Feb 27, 2008

Security and SOA

In a service-oriented architecture, deployments of web services and BPEL processes have become increasingly complex. This creates additional challenges for securing the applications and the message exchange between them.
One option is an old, mature standard for these challenges:
transport-level security. With SSL it is very easy to protect the data on the wire. But this solution gets difficult as soon as you want to deploy message routers that have to look into the payload: SSL ends at each router, so every router needs its own certificate and sees the messages in plaintext. Distributing and managing certificates for all routers is not feasible in large installations involving many departments or many contractors...

Is this all? No! There are some newer options, the WS-* specifications...
Now you will say: "OK, these WS-* things are very helpful. I like WS-makeitfast and WS-generateitwithoutwork..."
You can find a diagram showing all these WS-* specifications here (from www.innoq.com).
Yes, there are many WS-* specifications, and here is an attempt to explain WS-Security. To get there we have to start with two other specifications:

1.) XML Encryption can encrypt a whole element or just its content. Start from this unencrypted document (example from www.w3.org):
  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>4019 2445 0277 5567</Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>

After encryption the CreditCard element is replaced by an EncryptedData element. The Type attribute ending in #Element records that the whole element was encrypted; if only the element's content had been encrypted, the Type would end in #Content and the CreditCard tags themselves would stay readable:
  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                   xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </PaymentInfo>


2.) XML Signature adds a signature over the referenced data, together with information about the signing key (example from www.w3.org):
  <Signature Id="MyFirstSignature"
             xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference
          URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>


WS-Security uses XML Encryption to provide confidentiality and XML Signature to provide data integrity for SOAP messages. Because this protection travels inside the message rather than on the transport, it survives the routers mentioned above. The WS-Security SOAP header can additionally carry security tokens for authentication: X.509 certificates, Kerberos tickets, SAML assertions and others....
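As an added illustration of what WS-Security does with XML Signature (this is example code written for this page, not code from the original post or from Oracle's tooling), the following Java program builds a SOAP 1.1 envelope, signs the soap:Body by its wsu:Id from inside the wsse:Security header using the JDK's built-in javax.xml.crypto API, and verifies it on the receiving side with a public key trusted out of band. It then demonstrates the point about routers: an intermediary can add its own header without breaking the signature, while any change to the signed Body is detected. The envelope, the pay:Transfer payload and the r:Hop routing header are constructed for the example; it assumes JDK 11 or later (for SignatureMethod.RSA_SHA256) and uses RSA with SHA-256 rather than the DSA-SHA1 of the W3C example above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: sign and verify a SOAP Body WS-Security style with the JDK's XML Signature API. */
public class WsSecuritySignDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PAY  = "http://example.org/pay"; // constructed payload namespace for this example

    /** Constructed envelope: empty wsse:Security header, Body addressable through wsu:Id. */
    static Document buildEnvelope() throws Exception {
        String xml = "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsse='" + WSSE
            + "' xmlns:wsu='" + WSU + "'>"
            + "<soap:Header><wsse:Security soap:mustUnderstand='1'/></soap:Header>"
            + "<soap:Body wsu:Id='Body'><pay:Transfer xmlns:pay='" + PAY + "'>"
            + "<pay:Amount>100</pay:Amount></pay:Transfer></soap:Body></soap:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Without a schema the parser does not know wsu:Id is an ID attribute; register it so "#Body" resolves.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true);
        return doc;
    }

    /** Sender side: put a ds:Signature over the Body into the wsse:Security header. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Reference the Body by Id, not by position, so intermediaries can add their own headers.
        Reference ref = fac.newReference("#Body",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        // KeyValue is carried as in the W3C example; the receiver must not use it as its trust anchor.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), security));
    }

    /** Receiver side: verify with a key trusted out of band, ignoring the embedded KeyValue. */
    static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // exactly one signature expected
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigs.item(0));
        ctx.setIdAttributeNS(body, WSU, "Id");      // needed when the receiver re-parses the message
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;
        // Also confirm that what was signed really is the Body and not some other element.
        Reference signed = (Reference) sig.getSignedInfo().getReferences().get(0);
        return "#Body".equals(signed.getURI());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = buildEnvelope();
        sign(doc, kp);
        System.out.println("valid as sent:       " + verify(doc, kp.getPublic()));

        // A router adds its own (unsigned) header: the Body signature is unaffected.
        Element hdr = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        hdr.appendChild(doc.createElementNS("http://example.org/routing", "r:Hop")); // constructed
        System.out.println("valid after routing: " + verify(doc, kp.getPublic()));

        // Any change to the signed Body breaks the digest and the signature fails.
        doc.getElementsByTagNameNS(PAY, "Amount").item(0).setTextContent("1000000");
        System.out.println("valid after tamper:  " + verify(doc, kp.getPublic()));
    }
}
```

The receiver verifies against a key it already trusts and additionally checks that the signed reference is the Body; accepting whatever key arrives in ds:KeyInfo, or any signature regardless of what it covers, would make the signature meaningless. Encrypting the Body with XML Encryption would be layered on top of this; the JDK ships no XML Encryption API, so a WS-Security stack such as the one in Oracle AS or a library is used for that part.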

Oracle supports WS-Security, and there was a very nice article in Oracle Magazine in which Mike Lehmann explained how to use WS-Security with JDeveloper.

So with Oracle AS 10g and JDeveloper you can easily secure your SOA and its web services with SSL or WS-Security....
