Table of Contents
Chapter 1. SOA requires new approaches to security
1.1. SOA lowers long-standing barriers
1.2. Lowering of barriers forces us to rethink security
1.3. Functional aspects of security: With and without SOA
1.3.4. Data integrity and nonrepudiation
1.4. Nonfunctional aspects of security
1.5. New security approaches for SOA
Chapter 2. Getting started with web services
2.1. Setting up tools and environment
2.3.1. SOAP message exchange model
2.3.2. Anatomy of a SOAP message
2.4.1. Describing a service with WSDL
2.5. Web services in action with Apache Axis
2.6. Choices in service design
2.6.1. Wrap existing interfaces or design from scratch?
2.6.3. Start with WSDL or generate it?
Chapter 3. Extending SOAP for security
3.1. Finding the right approach for security in SOAP
3.1.1. Lessons from web authentication schemes
3.2. Extending SOAP with headers
3.3. WS-Security: The standard extension for security
3.4. Processing SOAP extensions using handlers
3.4.2. Outline of the solution
3.4.3. Implementing a server-side JAX-RPC handler
3.5. Processing SOAP extensions using intermediaries
3.6.1. What should go into the headers?
II. Building blocks of SOA security
Chapter 4. Claiming and verifying identity with passwords
4.1. Authentication with username and password
4.1.1. Example: Username and password in WS-Security
4.1.2. Implementing username/password scheme: client-side
4.1.3. JAAS: A generic framework for authentication
4.1.4. Implementing username/password scheme: server-side validation
4.2. Using password digest for authentication
4.2.1. How password digest authentication works
4.2.2. Password digest authentication in action
4.2.3. Implementing password digests: client-side
4.2.4. Implementing password digests: server-side validation
4.3. Is password authentication the right solution for you?
4.3.1. Why is the digest scheme secure?
Chapter 5. Secure authentication with Kerberos
5.1. Authentication requirements in SOA
5.2.1. Basic ideas behind Kerberos
5.2.2. Authentication sequence
5.3. Implementing Kerberos with JAAS and GSS APIs
5.4. Using Kerberos with WS-Security
5.4.1. Running the Kerberos example
5.4.2. Adding a Kerberos ticket to a WS-Security header
5.4.3. Using a Kerberos ticket for authentication
Chapter 6. Protecting confidentiality of messages using encryption
6.1. Encryption in action: an example
6.3. Programming with digital certificates
6.3.1. Creating digital certificates
6.3.2. Point to point encryption with digital certificates (SSL/TLS)
6.4.1. Example: Sending user credentials with selective encryption
Chapter 7. Using digital signatures
7.1. The basics of XML signatures
7.2.1. Example: Signing order creation request
7.3. Practical issues with signatures
7.3.1. Three rules of signatures
Chapter 8. Implementing security as a service
8.2. Analyzing possible uses of a security service
8.2.1. Use case 1: Destination endpoint invokes security service out-of-band
8.2.2. Use case 2: Source endpoint invokes security service out-of-band
8.2.3. Use case 3: Both endpoints invoke security service out-of-band
8.2.4. Use case 4: Security service as an explicit intermediary
8.2.5. Use case 5: Security service as an implicit intermediary
8.3. Conveying the findings of a security service: SAML
8.3.2. AuthenticationStatement: Asserting authentication results
8.3.3. AttributeStatement: Asserting user attributes
8.3.4. AuthorizationDecisionStatement: Asserting authorization decisions
8.4. Example implementation using OpenSAML
8.4.1. Client-side implementation
8.5. Standards for security service interfaces
Chapter 9. Codifying security policies
9.1. Introducing declarative security
9.1.1. Policy consolidation for planning and consistent enforcement
9.2. Interoperability challenges in SOA security
9.3. Web services policy framework
9.3.3. Standards for fetching policy: WS-MetadataExchange and WS-PolicyAttachment
9.4.1. Security assertions for endpoints
9.4.2. Security assertions for messages
Chapter 10. Designing SOA security for a real-world enterprise
10.1. Meeting the demands of enterprise IT environments
10.2. Securing diverse services
10.2.1. Services developed from scratch
10.3. Choosing a deployment architecture
10.3.1. For securing services in the intranet
10.4. Making the solution industrial-strength
10.5. Vulnerability management
10.5.1. Common vulnerabilities
Appendix A. Limitations of Apache Axis
Appendix B. WS-SecureConversation
Appendix C. Attaching and securing binary data in SOAP
C.1 SOAP with Attachments (SwA)
Appendix D. Securing SAML assertions
D.1 Detecting forgery and tampering
D.2 Defending against replay attacks
D.2.1 Strategy 1: Reduce validity period
D.2.2 Strategy 2: Restrict the audience for the assertion
Appendix E. Application-Oriented Networking (AON)