best practices for web saml

8/3/2019 Best Practices for Web Saml

1/9

Best Practices for web services, Part 12:

Web services security, Part 2

WS-Security in real-world solutions

Holt Adams, Senior Consulting IT Architect, IBM jStart

Summary: Conducting business in today's world usually requires that a company use

the Internet for both business-to-customer and business-to-business interactions.Information exchanged in business transactions is often mission-critical, market-valued,

or confidential; thus, while traversing the Internet, it must be protected from accidental

access or deliberate unauthorized control and use. Understanding the impact of howsecurity options in a Service-Oriented Architecture (SOA) leverage web services can

enable you to make the best selection of security technology to address your requirements

for authentications, data integrity, and confidentiality. Continuing from thepreviousarticle on web services security, Part 2 of this article outlines WS-Security capabilities

leveraged in real-world customer solutions with IBM WebSphere Application Server.

Tags for this article: architecture, on_demand_business,security,soa_(service-

oriented_architecture), ws-security

Tag this!Update My dW interests (Log in| What's this?) Skip to help for Update My dW interests

Date: 30 Mar 2004

Level: IntroductoryAlso available in: Japanese

Activity: 19894 viewsComments: 0 (View | Add comment - Sign in)

Average rating (13 votes)Rate this article

Show articles and other content related to my search: saml

Show descriptions | Hide descriptions

Introduction

The vendors that participate in the development of the WS-Security specification in the

OASIS standards body have been actively testing interoperability scenarios similar to the

one outlined in Part 1 of this article (see resources). The OASIS working group's primaryfocus is on the usability and compliance of the specification by vendors, not on a
http://www.ibm.com/developerworks/webservices/library/ws-best12/#author1%23author1http://www.ibm.com/developerworks/library/ws-best11/http://www.ibm.com/developerworks/library/ws-best11/http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=architecture%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=on_demand_business%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=security%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=security%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=soa_%2528service-oriented_architecture%2529%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=soa_%2528service-oriented_architecture%2529%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=soa_%2528service-oriented_architecture%2529%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=ws-security%27)http://www.ibm.com/developerworks/webservices/library/ws-best12/#%23https://www.ibm.com/developerworks/dwwi/DWAuthRouter?m=loginpage&d=http%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fwebservices%2Flibrary%2Fws-best12%2Fhttps://www.ibm.com/developerworks/dwwi/DWAuthRouter?m=loginpage&d=http%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fwebservices%2Flibrary%2Fws-best12%2Fhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#overlayhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#dwmyinterestaddhelphttp://www.ibm.com/developerworks/jp/webservices/library/ws-best12/http://www.ibm.com/developerworks/webservices/library/ws-best12/#icommentshttp://www.ibm.com/developerworks/webservices/library/ws-best12/http://www.ibm.com/developerworks/webservices/library/ws-best12/#iratingshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#showhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#hidehttp://www.ibm.com/developerworks/webservices/library/ws-best12/#resources%23resourceshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#togglehttp://www.ibm.com/developerworks/library/ws-best11/http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=architecture%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=on_demand_business%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=security%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=soa_%2528service-oriented_architecture%2529%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=soa_%2528service-oriented_architecture%2529%27)http://launchtagwindow%28%27/developerworks/mydeveloperworks/bookmarks/html?tag=ws-security%27)http://www.ibm.com/developerworks/webservices/library/ws-best12/#%23https://www.ibm.com/developerworks/dwwi/DWAuthRouter?m=loginpage&d=http%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fwebservices%2Flibrary%2Fws-best12%2Fhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#overlayhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#dwmyinterestaddhelphttp://www.ibm.com/developerworks/jp/webservices/library/ws-best12/http://www.ibm.com/developerworks/webservices/library/ws-best12/#icommentshttp://www.ibm.com/developerworks/webservices/library/ws-best12/http://www.ibm.com/developerworks/webservices/library/ws-best12/#iratingshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#showhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#hidehttp://www.ibm.com/developerworks/webservices/library/ws-best12/#resources%23resourceshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#author1%23author1


2/9

comprehensive interoperability suite or benchmark. The success of the scenario in Part 1

can be expected when both the Consuming Application and the Service Provider are on

the same vendor's platform, for example, IBM WebSphere Application Server. Workis still needed with interoperability between different vendors' platforms, however,

progress has been made via the informal OASIS testing.

Upon authentication of a party in a web services transaction, a company's security policy

often needs to be enforced. With a user's identity known as a result of a successfulauthentication, the application server such as WebSphere Application Server can perform

authorization to ensure proper access control of the application's resources, for example,

web services. Considering the scenario in Part 1, the identity provided in the X.509certificates (distinguished name), can be used within the WebSphere Application Server

J2EE security model for authorization, after the parties have been authenticated through

the successful validation of a digital signature.

Back to top

WebSphere Application Server support of WS-Security

WebSphere Application Server V5.02 supports XML Digital Signature and XML

Encryption as outlined by the WS-Security specification draft that was available when

V5.02 shipped at the end of 2003. The WS-Security specification is in its final approvalprocess within OASIS. WebSphere Application Server will adopt any changes to the

approved specification. The WebSphere Appplication Server's WS-Security function

allows the enablement of capabilities during deployment of the web servicesimplementations through a declarative model.

In order to utilize WS-Security with WebSphere Application Server, you do not actually

have to enable the WebSphere Application Server's J2EE Security. The trade-off you

must consider is that without WebSphere Application Server Security, you will not beable to set the security context in the thread of execution or leverage WebSphere

Application Server for coarse or fine-grain authorization to web services or their

operations.

WebSphere Application Server is able to support the scenario outlined in Part 1. Oneimportant aspect of the scenario is that for the Service Provider supporting a large

number of consumers, few administrative tasks are required. The only administrative

prerequisite for using WS-Security between itself and Consuming Applications is for theService Provider's local keystore to have the root certificate of the Certification Authority

that issues the Consuming Application's certificates.

For complete information on WebSphere Application Server support of WS-Security, see

the links provided in the Resourcesection of this article. The following provides anoverview of WebSphere Application Server's support of WS-Security as applicable to

customer scenarios covered in this section.
http://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pconhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#resources%23resourceshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#resources%23resourceshttp://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pconhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#resources%23resources


3/9

WebSphere Application Server supports XML Digital Signature as follows:

Web services request messages might have the following elements signed by

WebSphere Application Server:

o Security Token (UsernameToken, XML based token) in the SOAP header

o TimeStamp in the SOAP headero Body in the SOAP envelope

Web services response messages might have the following elements signed by


o TimeStamp in the SOAP header

o Body in the SOAP envelope

WebSphere Application Server supports XML Encryption as follows:

Web services request messages might have the following elements encrypted by


o Security Token (UsernameToken only) in the SOAP headero Body in the SOAP envelope

Web services response messages might have the following elements encrypted by

WebSphere Application Server:o Body in the SOAP envelope

WebSphere Application Server V5.02 and V5.1 currently support the various algorithms

for WS-Security that are listed below:

Digest Method

SHA-1

Signature Methods

PKCS1 (RSA-SHA1)

DSA

Key Encryption Methods

RSA Version 1.5

CMS Triple DES Key Wrap

Encryption Methods

Triple DES

Back to top
http://www.w3.org/2000/09/xmldsig#sha1http://www.w3.org/2000/09/xmldsig#rsa-sha1http://www.w3.org/2000/09/xmldsig#dsa-sha1http://www.w3.org/2001/04/xmlenc#rsa-1_5http://www.w3.org/2001/04/xmlenc#kw-tripledeshttp://www.w3.org/2001/04/xmlenc#tripledes-cbchttp://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pconhttp://www.w3.org/2000/09/xmldsig#sha1http://www.w3.org/2000/09/xmldsig#rsa-sha1http://www.w3.org/2000/09/xmldsig#dsa-sha1http://www.w3.org/2001/04/xmlenc#rsa-1_5http://www.w3.org/2001/04/xmlenc#kw-tripledeshttp://www.w3.org/2001/04/xmlenc#tripledes-cbchttp://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pcon


4/9

Customer WS-Security scenarios

Although approval for WS-Security specification from OASIS is not available at this

time, customers can still utilize the capabilities in proofs of concept or pilot solutions togain hands-on experience and to access its potential impact on their solutions'

performance. Below are three real-world customer uses of WS-Security.

Business-to-business using a business identity credential

Two partners had business requirements to better integrate their applications to improve

overall cycle times for customer and employee facing processes. The security modelbetween the two partners relied on a shared business identity credential for the

Consuming Application party and X.509 certificates for both parties. At the time, the

corporate security policies of the businesses stated that all confidential informationexchanged between the parties be protected using HTTPS between the boundary nodes at

each enterprise. For each web services request, the body of the SOAP message contains

the web services operation and associated message parts that are digitally signed usingX.509 certificates. One of the signed message parts includes the Consuming Application's

business identity and secret password. The Service Provider uses the credentials to

perform authorization in controlling access to the back-end business functions.

The Service Provider used this method, as authorization logic resides in the back-endlegacy systems. This solution provides only coarse-grained authorization by the

WebSphere Application Server front-end that exposes the party's business functions as

web services.

Each party imported the other's X.509 certificate into their keystores, so that if a request

or response is not signed with a known certificate in their keystore, the message isrejected. Once the Consuming Application is authenticated and the message's integrity is

validated, the request is passed to the web services implementation.

Figure 1 - B2B with business identity credential


5/9

Enterprise application integration using an individual's credential

A customer had several lines of businesses that required access to legacy systems. Thebusiness requirement was to provide internal applications on disparate systems access to

enterprise databases on legacy systems. A secondary goal was to position the customer toprovide its external business partners access to the same legacy systems. Each user that

requires access to the data has existing individual credentials -- his/her user ID andpassword -- within the corporate LDAP registry. A user is authenticated by the

Consuming Applications and their identity is passed in the web services request using the

WS-Security UsernameToken security token. The security token and the body of theSOAP message are digitally signed using X.509 certificates associated with the

Consuming Application. Upon the validation of the signatures, the Consuming

Application is authenticated.

At the Service Provider, WebSphere Application Server authentication is set up to use the

identity passed in the UsernameToken as an asserted identity that the ConsumingApplication has authenticated. WebSphere Application Server uses the identity in the

security context for the thread of execution when processing the request. This enablesWebSphere Application Server to provide fine-grain authorization of the web services

resources.

This solution utilizes a WebSphere Application Server WS-Security TimeStamp element

that is digitally signed to protect against replay attacks.


6/9

Since this solution is expected to support a large number of Consuming Applications,

minimizing the administrator's tasks for the Service Provider was a requirement. To

address this need, WS-Security was set up to provide the Consuming Application's X.509certificate as a binary security token within web services requests.

The business requirement is for the solution to be secure with no dependency on thenetwork transport. The architecture of the solution includes the ability for them to

leverage both XML Digital Signature and XML Encryption to address authentication,data integrity, and data confidentiality. However, depending on the overhead of XML

encryption, HTTPS can provide data confidentially. The trade-off for this choice is that

the security is only provided between network nodes (typically over the Internet) and isnot applicable for other network transports.

Figure 2 - EAI with individual's credential

Federated identity

A group of business partners had a requirement to enable their employees to accessapplications from their separate enterprises. Their goal was to improve their processes

and to allow each partner to provide their employees with a consolidated set of services

that leverage business functions of other partners. As an example, the business partnerstypically integrate supplier information for brokers to use during their sales cycle.


7/9

Although the business partners may have customized Web pages, the brokers must leave

this integrated Web environment and "jump" to specific supplier Web pages to retrieve

required information. Jumping between the Web sites of a business partner and suppliercreates a number of challenges including security issues, difficulty integrating content,

and confusion remembering a multitude of usernames, passwords, and Web site

addresses for various providers.

The primary partner who has the advantage in the relationships with its partners usesSecurity Assertion Markup Language (SAML) for controlling access to its web resources

(HTML, Servlets, JSPs). As a result, one of their requirements is to leverage SAML

assertions in controlling access to their web services.

The solution for these partners included a Federated Identity model where the ConsumingApplication authenticates its local users and makes web services requests asserting an

employee's identity. The Service Provider relies on the Consuming Application to

authenticate the user as in the previous customer scenario, but in this case, each partner

has a separate security domain. Thus when processing a web services request, theprovider needs to map the asserted identity to credentials that are valid for its security

domain. This model requires a trust relationship between any two partners. Mutualauthentication, using SSL and X.509 certificates, realizes the trust.

One of the primary goals of the partners was to not expose user credentials of their

security domain. To achieve this goal, the partners agree on a common pseudonym

mapped to each of their user identities. A person's Social Security Number is a goodexample of a pseudonym; however, for legal concerns it is not the best choice.

WS-Security can digitally sign the SAML assertions passed as an XML-based security

token in the SOAP header and to sign the body of the SOAP message. This provides theability to authenticate a Consumer Application and to ensure message integrity.Encrypting the network connection using HTTPS resulted in message confidentially for

this solution.

With the user identity provided in a SAML assertion as a pseudonym, the Service

Provider maps the pseudonym to a local user identity that is valid within its securitydomain. Since the business function contains authorization logic, the user identity is

passed as a HTTP header parameter within the Service Provider's environment when

invoking the web services implementations. As a result, WebSphere Application Serveronly provides coarse-grain authorization based on the digital signature's success.


8/9

Figure 3 - Federated identity with SAML

This solution was implemented prior to WebSphere Application Server's support of WS-

Security and uses custom WS-Security components. The solution signs the entire SOAP

message and provides a security context token in the response to the ConsumingApplication for use on follow-up requests. The security context token optimizes

performance similar to how traditional Web solutions use HTTP cookies for passing

security context.

WebSphere Application Server V5.02 and V 5.1 support passing XML-based token's

(such as SAML). However, one must provide a custom JAAS Login Module to

incorporate the user's identity from the token into WebSphere Application Server'ssecurity context in order to utilize WebSphere Application Server for authorization. Users

should consider WS-Security when application-to-application security is required, and

not just security over the Internet between network nodes at the enterprise boundary.

Back to top

Summary

Since WS-Security will have an impact on the overall response time and the number of

simultaneous requests that your solution can support, it is important that your decision to
http://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pconhttp://www.ibm.com/developerworks/webservices/library/ws-best12/#ibm-pcon%23ibm-pcon


9/9

use WS-Security is justified. In many cases, HTTPS with the transportKeepAlive enabled

will provide you with a significantly better-performing solution than what is possible

when using XML Digital Signature and XML encryption. Yet the extent to which HTTPSprovides you a better solution is really dependent on the overall processing times of your

business logic executed by your web services implementations. If your services are doing

simple inquiries into a well-indexed database that take less than 100 milliseconds, thenyou will see a big difference between the two choices. If your business logic is more

complex or distributed on remote systems and the processing takes a few seconds, the

choices might not result in much of a difference.

You should exercise caution when comparing the impact of WS-Security and a transport-dependent-based alternative such as HTTPS. The results of tests that only use web

services request messages that are simple string and where the service itself does nothing

more than echo the message as a response, may lead you to meaningless conclusions thatsolutions leveraging WS-Security will always result in significantly less performance

than solutions leveraging HTTPS security mechanisms. For example, sending a realistic

4K byte request message with a moderately complex XML structure verses sending a 4Kbyte test message with a simple string increases the SOAP engine's processing time by30%, thus reducing the overall differences between the two security mechanisms. When

your business logic executes and has to process real business information, something

other than the 25 millisecond echo, and performs real work, you are able to genuinelyunderstand the true impact that WS-Security will have on your solution.

When business requirements justify message integrity between application end points for

mission-critical data, market-valued data, or for confidential data, digital signature

capability provided by WS-Security is the good choice and is readily available onvendors' applications servers such as Websphere Application Server.

Both XML Digital Signature and XML Encryption will have an impact on your solution.

If performance is your primary concern over all other requirements, then HTTPS is your

best choice. A common practice today is to use XML Digital Signatures for applicationauthentication and data integrity and to rely on HTTPS to provide confidentiality.

Whether the impact of using both XML Digital Signature and XML Encryption is trivial

or significant can only be determined by enabling this capability within your applicationenvironment using real business data and business logic, and then measuring the

differences.

best practices for web saml

Documents