Security Web Services

Web services are modular software applications described, published, identified and usable through the Web useful to support interoperability in a distributed environment. The consortium OASIS (Organization of Structured Information Standards) and W3C (World Wide Web Consortium) are primarily responsible for the architecture and standardization in order to improve interoperability between different implementations.

The basic idea is to make available a defined set of technologies based on industry standards that are able to facilitate interoperability between heterogeneous systems. Objective is to make the most of the resources distributed without concern for the type of applications, programming languages or operating systems involved. Web services are based on an interface described in a format processable by a computer, the WSDL (Web Services Description Language), SOAP message exchange (Simple Object Access Protocol) with systems that invoke them and typically are based on a HTTP communication .

Among the great advantages of Web services there is the possibility to decouple the interface exposed by the actual implementation allowing an evolution of the side logic consumer or provider that does not impact on the other side, both by facilitating the establishment of complex systems and oriented architectures the services they reuse and integration of systems and applications previously realized.

The approach underlying the architecture design of Web services has been successful and, consequently, the latter have become popular and have become common. All this has led to the request for adequate security of use.

Establish a level of security appropriate to the context of adoption is critical to protect resources and allow its use. It ‘important to recognize that security is the way to go, and not the final destination. It is necessary to analyze the infrastructure and applications to identify and monitor potential threats and assess the potential risks, assessing the impact on systems developed, or under development, and study appropriate countermeasures. Just using the most diverse technologies is not an effective way to establish safety whether there is an adequate culture time to help people understand vulnerabilities in systems and infrastructure.

We summarize below the main problems and possible countermeasures:
critical Solution
Message integrity Use a signature can avoid the risk of processing modified posts along the way.
Confidentiality is necessary to prevent offenders are able to obtain access to information contained in the messages.
Man in the middle Through mutual authentication mechanisms can prevent an attacker gets between sender and receiver by altering the messages.
Spoofing Through advanced authentication techniques can prevent an attacker to assume the identity of an entity trusted.
Replay Attacks Using time stamps and numbering requests, you can prevent attacks based on resending processing requests go to clog the services.

So there are different kinds of threats to cope with the aim of creating a secure environment. The following table summarizes the main requirements of such an environment.
requirements Description
The authentication process that allows you to uniquely identify the user of an application or service.
Non-repudiation Auditing and logging are the key aspects of the non-repudiation of policies that ensure that the user can not deny that they have started and / or completed operations or transactions.
The approval process that governs access by authenticated users resources and operations.
Confidentiality The process of ensuring that data remains private and can not be accessed by unauthorized third parties.
The integrity of the process that ensures that the data is protected from accidental or deliberate modification.
Integrity and confidentiality End-to-end integrity and confidentiality must be guaranteed even in the presence of intermediaries.
Availability Keeps the system usable for legitimate users, such as being taken out of service by crashing or attacks designed to undermine the accessibility (such as DOS attacks).

In a SOA, security reflected on practices that include various measures, such as the coordination between people, processes and technologies, integration of different standards at different levels (generic safety standards, standards for XML security standards security in Web services), integration of data and roles, trade-offs between experience and business prospects.

To ensure a high level of safety for the services necessary to identify the objectives, which implies the identification of security requirements, analyze the spectrum of possible threats and based on the objectives to give the right level of priority to the vulnerability, apply principles, patterns , proven practices and security measures apply to the entire application life cycle.

So far possible attacks and the main requirements for establishing a secure environment. We can have a set of solutions that ensure security at various levels. A first approach to security can be based on point-to-point security technologies such as Transport Layer Security (SSL / TLS), but this may not be sufficient for security contexts of the End-to-End type. In fact, unlike the point-to-point communications, a message may pass through several intermediaries before arriving at your destination and be delivered to different users, probably between security domains with different rules, so the more classic of transport layer security technologies they went adding technology level message. As a result they have developed a number of standards intended to ensure security to a higher level, that application.

The idea is to equip a Web services message level security. The natural solution would be to provide the SOAP message extension can allow security management to the Web services stack implementations. It has been questioned whether the adoption of such a mechanism should go or not to impact on the WSDL, which by definition should remain an interface language, and how this should impact on the possible extension frameworks that provide the implementation of the Web services stack . We need standards that facilitate and support interoperability and that they are independent of operating systems, application infrastructure and programming languages.

From these discussions arose a number of solutions, including all WS-Security, SOAP extension that allows you to establish standards at the level message security enabling you to exploit the granularity of XML, and WS-SecurityPolicy, extension of the WSDL that through a series of policy allows describing in WSDL what security mechanisms are implemented in the exchanged messages, with a richness of expression as to have a considerable impact on the frameworks that implement Web services, for example CXF. Among the results, to often require the use of additional libraries to implement each power stated policies.
Organization of the guide and main tools used

In the first part of the guide will introduce the Web services at the base of the described examples. Following the top-down approach, it will provide the WSDL, the plans for its implementation and a simple example client, with whom the organization will set the basis for all subsequent projects shown. Below we will carry out the tests invocation of remote service and you will make sniffing the traffic with Wireshark, noting the scope of the security issues related to Web services. They then will compare the two main solutions to transport-level and message level.

The second part will present a safety study at the transport layer, will migrate over HTTPS employing TLS and seeing how to generate self-signed certificates, which you create in your own without guarantee agencies. Specifically, we will provide the information to put into operation and use OpenSSL and to take advantage of the tools of the JDK for the creation and management of certificates and related records.

In the third part will deepen security at message level, the WS-Security standard for the extension of the SOAP and WS-SecurityPolicies messages for the extension of the WSDL, pointing to the presence of other standards.

Finally in the fourth chapter we will see how to set up a security infrastructure that eventually integrating into the process the third agencies for issuing certificates. The guide is intended to security for Web services, Web services RESTful to apply the solutions in the transport layer, while at the application level, there are no structural solutions such as those described in the third chapter.

They will provide notes about questions regarding Web services, but it is recommended to address the arguments after you become familiar with the topic. The following resources provide an introduction to the subject:

Guide to Web Services
Java Web Service: The Top-Down Approach to JBoss
WSDL styles and encodings

In order to provide practical examples will use an Application Server, JBoss AS 6, based on an Eclipse IDE. In the examples shown will be using an IDE version Juno JEE (and Luna JEE version for remote work), but in general it is sufficient to any version of the Eclipse IDE JEE with JBossAS Tools installed. Alternatively, you can avoid using JBossAS Tools and perform the manual deployment of project files, manually launching the JBoss server.

They will use both the native stack Java JAX-WS CXF stack with an extension that Spring, describing the procedures for integrating Spring in JBoss. The platform used is the JVM 6 with its JDK 6. While useful, you will avoid references to tools for build automation and management software such as Ant and Maven, so you focus on the topics and present examples that do not require too many additional configurations.

The introduced concepts are general, so applicable to other Application Server, stack and / or IDE, except keep in mind the limits of the specific combinations and configurations. Will be shown examples of creating certificates, keys, and more generally what is necessary for the realization of keystores required, for which you will use tools provided by the JDK, as well as presenting signs of specific tools such as OpenSSL. Finally, we will use Wireshark to sniff the packets transmitted over the network.

Web Security Solution