 1 |
| External User Architecture | 71 | 1 |
| Pros & Cons for Mechanism | 71 | 1 |
| Pros | 72 | 1 |
| Cons | 72 | 1 |
| The Digest Mechanism | 72 | 3 |
| Internal User Architecture | 73 | 1 |
| External User Architecture | 74 | 1 |
| Pros & Cons for Mechanism | 74 | 1 |
| Pros | 74 | 1 |
| Cons | 74 | 1 |
| NTLM Authentication Mechanism | 75 | 1 |
| Internal User Architecture | 76 | 1 |
| Pros & Cons for Mechanism | 76 | 1 |
| Pros | 76 | 1 |
| Cons | 76 | 1 |
| Client Certificates Mechanism | 76 | 3 |
| Internal User Architecture | 77 | 1 |
| Client without Certificate | 78 | 1 |
| Client with Certificate | 78 | 1 |
| External User Architecture | 78 | 1 |
| Client without Certificate | 78 | 1 |
| Client with Certificate | 79 | 1 |
| Pros | 79 | 1 |
| Cons | 79 | 1 |
| Situational Case Example | 79 | 6 |
| Scenario Description | 80 | 1 |
| Architecture | 80 | 1 |
| User Request Flow Diagrams | 81 | 1 |
| Internal Management Users | 81 | 1 |
| Remote Marketing Travelers | 81 | 1 |
| External Marketing Companies | 82 | 1 |
| Final Analysis and Decision | 82 | 1 |
| Overall Decision | 82 | 1 |
| Group by Group Decision | 83 | 1 |
| Certificate Acquisition Diagram | 84 | 1 |
| After Certificate Acquisition | 84 | 1 |
| Project Liberty | 85 | 1 |
| Security for Web Services | 85 | 1 |
| What is a Network Identity? | 86 | 1 |
| What is a Federated Network Identity? | 86 | 1 |
| What is Liberty Alliance? | 86 | 17 |
| Services Provided by the Liberty Specification | 87 | 1 |
| Opt-in Account Linking | 87 | 1 |
| Simplified Sign-On for Linked Account | 87 | 1 |
| Global Logout | 87 | 1 |
| Authentication Context | 87 | 1 |
| Liberty Alliance Client Feature | 88 | 1 |
| Specifications | 88 | 1 |
| Architecture | 89 | 1 |
| Web Redirection | 90 | 1 |
| Web Services | 90 | 1 |
| Metadata and Schemas | 90 | 1 |
| Liberty Protocols | 90 | 1 |
| Single Sign-on/Federation Protocol | 91 | 1 |
| Name Registration | 91 | 1 |
| Federation Termination Notification (Defederation) | 92 | 1 |
| Single Logout | 92 | 1 |
| Identity Federation Termination (Defederation) Protocol | 92 | 1 |
| Global Logout Protocol | 93 | 1 |
| Profiles and Bindings | 93 | 2 |
| Liberty Browser Artifact Single Sign-on Protocol Profile | 95 | 1 |
| Liberty Browser POST Single Sign-on Protocol Profile | 95 | 1 |
| Liberty WML POST Profile | 95 | 1 |
| Liberty Enabled Client and Proxy (LECP) Single Sign-on Protocol Profile | 95 | 1 |
| Authentication Context Mechanisms | 95 | 1 |
| Implementation Guidelines | 96 | 1 |
| Identity Provider | 96 | 1 |
| Service Provider | 96 | 1 |
| User Agent | 97 | 1 |
| Security Requirements | 97 | 1 |
| Liberty Toolkits | 97 | 1 |
| Resources | 98 | 1 |
| Building Liberty Applications | 99 | 1 |
| Getting Started | 99 | 3 |
| Creating Liberty Services | 102 | 1 |
| Other Federated Identity Initiatives | 103 | 1 |
| Future Directions | 103 | 1 |
| Summary | 103 | 4 |
| PKI | 107 | 32 |
| What is PKI? | 108 | 16 |
| Cryptography | 109 | 1 |
| Cryptalgorithms | 109 | 1 |
| Secret Ciphers | 110 | 2 |
| Key-based Encryption Algorithms | 112 | 1 |
| Symmetric Key Algorithms | 112 | 1 |
| Asymmetric Key Algorithms | 113 | 2 |
| Hybrid Encryption | 115 | 1 |
| Drawbacks | 115 | 1 |
| Cryptanalysis | 116 | 1 |
| Identity | 117 | 1 |
| Digital Certificates | 118 | 2 |
| Applications of Digital Certificates in Web Services | 120 | 1 |
| Digital Signatures | 121 | 2 |
| Digital Signature Considerations | 123 | 1 |
| Quick Review | 123 | 1 |
| Web Services and PKI | 124 | 4 |
| Client Certificates | 124 | 1 |
| PKI-Integrated Applications | 124 | 1 |
| Internal vs. Delegated PKI | 124 | 1 |
| Alternative Security Options | 125 | 1 |
| Application-Level Encryption | 125 | 1 |
| XML Security | 126 | 1 |
| SOAP Security Extensions | 126 | 1 |
| XPKI | 126 | 1 |
| SAML | 126 | 1 |
| The Problems | 126 | 2 |
| Deploying a PKI | 128 | 6 |
| Full Internal PKI | 128 | 1 |
| Small Enterprise | 128 | 1 |
| Large Enterprise | 129 | 1 |
| Policies | 129 | 1 |
| Delegated PKI | 130 | 1 |
| Small Enterprise | 130 | 1 |
| Large Enterprise | 130 | 1 |
| Policies | 130 | 1 |
| Technical View | 131 | 1 |
| Lack of Understanding | 131 | 1 |
| Confidence Structure for Key Management | 131 | 1 |
| Vendor Product Partitioning | 131 | 1 |
| RSA | 132 | 1 |
| Entrust | 132 | 1 |
| Baltimore | 132 | 1 |
| Verisign | 132 | 1 |
| Enterprise View | 132 | 1 |
| Comprehensive Security | 132 | 1 |
| Security for Prospective Customers | 133 | 1 |
| Expense Component | 133 | 1 |
| What We Really Need | 133 | 1 |
| What's Really Available | 133 | 1 |
| How much it All Costs | 133 | 1 |
| PKI and Web Services: The Big Picture | 134 | 3 |
| The Client | 135 | 1 |
| Client Applications | 135 | 1 |
| Web Browsers | 135 | 1 |
| Web Servers | 135 | 1 |
| PKI Support | 136 | 1 |
| Summary | 137 | 2 |
| SSL | 139 | 42 |
| What is SSL? | 140 | 5 |
| Origins | 140 | 1 |
| What Does SSL Provide? | 141 | 1 |
| What Doesn't SSL Provide? | 142 | 1 |
| Client and Server Certificates | 142 | 1 |
| Front-to-Back (or End-to-End) Security | 143 | 2 |
| Why Do We Need SSL? | 145 | 2 |
| HTTP | 145 | 1 |
| Data is Open to Inspection | 145 | 1 |
| Inability to Establish Participant Identities | 145 | 1 |
| Server Destination | 146 | 1 |
| Client Identity via Passwords | 146 | 1 |
| No Guarantee of Data Integrity | 147 | 1 |
| The SSL Solution | 147 | 1 |
| How Does SSL Work? | 147 | 8 |
| Overview | 147 | 1 |
| The SSL Handshake Protocol | 148 | 3 |
| The SSL Record Protocol | 151 | 1 |
| Keeping Data Secure and Sound | 152 | 1 |
| Session Security | 152 | 1 |
| Symmetric Key Algorithms | 152 | 1 |
| Data Encryption Standard (DES) | 152 | 1 |
| Triple DES | 153 | 1 |
| RC4 | 153 | 1 |
| IDEA | 153 | 1 |
| Asymmetric Key Algorithms for Authentication | 153 | 1 |
| RSA | 153 | 1 |
| Message Integrity | 153 | 1 |
| Secure Message Hashing | 154 | 1 |
| Hashing Algorithms | 154 | 1 |
| Operational Review | 155 | 20 |
| SSL -- Two Views | 155 | 1 |
| The Server | 155 | 1 |
| Example - Creating a Server Certificate Request | 156 | 6 |
| Forwarding the Request to the CA | 162 | 3 |
| Installation of the Certificate | 165 | 3 |
| The Client | 168 | 1 |
| Example - Installing a Client Certificate | 168 | 7 |
| SSL -- Limits, Caveats, and Successors | 175 | 1 |
| Security | 175 | 1 |
| Negatives | 175 | 1 |
| Positives | 175 | 1 |
| The Reality | 175 | 1 |
| Caveats | 176 | 1 |
| Successors | 176 | 1 |
| How can Web Services take Advantage of SSL? | 176 | 3 |
| SSL is Architecturally External | 177 | 1 |
| Identity Validation | 177 | 1 |
| Communication Security and Integrity | 178 | 1 |
| The Cost of Security and Integrity | 178 | 1 |
| Summary | 179 | 2 |
| XML Signature | 181 | 42 |
| Why XML Signature? | 182 | 3 |
| Multiple Signatures | 185 | 1 |
| Persistent Signatures | 185 | 1 |
| Web Services and Signatures | 185 | 2 |
| XML | 185 | 1 |
| Remote Referencing | 186 | 1 |
| Multiple Parties | 187 | 1 |
| XML Signature Overview | 187 | 6 |
| Basic XML Signature Structure | 188 | 1 |
| Example: Detached Signature | 189 | 1 |
| Example: Enveloping Signature | 190 | 2 |
| Example: Enveloped Signature | 192 | 1 |
| Example: Detached Signature and External Reference | 193 | 1 |
| XML Signature Processing Steps | 193 | 4 |
| XML Signature Generation | 194 | 1 |
| Calculate the Digest of Each Resource | 195 | 1 |
| Create the <SignedInfo> Element | 195 | 1 |
| Generate the Signature Value | 195 | 1 |
| Create the <Signature> Element | 196 | 1 |
| XML Signature Validation | 196 | 1 |
| Reference Validation | 196 | 1 |
| Signature Validation | 196 | 1 |
| Processing Instructions and Comments | 197 | 1 |
| XML Processing Constraints | 197 | 2 |
| Basic XML Processing | 198 | 1 |
| DOM and SAX Processing | 199 | 1 |
| XML Namespace Processing | 199 | 1 |
| Character Encoding | 199 | 1 |
| XML Signature Syntax | 199 | 12 |
| Core Syntax | 200 | 1 |
| The <Signature> Element | 200 | 1 |
| The <SignatureValue> Element | 200 | 1 |
| The <SignedInfo> Element | 201 | 1 |
| The <CanonicalizationMethod> Element | 201 | 1 |
| The <SignatureMethod> Element | 202 | 1 |
| The <Reference> Element | 202 | 2 |
| The Reference Processing Model | 204 | 1 |
| The <Transforms> Element | 205 | 1 |
| The <Transform> Element | 206 | 1 |
| The <DigestMethod> Element | 206 | 1 |
| The <DigestValue> Element | 206 | 1 |
| The <KeyInfo> Element | 206 | 1 |
| The <Object> Element | 207 | 1 |
| Optional Signature Syntax | 208 | 1 |
| The <Manifest> Element | 208 | 1 |
| The <SignatureProperties> Element | 209 | 1 |
| Processing Instructions and Comments | 210 | 1 |
| Algorithms | 211 | 4 |
| Message Digest | 211 | 1 |
| SHA-1 | 211 | 1 |
| MD5 | 212 | 1 |
| Message Authentication Codes | 212 | 1 |
| Signature Algorithms | 213 | 1 |
| Canonicalization Algorithms | 213 | 1 |
| Transform Algorithms | 214 | 1 |
| User-Specified Algorithms | 214 | 1 |
| Defining a User-Specified Algorithm | 215 | 1 |
| Security Considerations | 215 | 2 |
| Transform Considerations | 215 | 1 |
| Only What is Signed is Secure | 215 | 1 |
| Only What is Seen Should be Signed | 216 | 1 |
| See What is Signed | 216 | 1 |
| Security Model Considerations | 216 | 1 |
| Other Considerations | 217 | 1 |
| Implementations | 217 | 3 |
| XML Signature Web Services | 217 | 1 |
| XML Signature Toolkits | 217 | 1 |
| Example: Create XML Signature Using .NET Framework | 218 | 2 |
| Example: Verify XML Signature Using .NET Framework | 220 | 1 |
| Limitations | 220 | 1 |
| Summary | 221 | 2 |
| XML Encryption | 223 | 38 |
| Why XML Encryption? | 224 | 3 |
| Encrypting Parts of a Document | 224 | 1 |
| Multiple Encryptions | 224 | 2 |
| Persistent Storage | 226 | 1 |
| Web Services and XML Encryption | 226 | 1 |
| XML Representation | 226 | 1 |
| Multiple Parties | 226 | 1 |
| XML Encryption Overview | 227 | 1 |
| Basic XML Encryption Structure | 227 | 1 |
| EncryptedData | 227 | 1 |
| EncryptedKey | 228 | 1 |
| XML Encryption Examples | 228 | 10 |
| Encrypting the Entire XML Element | 229 | 2 |
| Encrypting the XML Element's Content | 231 | 1 |
| Encrypting XML Character Content | 231 | 1 |
| Encrypting the XML Document | 232 | 1 |
| Encrypting Arbitrary Content | 232 | 1 |
| Option 1: Not using XML Encryption | 233 | 1 |
| Option 2: Encrypt the Element Containing the Reference | 233 | 1 |
| Option 3: Use <CipherReference> of XML Encryption | 234 | 1 |
| Add it as a Child of the Image Element | 234 | 1 |
| Refer from the Image Element | 235 | 1 |
| Encrypting EncryptedData Element | 236 | 1 |
| Adding Key Information | 236 | 1 |
| Encrypting the Encryption Key | 237 | 1 |
| XML Encryption Grammar | 238 | 4 |
| The EncryptedData Element | 239 | 1 |
| The EncryptedKey Element | 240 | 1 |
| The CipherReference Element | 241 | 1 |
| The EncryptionProperties Element | 241 | 1 |
| Carrying Key Information | 242 | 4 |
| Using ds:KeyInfo to Carry Key information | 243 | 1 |
| Via ds:KeyName Element | 243 | 1 |
| Via ds:RetrievalMethod Element | 243 | 1 |
| Via Additional Elements of ds:KeyInfo | 244 | 1 |
| Using EncryptedKey to Carry Key Information | 245 | 1 |
| Which Option to Use? | 245 | 1 |
| Encryption Guidelines for XML Documents | 246 | 2 |
| Serialization Guidelines for XML Fragments | 246 | 1 |
| Encryption Guidelines for Arbitrary Data | 247 | 1 |
| Algorithms | 248 | 4 |
| Block Encryption | 248 | 1 |
| Key Transport | 248 | 1 |
| Key Agreement | 249 | 1 |
| Symmetric Key Wrap | 249 | 1 |
| Message Digest | 249 | 1 |
| Message Authentication | 250 | 1 |
| Canonicalization | 250 | 1 |
| Inclusive Canonicalization | 250 | 1 |
| Exclusive Canonicalization | 251 | 1 |
| Encoding | 251 | 1 |
| Relationship with the XML Signature | 252 | 4 |
| Decryption Transform | 252 | 1 |
| Example use of the dcrpt:Except Element | 252 | 2 |
| Modes of Operation | 254 | 1 |
| Restrictions and Limitations of the XML Mode of Operation | 254 | 2 |
| Security Considerations | 256 | 1 |
| Plain Text Guessing Attacks | 256 | 1 |
| Sign What You See | 257 | 1 |
| Symmetric Key | 257 | 1 |
| Initialization Vector | 257 | 1 |
| Denial of Service | 257 | 1 |
| Limitations | 257 | 1 |
| Future Directions | 258 | 1 |
| Implementations | 258 | 1 |
| XML Encryption Toolkits | 259 | 1 |
| Summary | 259 | 2 |
| XKMS | 261 | 42 |
| Key Management Issues | 262 | 3 |
| PKI Complexities | 262 | 1 |
| Example: MyTravels.com | 262 | 3 |
| XKMS Overview | 265 | 3 |
| XKMS Services | 265 | 1 |
| Example using XKMS Services | 266 | 2 |
| XKMS Benefits | 268 | 1 |
| XKMS Namespaces | 268 | 1 |
| XKISS and XKRSS | 268 | 1 |
| XML Key Information Specification | 268 | 12 |
| XKISS Services | 269 | 1 |
| Locate Service | 270 | 1 |
| Locate Service Example | 270 | 1 |
| Locate Request | 271 | 1 |
| Locate Response | 271 | 1 |
| Validate Service | 272 | 1 |
| Validate Service Example | 273 | 1 |
| Validate Request | 273 | 1 |
| Validate Response | 274 | 1 |
| Ensuring the Validity of XKISS Service Response | 275 | 1 |
| XKISS Message Specification | 275 | 1 |
| Locate Request Message | 276 | 1 |
| Locate Response Message | 276 | 1 |
| Validate Request Message | 276 | 1 |
| Validate Response Message | 277 | 1 |
| Respond Element | 277 | 1 |
| Result Element | 278 | 1 |
| KeyBinding Element | 279 | 1 |
| XML Key Registration Specification | 280 | 8 |
| Key Registration | 280 | 1 |
| Example: Client-Generated Key Pair | 281 | 1 |
| Registration Request | 281 | 1 |
| Registration Response | 282 | 1 |
| Service-Generated Key Pair | 283 | 1 |
| Key Reissue | 284 | 1 |
| Key Revocation | 284 | 1 |
| Revoke Request | 284 | 1 |
| Key Recovery | 285 | 1 |
| Request Authentication | 285 | 1 |
| XKRSS Message Specification | 286 | 1 |
| Prototype Element | 286 | 1 |
| AuthInfo Element | 286 | 1 |
| AuthUserInfo Element | 286 | 1 |
| AuthServerInfo Element | 287 | 1 |
| Register Request Message | 287 | 1 |
| Reissue, Revoke, and Recover Request Messages | 288 | 1 |
| Register Response Message | 288 | 1 |
| Reissue, Revoke, and Recover Response Messages | 288 | 1 |
| SOAP Binding | 288 | 1 |
| Bulk Operations | 289 | 3 |
| Bulk Registrations Uses | 289 | 1 |
| X-BULK Specification | 289 | 1 |
| X-BULK Request | 290 | 1 |
| X-BULK Response | 291 | 1 |
| Security Considerations | 292 | 1 |
| Replay Attacks | 292 | 1 |
| Denial of Service | 293 | 1 |
| Recovery Policy | 293 | 1 |
| Limited Use Shared Data | 293 | 1 |
| Future of XKMS | 293 | 1 |
| Implementations | 294 | 6 |
| Client Side Technologies and Options | 294 | 1 |
| Server Side Options | 295 | 1 |
| XKMS Implementations | 296 | 1 |
| Verisign Implementation | 297 | 1 |
| Verisign Client Toolkit | 297 | 1 |
| Register a Client Generated Keypair | 298 | 1 |
| Locate a Key using KeyName | 299 | 1 |
| Summary | 300 | 3 |
| SAML | 303 | 52 |
| What is SAML | 303 | 5 |
| Who's Behind SAML | 304 | 1 |
| Why SAML is needed | 304 | 1 |
| The SAML Specification | 305 | 1 |
| Assertions | 305 | 1 |
| Protocols | 305 | 1 |
| Bindings | 306 | 1 |
| Profiles | 307 | 1 |
| Benefits of SAML | 307 | 1 |
| The SAML Specification Documents | 308 | 28 |
| Use Cases | 308 | 1 |
| Requirements | 309 | 1 |
| Single Sign-on Use Case | 309 | 1 |
| Pull Scenario | 309 | 1 |
| Push Scenario | 310 | 1 |
| Third-Party Scenario | 311 | 1 |
| Authorization Use Case | 312 | 1 |
| Back-Office Transaction Use Case | 313 | 1 |
| The Back-Office Transaction Scenario | 313 | 1 |
| The Third-Party Security Service Scenario | 314 | 1 |
| Intermediary Add Service Scenario | 315 | 1 |
| User Session Use Case | 316 | 1 |
| Session Management | 316 | 1 |
| Requirements | 316 | 1 |
| Single Sign-on Use Case | 317 | 1 |
| Time-out Use Case | 317 | 1 |
| Logout Use Case | 318 | 1 |
| Session Management Messages | 319 | 1 |
| The Core Specification | 320 | 1 |
| Assertions | 320 | 3 |
| The <Assertion> Element | 323 | 1 |
| The <Conditions> Element | 324 | 1 |
| The <Subject> Element | 325 | 1 |
| The <AuthenticationStatement> Element | 326 | 1 |
| The <AttributeStatement> Element | 327 | 1 |
| The <AuthorizationDecisionStatement> Element | 328 | 1 |
| Protocol Request and Response | 328 | 1 |
| Request | 328 | 1 |
| RequestAbstractType | 329 | 1 |
| The <Request> Element | 330 | 1 |
| Response | 330 | 2 |
| The <Response> Element | 332 | 1 |
| XML Digital Signature | 333 | 1 |
| Bindings | 334 | 1 |
| Profiles | 335 | 1 |
| Push or Browser Post Profile | 336 | 1 |
| Pull or Browser Artifact Profile | 336 | 1 |
| Key Standards and Specifications Related to SAML | 336 | 2 |
| Products and Toolkits | 338 | 10 |
| Netegrity's JSAML Toolkit | 341 | 1 |
| JSAML's API | 341 | 1 |
| Assertion Classes | 341 | 1 |
| Protocol Classes | 342 | 1 |
| Digital Signature Classes | 342 | 1 |
| The Content Portal Example using JSAML | 342 | 1 |
| Redirect Web Service | 343 | 2 |
| Syndicated Web Service | 345 | 3 |
| Liberty Alliance, Microsoft Passport, and SAML | 348 | 4 |
| Liberty Alliance Overview | 349 | 1 |
| Liberty Alliance Objectives | 349 | 1 |
| Functional Requirements | 350 | 1 |
| Identity Federation | 350 | 1 |
| Pseudonyms | 350 | 1 |
| Global Logout | 350 | 1 |
| Authentication | 350 | 1 |
| Liberty Alliance Specification Documents | 351 | 1 |
| Overview of the Specification Documents | 351 | 1 |
| Liberty Architecture Overview | 351 | 1 |
| Liberty Bindings and Profiles Specification | 351 | 1 |
| Liberty Protocols and Schemas Specification | 351 | 1 |
| Liberty Authentication Context Specification | 352 | 1 |
| Liberty Architecture Implementation Guidelines | 352 | 1 |
| Recent Developments | 352 | 1 |
| The Future of SAML | 352 | 1 |
| Summary | 353 | 2 |
| XACML | 355 | 36 |
| Who's behind XACML? | 355 | 1 |
| The Need for XACML | 356 | 1 |
| Access Control Lists | 357 | 2 |
| AclEntry Interface | 357 | 1 |
| ACL Interface | 358 | 1 |
| Group Interface | 359 | 1 |
| SAML and Roles Database | 359 | 3 |
| The XACML Specification Documents | 362 | 27 |
| Application Use Cases | 363 | 1 |
| Use Case 1: Online Access Control | 363 | 1 |
| Use Case 2: Policy Provisioning | 364 | 1 |
| Use Case 3: SAML Authorization Decision Request | 365 | 1 |
| Use Case 4: Attribute-Dependent Access Control on XML Resources | 365 | 2 |
| Use Case 5: Requester-Dependent Access Control on XML Resources | 367 | 1 |
| Use Case 6: Provisional Access Control on XML Resources | 368 | 1 |
| Use Case 7: Provision User for Third-Party Service | 369 | 1 |
| Committee Working Draft | 370 | 1 |
| Requirements | 370 | 1 |
| XACML Context | 371 | 1 |
| Policy Language Model | 372 | 1 |
| Policy | 372 | 1 |
| PolicySet | 373 | 1 |
| Target | 373 | 1 |
| Rule | 373 | 1 |
| Obligations | 373 | 1 |
| Effect | 373 | 1 |
| Policy Language Model Syntax | 374 | 3 |
| PolicySet Element | 377 | 1 |
| Target Element | 378 | 1 |
| Policy Element | 379 | 1 |
| Rule Element | 380 | 1 |
| Obligation Element | 380 | 1 |
| XACML Access Control XML Example | 381 | 1 |
| Tax Record | 381 | 1 |
| XACML Request | 382 | 2 |
| Request Element | 384 | 1 |
| Attribute Element | 384 | 1 |
| XACML Response | 384 | 1 |
| Response Element | 385 | 1 |
| Decision Flow | 386 | 1 |
| PDP | 386 | 1 |
| Policy and PolicySet | 387 | 1 |
| PEP | 388 | 1 |
| The Future of XACML | 389 | 1 |
| Summary | 389 | 2 |
| WS-Security | 391 | 28 |
| What is WS-Security? | 392 | 1 |
| An Umbrella of Security for Web Services | 392 | 24 |
| Design Principles | 392 | 1 |
| Decentralization | 392 | 2 |
| Modularity | 394 | 1 |
| Transport Neutrality | 395 | 2 |
| Application Domain Neutrality | 397 | 1 |
| Different Aspects of Security | 397 | 1 |
| Brief Explanation of the WS-Security Schema | 397 | 2 |
| The licenseLocation Element | 399 | 1 |
| The credentials Element | 399 | 1 |
| The Integrity and Confidentiality Elements | 399 | 1 |
| The Security Element | 400 | 2 |
| Message Integrity | 402 | 1 |
| XML Signatures | 403 | 1 |
| The Signature Element | 404 | 1 |
| Transforms | 405 | 1 |
| Algorithm for Digital Signature | 405 | 1 |
| The KeyInfo Element | 405 | 1 |
| Preventing Replay Attacks using the <Timestamp> Element | 405 | 2 |
| Security Token Propagation | 407 | 1 |
| Username Token | 407 | 1 |
| Binary Security Token | 408 | 1 |
| Security Token Reference Element | 409 | 1 |
| Message Confidentiality | 409 | 3 |
| Credentials Transfer | 412 | 2 |
| Putting it All Together | 414 | 2 |
| Advantages of WS Security | 416 | 1 |
| Limitations | 417 | 1 |
| Summary | 417 | 2 |
| P3P | 419 | 34 |
| Understanding Privacy | 420 | 5 |
| Privacy Concerns | 420 | 1 |
| Web Site Surveillance Techniques | 421 | 1 |
| Browser and Server Logs | 422 | 1 |
| Cookies | 422 | 1 |
| Web Bugs | 423 | 1 |
| Spyware | 424 | 1 |
| Privacy Solutions | 424 | 1 |
| Privacy Policies | 424 | 1 |
| Privacy Certification Programs | 424 | 1 |
| Privacy Laws and Organizations | 425 | 1 |
| Software Tools | 425 | 1 |
| History of P3P | 425 | 1 |
| Understanding P3P | 426 | 8 |
| How does P3P Work? | 427 | 2 |
| Understanding the Specification | 429 | 1 |
| Example of a P3P Policy file | 429 | 3 |
| Compact Policies | 432 | 2 |
| P3P Tools | 434 | 6 |
| Internet Explorer 6.0 | 435 | 2 |
| AT&T Privacy Bird | 437 | 2 |
| IBM P3P Policy Editor and Parser | 439 | 1 |
| Implementing P3P on Your Site | 440 | 8 |
| Overview | 441 | 1 |
| Planning and Development | 442 | 1 |
| What does a Policy Cover? | 442 | 1 |
| Create a Natural Language Privacy Policy for your Company | 442 | 1 |
| How many Policies for your Site? | 443 | 1 |
| Where will you Place the Policy Reference File? | 443 | 1 |
| Will you Provide Compact Policies? | 443 | 1 |
| Will you have Policies Specific to Cookies? | 443 | 1 |
| How will you Handle Policy Updates? | 444 | 1 |
| Create the P3P Policy for your Site | 444 | 1 |
| Create a Policy Reference File | 444 | 1 |
| Deployment | 444 | 1 |
| Place the Policy Files | 445 | 1 |
| Configure the Web Server for P3P Compact Policies | 445 | 1 |
| Apache | 445 | 1 |
| Microsoft Internet Information Server (IIS) | 446 | 1 |
| Test the Site | 447 | 1 |
| Tracking and Maintaining P3P policies | 447 | 1 |
| P3P and Web Services | 448 | 1 |
| Challenges to P3P Deployment | 449 | 1 |
| Lack of Interest in Protecting Users' Privacy | 449 | 1 |
| Lack of Enforcement | 449 | 1 |
| EU Recommendation | 450 | 1 |
| Expensive to Maintain and Implement | 450 | 1 |
| The Future of P3P | 450 | 1 |
| Summary | 451 | 2 |
| J2EE Web Services: Case Study | 453 | 46 |
| Case Study Overview | 453 | 2 |
| Configuration | 454 | 1 |
| Installation Instructions | 454 | 1 |
| Verifying the Installation | 455 | 1 |
| Version 0.1 | 455 | 20 |
| Application Tour | 456 | 1 |
| Web Services | 457 | 1 |
| getAccounts Web Service | 457 | 1 |
| getAccountBalance Web Service | 458 | 1 |
| transferFunds Web service | 459 | 1 |
| Java Code | 460 | 1 |
| AccountBalancesPanel.java | 460 | 2 |
| BankGateway.java | 462 | 2 |
| Client.java | 464 | 4 |
| GetInfoActionListener.java | 468 | 1 |
| TransferFundsListener.java | 469 | 2 |
| TransferFundsPanel.java | 471 | 1 |
| Bank.java | 472 | 2 |
| deploy.wsdd | 474 | 1 |
| Run the Application | 474 | 1 |
| Version 0.2 | 475 | 12 |
| XML Signatures | 475 | 1 |
| Creating Keys and a Certificate | 475 | 1 |
| Revising the Application | 476 | 1 |
| getAccounts with an XML Signature | 476 | 2 |
| Java Code | 478 | 1 |
| AddSignature.java | 479 | 1 |
| SecurityUtils.java | 480 | 1 |
| SignedSOAPEnvelope.java | 481 | 3 |
| ValidateSignature.java | 484 | 2 |
| serverdeploy.wsdd | 486 | 1 |
| client-config.wsdd | 486 | 1 |
| Run the Application | 487 | 1 |
| Version 0.3 | 487 | 9 |
| XML Encryption | 488 | 1 |
| Verisign Trust Services Integration Kit | 488 | 1 |
| Revising the Application | 488 | 1 |
| getAccountBalance Web Service with XML Signature and XML Encryption | 488 | 2 |
| Java Code | 490 | 1 |
| Encrypt.java | 490 | 2 |
| Decrypt.java | 492 | 1 |
| SecurityUtils.java | 493 | 2 |
| Run the Application | 495 | 1 |
| Summary | 496 | 3 |
| .NET Web Services: Case Study | 499 | 54 |
| Web Service Framework Architecture | 499 | 1 |
| Web Services Security Architecture | 500 | 1 |
| Case Study: WROX Bank | 501 | 1 |
| Authentication and Credentials | 501 | 1 |
| Message Confidentiality | 502 | 1 |
| Message Integrity | 502 | 1 |
| The OpenService Web Service | 502 | 16 |
| The Web Service in a Web Browser | 503 | 4 |
| The SOAP Messages for the Web Service | 507 | 1 |
| Creating a Client Application | 508 | 3 |
| Generating a Proxy for the Web Service | 511 | 1 |
| Client Application | 511 | 5 |
| Pitfalls of our Web Service | 516 | 1 |
| Eavesdropping | 517 | 1 |
| Data Modification | 517 | 1 |
| Identity Spoofing (IP Address Spoofing) | 517 | 1 |
| Man-in-the-Middle Attack | 517 | 1 |
| Sniffer Attack | 517 | 1 |
| Creating and Configuring a Web Service for Basic HTTP Authentication in IIS | 518 | 5 |
| IIS Authentication | 518 | 1 |
| IP/DNS Security | 518 | 1 |
| Windows Security | 518 | 1 |
| Creating the Basic HTTP Authentication Service | 519 | 1 |
| Creating the Basic HTTP Authentication Client | 519 | 3 |
| Pitfalls of Basic HTTP Authentication | 522 | 1 |
| Creating and Configuring a Web Service for SOAP Headers | 523 | 4 |
| Creating the Client for the SOAPHeaderService | 526 | 1 |
| Cryptography and Web Services | 527 | 13 |
| Cryptographic Algorithms in .NET | 528 | 1 |
| Stream Oriented Design | 528 | 1 |
| Symmetric Algorithms | 528 | 1 |
| Asymmetric Algorithms | 529 | 1 |
| Hashing Algorithms | 529 | 1 |
| Using Cryptography in Message Encryption | 529 | 1 |
| Creating the SOAP Encryption Web Service | 530 | 1 |
| Extending the Credentials Object | 530 | 2 |
| Passing the Public Key to the Client Application | 532 | 1 |
| Creating the GetAccountBalance() Method | 533 | 3 |
| Creating the TransferMoney() Method | 536 | 1 |
| Creating the SOAP Encryption Client Code | 537 | 1 |
| Coding of Client Side Encryption | 537 | 1 |
| The EncryptHeaderInformation() Method | 538 | 2 |
| Pitfalls to be Wary Of and Precautions to be Taken | 540 | 1 |
| Digitally Signing SOAP Messages | 540 | 1 |
| A WSDK Service | 541 | 9 |
| Configuration of the Certificate Store on the Server | 542 | 1 |
| Setting up the Web Service | 542 | 3 |
| Setting up the WSDK Client | 545 | 1 |
| Adding a Proxy Object to the WSDK Web Service | 545 | 1 |
| The GetInfo_WSDKService() Method | 546 | 2 |
| The GetCertificate() Method | 548 | 1 |
| The GetToken() Method | 548 | 1 |
| The TransferMoney_WSDKCertificate() method | 549 | 1 |
| Advantages and Pitfalls of the WSDKService | 550 | 1 |
| Summary | 550 | 3 |
| Appendix A: Toolkits | 553 | 4 |
| Resources | 553 | 1 |
| Standards Chart | 554 | 3 |
| Appendix B: Tomcat/Axis Installation | 557 | 10 |
| Tomcat Windows Installer | 558 | 3 |
| NT Service | 558 | 1 |
| JSP Development Shell Extensions | 559 | 1 |
| Start Menu Group | 559 | 1 |
| Tomcat Documentation | 559 | 1 |
| Example Web Applications | 559 | 1 |
| Source Code | 559 | 1 |
| Setting Environment Variables | 559 | 1 |
| %Catalina_Home% | 560 | 1 |
| Windows 9x- and ME-Specific Issues | 560 | 1 |
| Installing Tomcat On Windows Using the ZIP File | 561 | 1 |
| Installing Tomcat On Linux | 561 | 2 |
| Viewing the Default Installation | 563 | 1 |
| Installing Axis | 563 | 4 |
| Appendix C: Tomcat SSL Configuration | 567 | 4 |
| Generating Keystores and Certificates | 567 | 1 |
| Tomcat Configuration | 568 | 3 |
| Deployment of Secure Web Service | 568 | 3 |
| Index | 571 | |