Oracle Web Services Manager

Book Description

Securing your Web Services

  • Secure your web services using Oracle WSM

  • Authenticate, Authorize, Encrypt, and Decrypt messages

  • Create Custom Policy to address any new Security implementation

  • Deal with the issue of propagating identities across your web applications and web services

  • Detailed examples for various security use cases with step-by-step configurations

In Detail

Web services (WS) provide a simple, standardized way to connect applications over the Internet; however, they require management of security and other run-time operations to work effectively. Oracle Web Services Manager is a software solution for managing the operations of web services and the interactions between these services.

This book explains the business reasons why web services security is required and gives an architectural overview of WS Security for an enterprise. It then provides details about the Oracle Web Services Manager product and how it can be leveraged to address the key security issues of Confidentiality, Integrity, Authentication, and Authorization. Whilst addressing these key issues, the book describes them fully with examples. It ends with a couple of unique features: one is the various options available for a successful deployment, and the other is an in-depth explanation of how the security components work.

Table of Contents

  1. Oracle Web Services Manager
  2. Credits
  3. About the Author
  4. About the Reviewers
  5. Preface
    1. What This Book Covers
    2. What You Need for This Book
    3. Who is This Book for
    4. Conventions
    5. Reader Feedback
    6. Customer Support
      1. Downloading the Example Code for the Book
      2. Errata
      3. Questions
  6. 1. Introduction to Web Services Security
    1. The Need for Web Services Security
    2. Security Challenges in a Web Services Environment
    3. The Need for Identity Propagation from Calling Application to Web Services
    4. Why HTTPS Based Security Is Not Enough
    5. Components of Web Services Security
      1. Authentication
      2. Authorization
      3. Confidentiality
      4. Integrity
    6. Return on Investment
    7. Summary
  7. 2. Web Services Security—Architectural Overview
    1. Overview of XML Security Standards
      1. Closer Look at SOAP Messages
      2. Authentication
      3. Confidentiality
      4. Integrity
    2. Overview of WS-Security Standards
    3. Implementing WS-*Security in Applications
    4. Centralized Management of WS-*Security
      1. The Need for Centralizing WS-*Security Operations
      2. Benefits of Centralizing Web Services Security Operations
    5. Introduction to Oracle Web Services Manager
    6. Summary
  8. 3. Architecture Overview of Oracle WSM
    1. Oracle WSM Architecture
    2. Oracle WSM Policy Manager
      1. Overview of Oracle WSM Policy Manager
        1. Authentication
        2. Authorization
        3. Confidentiality
        4. Integrity and Non-Repudiation
        5. Policy Steps and Pipeline Templates
          1. Option 1: Individual Policy Definition for Each Web Service
          2. Option 2: Pipeline Templates
      2. Relationship Between Policy and Service
    3. Oracle WSM Gateway
      1. Proxy, or Exposing Internal Service to External Business Partner, or Outside of Intranet
      2. Transport Protocol Translation
      3. Content Routing
    4. Summary
  9. 4. Authentication and Authorization of Web Services Using Oracle WSM
    1. Oracle WSM: Authentication and Authorization
      1. Oracle WSM: File Authenticate and Authorize
      2. Oracle WSM: Active Directory Authenticate and Authorize
    2. Oracle WSM: Policy Template
    3. Oracle WSM: Sample Application AD Authentication
      1. Web Service Security Policy
        1. Registering The Web Service with Oracle WSM
        2. Creating The Security Policy
        3. Commit The Policy
      2. Oracle WSM Test Page as Client Application
      3. Microsoft .NET Client Application
    4. Summary
  10. 5. Encrypting and Decrypting Messages in Oracle WSM
    1. Overview of Encryption and Decryption
      1. Symmetric Cryptography
      2. Asymmetric Cryptography
      3. Oracle WSM and Encryption
    2. Encryption and Decryption with Oracle WSM
      1. Encryption Algorithm
      2. Key Transport Algorithm
      3. Internal Working of the XML Encrypt Policy Step
    3. Oracle WSM Sample Application Overview
    4. Oracle WSM Encryption and Decryption Policy
        1. Creating the Security Policy
      1. Oracle WSM Test Page as Client Application
      2. Microsoft .NET Client Application
    5. Summary
  11. 6. Digitally Signing and Verifying Messages in Web Services
    1. Overview of Digital Signatures
    2. Digital Signatures in Web Services
    3. Signature Generation Using Oracle WSM
      1. Sign Message Policy Step
      2. Internals of Sign Message Policy Step
        1. Reference Element
        2. SignedInfo Element
        3. Signature
    4. Signature Generation and Verification Example
      1. Registering Web Service with Oracle WSM
      2. Signature Verification by Oracle WSM
      3. Signature Generation by Oracle WSM
      4. Oracle WSM Test Page as Client Application
      5. Microsoft .NET Client Application
    5. Summary
  12. 7. Oracle WSM Custom Policy Step
    1. Overview of Oracle WSM Policy Steps
    2. Implementing a Custom Policy Step
      1. Extending the AbstractStep Class
      2. Deploying the Custom Policy Step
      3. Step Template XML File Creation
    3. Custom Policy Step Example: Restrict Access Based on IP Address to the Specified Method
      1. Extending the AbstractStep
      2. Testing the Custom Policy Step
    4. Summary
  13. 8. Deployment Architecture
    1. Oracle WSM Components
      1. Addressing Oracle WSM Scalability
      2. Addressing High Availability
        1. Installation
        2. Disabling Unnecessary Components
        3. Mapping Component ID on Host1 and Host2
      3. Configuring Oracle WSM Monitor on Host3
    2. Summary
  14. 9. Oracle WSM Runtime-Monitoring
    1. Oracle WSM Operational Management
    2. Oracle WSM Overall Statistics
    3. Oracle WSM Security Statistics
    4. Oracle WSM Service Statistics
    5. Oracle WSM Custom Views
    6. Oracle WSM Alarms
    7. Summary
  15. 10. XML Encryption
    1. XML Encryption and Web Services
    2. XML Encryption Schema
      1. EncryptedData
        1. EncryptionMethodType
        2. EncryptionMethodType Schema
        3. CipherData Element
      2. EncryptedKey Element
      3. KeyInfo Element
    3. Summary
  16. 11. XML Signature
    1. XML Signature and Web Services
    2. XML Signature Schema
      1. Signature Element
      2. SignedInfo Element
        1. Reference Element
        2. Transforms Element
      3. KeyInfo Element
    3. Summary
  17. 12. Sign and Encrypt
    1. Overview of Sign and Encrypt
    2. Signing and Encrypting Message
    3. Sign and Encrypt by Example
      1. Example Overview
      2. Time Web Service: Decrypt and Verify Signature
      3. Beauty of Oracle WSM Gateway: Sign And Encrypt by Oracle WSM
        1. Service Provider:
        2. Service Consumer:
        3. Sign And Encrypt Policy
    4. Summary
  18. 13. Enterprise Security — Web Services and SSO
    1. Web Services Security Components
    2. Authentication, Authorization and Credential Stores
    3. Integrating with Web Access Management Solution
      1. Security Token Service: Bridging the GAP between WAM and Oracle WSM
        1. Integrated Security Architecture
    4. Summary