Sun Java System Application Server Enterprise Edition 8 2004Q4 XML and Web Services Security Guide |
What is WSS?WSS defines the binding of XML digital signatures, XML encryption, and username/password tokens to secure SOAP messages. WSS in the Application Server defines how to use WSS to secure invocations of Web services, including Web services deployed on our Application Server.
The Web Services Security (WSS) specification is developed at OASIS. The WSS specification defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication. WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
The WSS specification provides an extensible mechanism for associating security tokens with SOAP messages. The WSS specification itself does not define the format of the various types of security token. Instead, a series of security token profile documents have either been published or are in the process of being published. Each of these profile documents defines the use of a particular type of security token (e.g., X.509) to secure SOAP message using digital signatures or encryption.
Username token verification specifies a process for sending Username tokens along with the message. The receiver can validate the identity of the sender by validating the digital signature sent by the sender. A digital signature internally refers to a security token (for example, Username token or an X.509 Certificate token) to indicate the key used for signing. Sending these tokens with a message binds the identity of the tokens (and any other claims occurring in the security token) to the message. For more information about these security tokens, go to the URLs listed below:
- Username Token Profile, based on OASIS WSS Username Token Profile 1.0, which can be read at the following URL:
http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-username-token-profile-1.0.pdf- X.509 Certificate Token Profile, based on OASIS WSS X.509 Certificate Token Profile 1.0, which can be read at the following URL:
http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0.pdfSupport for message layer security is integrated into the Application Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Application Server. To enable message layer security, follow the steps outlined in Configuring The Application Server for Web Services Security.
This section contains the following topics:
Types of Message Level Security Tokens
The following types of message-level security tokens are available in this release of the Application Server:
The Application Server uses Username Tokens to deliver a user name and password and to authenticate the peer in the Web service invocation. Username tokens are typically used in lieu of digital signatures. Digital signatures are used to bind an authentication identity to the message content. Username tokens are used to bind an authentication identity to a message sender.
The Application Server uses XML Digital Signatures to authenticate the source of message content. Digital signatures is an authentication mechanism. Clients use digital signatures to establish their caller identity, analogous to the way basic authentication or SSL client certificate authentication have been used to do the same thing when transport layer security is being used. Digital signatures are used to enable the receiver to validate that the message has not be altered since it was signed, and as such can confirm that the signer defined the content (although they might not have sent it).
The XML Signature specification can be viewed at the following URL:
http://www.w3.org/TR/xmldsig-core/XML digital signatures are designed for use in XML transactions. It is a standard that was jointly developed by W3C and the IETF (RFC 2807, RFC 3275). The standard defines a schema for capturing the result of a digital signature operation applied to arbitrary data and its processing. XML signatures add authentication, data integrity, and support for non-repudiation to the signed data.
The purpose of encryption is to modify the data such that it can only be understood by its intended audience. This is accomplished by substituting an encrypted element for the original content. When predicated on public key cryptography, encryption can be used to establish the identity of the parties that can read a message.
The XML Encryption W3C standard can be viewed at the following URL:
http://www.w3.org/TR/xmlenc-core/XML Encryption specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data.
Implementation-Specific Terminology
The Application Server conforms to the WSS Soap Message Security specification, which can be viewed from the URL http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf. This specification is used in the Application Server’s underlying implementation of Web Services Security.
Some of the terminology used in this document is described in the WSS specification, and is summarized here. The concepts are also discussed in Configuring The Application Server for Web Services Security.
In this release of the Sun Java Systems Application Server, the Application Server invokes authentication providers to process SOAP message layer security. A client-side provider encrypts and authenticates (by signature or username/password) the outgoing messages such that they can only be viewed by their intended recipients, and such that the recipient can determine the caller or invocation identity to apply in the Web service invocation. A server-side provider would decrypt content and validate passwords or signatures in inbound messages to establish the authentication identity associated with the Web services invocation. Services act like clients and clients act like services when processing response messages.
Client-side providers are invoked on the client side of a SOAP message layer interaction. When entering the information for the client-side provider, enter the Java implementation class of the provider. Client authentication providers must implement the com.sun.xml.wss.provider.ClientSecurityAuthModule interface.
Server-side providers are invoked on the server side of a SOAP message layer interaction. When entering the information for the server-side provider, enter the Java implementation class of the provider. Server-side providers must implement the com.sun.xml.wss.provider.ServerSecurityAuthModule interface.
The request policy defines the authentication policy requirements associated with request processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.
A request policy includes an optional authenticate source and an authenticate recipient. When neither of these properties is specified, authentication of the recipient is not required. When before-content or after-content is specified, content authentication need not occur. If content authentication is also required, its relationship to recipient authentication is defined by the value of this property.
- Authenticate Source – Defines a requirement for message-layer sender authentication (e.g. username password) or content authentication (e.g. digital signature). Valid choices include:
- Authenticate Recipient – Define a requirement for message-layer authentication of the receiver of the request message to its sender (e.g. by XML encryption). Valid choices include:
To achieve message security, the request and response policies must be enabled on both the server and client. These policies are configure based on the type of authentication policies to be used. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.
Developers can define application-specific protection policy (as opposed to overriding the default) by defining a message security binding in the Sun-specific application deployment descriptors.
Read Actions of Security Policy Configurations for more information on how these configurations operate.
The response policy defines the authentication policy requirements associated with response processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.
A response policy includes an optional authenticate source and an authenticate recipient. When neither of these properties is specified, authentication of the recipient is not required. When before-content or after-content is specified, content authentication need not occur. If content authentication is also required, its relationship to recipient authentication is defined by the value of this property.
- Authenticate Source –Defines a requirement for message-layer sender authentication (e.g. username password) or content authentication (e.g. digital signature). Valid choices include:
- Authenticate Recipient – Defines a requirement for message-layer authentication of the receiver of the response message to its sender (e.g. by XML encryption). Valid choices include:
To achieve message security, the request and response policies must be enabled on both the server and client. These policies are configure based on the type of authentication policies to be used. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.
Developers can define application-specific protection policy (as opposed to overriding the default) by defining a message security binding in the Sun-specific application deployment descriptors.
Read Actions of Security Policy Configurations** for more information on how these configurations operate.
Actions of Security Policy Configurations
Table # shows possible security policy configurations and the resulting set and order of security operations performed by the WSS Provider auth modules for that configuration.
Rules for Performing Multiple Sign/Encrypt Operations
The WSS Provider modules can perform multiple sign/encrypt operations when a corresponding flag is set on the policies. The rules for mapping are as shown in Table #.