Tuesday, March 16, 2010

Web Service Security: basic concepts

Message-level security: it complements transport-level security (SSL) by letting you specify which parts of the message should be encrypted.

Transport-level security: HTTP-Basic authentication and SSL.

Access control security: it does not encrypt the message; it simply checks that a given user is allowed to invoke a service.



WS-Security is available for both JAX-RPC and JAX-WS.
A message can be signed, encrypted or both. It provides integrity, confidentiality and authentication.


These OASIS standards are supported:

WS-Security 1.0 and 1.1
Username Token Profile 1.0 and 1.1
X.509 Token Profile 1.0 and 1.1
SAML Token Profile 1.0 and 1.1

Other standards covered only for JAX-RPC: WS-Trust and WS-SecureConversation.
WS-Policy and WS-SecurityPolicy.


For a list of pre-packaged WebLogic policy files, see http://download.oracle.com/docs/cd/E15523_01/apirefs.1111/e13952/taskhelp/webservices/ConfigureWSPolicyFile.html

and http://download.oracle.com/docs/cd/E12839_01/web.1111/e13713/message.htm#WSSOV310


You should create a default_wss Web Services Security configuration (domain tab):
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/webservices/webservicesecurity/CreateDefaultWSSConfig.html

This page explains what to enter on that screen (Oracle is very good at sending you around to 20 different documents before you can get anything done):

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/webservices/webservicesecurity/CreateDigitalSignatureKeystore.html

basically:

class name = weblogic.wsee.security.bst.ServerBSTCredentialProvider
token type = x509
property IntegrityKeyAlias
property IntegrityKeyPassword
property IntegrityKeyStore
property IntegrityKeyStorePassword


This generates the following entry in config.xml:

<webservice-security>
  <name>default_wss</name>
  <webservice-credential-provider>
    <name>CredentialProvider-0</name>
    <class-name>weblogic.wsee.security.bst.ServerBSTCredentialProvider</class-name>
    <token-type>x509</token-type>
    <configuration-property>
      <name>IntegrityKeyStore</name>
      <encrypt-value-required>false</encrypt-value-required>
      <value>C:\beawli\wlserver_10.3\server\lib\acmeks.jks</value>
    </configuration-property>
    <configuration-property>
      <name>IntegrityKeyStorePassword</name>
      <encrypt-value-required>true</encrypt-value-required>
      <encrypted-value-encrypted>{3DES}BJ5VpGM7nC0xjFy7L6sAsQ==</encrypted-value-encrypted>
    </configuration-property>
    <configuration-property>
      <name>IntegrityKeyAlias</name>
      <encrypt-value-required>false</encrypt-value-required>
      <value>acme</value>
    </configuration-property>
    <configuration-property>
      <name>IntegrityKeyPassword</name>
      <encrypt-value-required>true</encrypt-value-required>
      <encrypted-value-encrypted>{3DES}BJ5VpGM7nC0xjFy7L6sAsQ==</encrypted-value-encrypted>
    </configuration-property>
  </webservice-credential-provider>
</webservice-security>
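
As an added check, not part of the original post nor of WebLogic itself: a small Python audit of config.xml entries like the one above, flagging any credential-provider password that is not marked encrypt-value-required or that still carries a cleartext value element, plus any of the four IntegrityKey* properties that is missing. The sample document, the second provider and the {3DES} value are constructed; the element names are the ones the console writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config.xml entry above; real domain files carry this namespace.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
<webservice-security><name>default_wss</name>
<webservice-credential-provider><name>CredentialProvider-0</name>
<class-name>weblogic.wsee.security.bst.ServerBSTCredentialProvider</class-name><token-type>x509</token-type>
<configuration-property><name>IntegrityKeyStore</name>
<encrypt-value-required>false</encrypt-value-required><value>/opt/acmeks.jks</value></configuration-property>
<configuration-property><name>IntegrityKeyStorePassword</name><encrypt-value-required>true</encrypt-value-required>
<encrypted-value-encrypted>{3DES}CONSTRUCTED==</encrypted-value-encrypted></configuration-property>
<configuration-property><name>IntegrityKeyAlias</name>
<encrypt-value-required>false</encrypt-value-required><value>acme</value></configuration-property>
<configuration-property><name>IntegrityKeyPassword</name><encrypt-value-required>true</encrypt-value-required>
<encrypted-value-encrypted>{3DES}CONSTRUCTED==</encrypted-value-encrypted></configuration-property>
</webservice-credential-provider>
<webservice-credential-provider><name>CredentialProvider-1</name>
<configuration-property><name>IntegrityKeyPassword</name><encrypt-value-required>false</encrypt-value-required>
<value>changeit</value></configuration-property>
</webservice-credential-provider></webservice-security></domain>"""

# The four properties the console asks for when creating the default_wss configuration.
REQUIRED = {"IntegrityKeyAlias", "IntegrityKeyPassword",
            "IntegrityKeyStore", "IntegrityKeyStorePassword"}

def _text(elem, name):
    """Text of the first direct child called `name` in any (or no) namespace."""
    node = elem.find(f"{{*}}{name}")
    return None if node is None else (node.text or "").strip()

def audit_wss_config(xml_text):
    """Map each credential provider name to its findings; an empty list means clean."""
    findings = {}
    root = ET.fromstring(xml_text)
    for prov in root.iterfind(".//{*}webservice-credential-provider"):
        issues, seen = [], set()
        for prop in prov.iterfind("{*}configuration-property"):
            name = _text(prop, "name") or ""
            seen.add(name)
            if name.endswith("Password"):
                # A password must be marked for encryption and must not have a clear <value>.
                if _text(prop, "encrypt-value-required") != "true" or _text(prop, "value") is not None:
                    issues.append(f"{name} stored in cleartext")
                elif not (_text(prop, "encrypted-value-encrypted") or "").startswith("{"):
                    issues.append(f"{name} has no encrypted value")
        issues += [f"missing property {m}" for m in sorted(REQUIRED - seen)]
        findings[_text(prov, "name")] = issues
    return findings
```

Run it against a real domain's config.xml after the console has saved the configuration; the console-generated provider should come back with an empty list.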


Some built-in JWS policies are Auth.xml, Sign.xml and Encode.xml.
They can be specified together: a message can be subject to any one of these three, or to more than one at once.
