4 Ensuring Web Services Security

Web services security is described in the Oracle Application Server Web Services Security Guide The Security Guide contains the following chapters:

• Chapter 1, "Introduction"

  This chapter introduces essential Web service security concepts, standards, and specifications. It is divided into the following sections:

  • Web Service Security Concepts

  • Web Services Security Support in OC4J

  • Tool Support for Web Services Security

• Chapter 2, "Configuring Web Services Security"

  This chapter describes the Web service security configuration elements that can be used to secure a Web service on the client and the server. It is divided into the following sections:

  • Keystore Elements

  • Signature and Encryption Key Elements

  • Nonce Configuration Elements

  • Security Elements for Inbound Messages

  • Security Elements for Outbound Messages

• Chapter 3, "Administering Web Services Security"

  This chapter describes administration tasks for Web services security. It is divided into the following sections:

  • Using Keystores

  • Integrating Security Tokens with Security Providers

  • Using a Username Token

  • Using an X.509 Token

  • Using a SAML Token

  • Configuring XML Encryption

  • Configuring XML Signature

  • Combining Tokens, Encryption. and Signature

• Chapter 4, "Building Secure Web Services"

  This chapter provides the generalized steps for assembling a secure Web service. Oracle Application Server Web Services provides the WebServicesAssembler tool which enables you to assemble the service top down (from a WSDL) or bottom up (from Java classes, EJBs, or database resources).

  • Assembling a Secure Web Service

  • Creating a Server-Side Security Configuration File

  • Creating a Client-Side Security Configuration File

  • Client JAR Files

  • Adding Transport-Level Security to a Web Service

  • Ant Tasks and WebServicesAssembler

  • Getting an Authenticated User Identity in a Web Service Application

  • Performing JAAS Provider Authorization on a Web Service

  • WS-Security and XML APIs

  • Development Decisions

• Chapter 5, "Secure Web Service Usage Scenarios"

  This chapter discusses common scenarios for using Web service security. It begins with the simplest use case, then proceeds through increasingly more complex use cases. The first section of the chapter discusses use cases with no security implications; these are then modified to add security features. It contains the following sections:

  • Non-Secured Web Services

  • HTTP-Based Security

  • WS-Security

  • XML Signature

  • XML Encryption

  • Gateways

  • Identity Management

  • Interoperability

• Chapter 6, "Troubleshooting"

  This chapter describes solutions to some of the errors you might encounter when working with OracleAS Web Services Security. The errors are divided into these categories.

  • General Errors

  • Keystore-Related Errors

  • Message Integrity Errors

  • Message Confidentiality Errors

  • Authentication Errors

• Appendix A, "OracleAS Web Services Security Schema"

  This appendix describes the contents of the OracleAS Web Services Security schema file, oracle-webservices-security-10_0.xsd.

• Appendix B, "Security Threats and Solutions"

  This appendix describes how the functionality in OracleAS Web Services can be used to address the threats to security that are present in today's Web environment.

Additional Information

For more information on:

• securing a Web service, see the Oracle Application Server Web Services Security Guide

• adding Web service management information, including security, to a Web service, see Chapter 3, "Managing Web Services".

• adding reliability information to a Web service, see Chapter 5, "Ensuring Web Service Reliability".

• adding auditing and logging information to a Web service, see Chapter 6, "Auditing and Tracing Messages".

• assembling a Web service top down, see "Assembling a Web Service from a WSDL" in the Oracle Application Server Web Services Developer's Guide.

• using Java classes to assemble a Web service, see "Assembling a Web Service with Java Classes" in the Oracle Application Server Web Services Developer's Guide.

• using EJBs to assemble a Web service, see "Assembling a Web Service with EJBs" in the Oracle Application Server Web Services Developer's Guide.

• using JMS topics and destinations to assemble a Web service, see "Assembling Web Services with JMS Destinations" in the Oracle Application Server Web Services Developer's Guide.

• using database resources, such as PL/SQL packages, SQL queries, DML statements, Oracle Streams AQ, or server-side Java classes, to assemble a Web service, see "Assembling Database Web Services" in the Oracle Application Server Web Services Developer's Guide.

• assembling a J2EE Web Service client, see "Assembling a J2EE Web Service Client" in the Oracle Application Server Web Services Developer's Guide.

• assembling a J2SE Web service client, see "Assembling a J2SE Web Service Client" in the Oracle Application Server Web Services Developer's Guide.

• using WebServicesAssembler commands to assemble Web service artifacts, see "Using WebServicesAssembler" in the Oracle Application Server Web Services Developer's Guide.

• the contents of the oracle-webservices.xml deployment descriptor which contains the Web services management configuration, see "Packaging and Deploying Web Services", in the Oracle Application Server Web Services Developer's Guide.

• the contents of the wsmgmt.xml file which contains the security configuration, see Appendix A, "Understanding the Web Services Management Schema".