9781861007650

Professional Web Services Security

by ; ; ; ; ; ;
  • ISBN13:

    9781861007650

  • ISBN10:

    1861007655

  • Format: Trade Paper
  • Copyright: 2002-12-17
  • Publisher: Springer-Verlag New York Inc
List Price: $49.99

Table of Contents

Introduction 1(1)
What's Covered in this Book?
1(1)
Who is this Book For?
2(1)
What You Need To Use This Book
2(1)
Conventions
2(1)
Customer Support
3(4)
How to Download the Sample Code for the Book
3(1)
Errata
3(1)
E-Mail Support
3(1)
p2p.wrox.com
4(1)
Why this System Offers the Best Support
4(3)
Web Services
7(20)
A Recap of Web Services
7(3)
Hosted and Subscribable
8(1)
Web Service Integration
8(1)
The Revolution of Web Programming
9(1)
Associated Web Service Standards
9(1)
XML
9(1)
RPC, XML-RPC, and SOAP
9(1)
WSDL
10(1)
UDDI
10(1)
The Need for Web Services
10(7)
Dependability and Integrity for Internet Commerce
11(1)
Benefits of Transactions and Transactional Components
11(1)
Online Contracts and Verifiable Transactions
12(1)
Availability of Services
12(2)
Standardization of Web/Consumer Interaction
14(1)
Standards Acceptance for Internet Commerce
15(1)
Code Stability
15(1)
The Driving Committees
15(1)
W3C
16(1)
IETF
16(1)
OASIS-Open.org
16(1)
WebServices.org
17(1)
Web Services Architect
17(1)
Governmental and International Influence
17(1)
Business Motivating Factors for Web Services
17(5)
Reliability of Data
18(1)
Customer Access
18(1)
Local Commerce vs. International Commerce
19(1)
Streamlining Transaction Completion
19(1)
Motivating Factors Particular to a Business
19(1)
Web Service Requestors
20(1)
Motivating Factors Internal to Business
21(1)
Shared Code Base for Developers
21(1)
Eliminate Duplicate Development
21(1)
Simplified Installation Issues
21(1)
External Access to Internal Data
22(1)
The Development, Support, and Future of Web Services
22(1)
Web Service Standards
22(1)
Message Standards
22(1)
Business Areas for Web Services
22(1)
Industry Leader Involvement
23(1)
IBM
23(1)
SUN
23(1)
BEA
23(1)
Microsoft
23(1)
Future of Web Services
24(1)
Cost/Benefit Analysis
24(1)
Global Internet Commerce
24(1)
Summary
24(3)
Security
27(34)
Introduction to Security
28(6)
What Security Represents
28(1)
Integrity
28(1)
Assurance
29(1)
Verification
29(1)
Confidentiality
29(1)
Availability
29(1)
Why We Need Security
30(1)
Safeguarding Assets
30(1)
Representation of Ourselves to Customers
30(1)
Avoiding Liability
30(1)
Implementation Considerations
31(1)
Type and Amount of Data
31(1)
Type of Customers
31(1)
Transaction Requirements
31(1)
Response Times
32(1)
Resource Exposure
32(1)
Factors of Security
32(1)
Identification
32(1)
Authentication
33(1)
Authorization
33(1)
Integrity
33(1)
Confidentiality
34(1)
Non-Repudiation
34(1)
Web Services Security Implications
34(4)
Web Security Issues
34(1)
Hackers and Transaction Interception
35(1)
Certificates, Transport Layer Security, and Encryption
35(1)
Web Services-Specific Security Exploits
36(1)
XML Transactional and Identification Concerns
36(1)
Web Service Security Applications
37(1)
Authentication/Authorization
37(1)
Transport Layer
37(1)
Application Layer
37(1)
Security Terms and Concepts
38(21)
DMZ - Demilitarized Zone
38(1)
Transport Layer Security
39(1)
IPSec
39(1)
Firewalls
40(1)
Security by Specific IP
40(1)
Authentication Layer Security
41(1)
Programmatic Authentication
41(1)
Localized Authentication
41(1)
Authentication Services
42(1)
Certificates and Authentication
42(2)
Application Layer Security
44(1)
Public Key Cryptography
44(1)
SOAP Security Extensions
45(1)
Digital Security
46(1)
Digital Signature Provider Standards
46(1)
XML Security/XML Extensions
47(1)
XML Signature Tags
47(1)
XML Extensions
48(1)
XML Digital Signature Standards
48(1)
XKMS
48(1)
XACML, SAML, and XTAML
49(1)
XTASS
49(1)
WS-Security
49(1)
Security Standards Examples
50(1)
Transport Layer Security
50(1)
Firewall and IPSec Diagram
50(1)
Authentication Layer Security
51(1)
Authentication Service
51(1)
Certificates
52(1)
Application Layer Security
53(1)
SOAP Extensions
53(1)
XML Digital Signature
54(1)
Authentication Integration Example
55(1)
Guardian Interaction with School Web Server
55(1)
Interaction Between all Parties with Regard to the Document
56(1)
Transport Layer
56(1)
Authentication Layer
56(3)
Summary
59(2)
Authentication Mechanisms
61(46)
Authentication Mechanisms Overview
62(6)
Desired Features List
62(1)
Support Multiple Versions of Browser
62(1)
Level of Integration with Operating System for User Tracking
63(1)
Firewalls and Proxy Server Integration
63(1)
Level of Encryption Required
63(1)
Level of Client Interaction Needed
63(1)
Level of Programmatic Authentication within the Web Service
63(2)
Situations Overview
65(1)
Corporate Internal
65(1)
Remote Access
66(1)
Internet User
67(1)
Basic Authentication
68(2)
Architecture
69(1)
Internal User
69(1)
External User
69(1)
Pros
69(1)
Cons
69(1)
Basic over SSL
70(2)
Internal User Architecture
71(1)
External User Architecture
71(1)
Pros & Cons for Mechanism
71(1)
Pros
72(1)
Cons
72(1)
The Digest Mechanism
72(3)
Internal User Architecture
73(1)
External User Architecture
74(1)
Pros & Cons for Mechanism
74(1)
Pros
74(1)
Cons
74(1)
NTLM Authentication Mechanism
75(1)
Internal User Architecture
76(1)
Pros & Cons for Mechanism
76(1)
Pros
76(1)
Cons
76(1)
Client Certificates Mechanism
76(3)
Internal User Architecture
77(1)
Client without Certificate
78(1)
Client with Certificate
78(1)
External User Architecture
78(1)
Client without Certificate
78(1)
Client with Certificate
79(1)
Pros
79(1)
Cons
79(1)
Situational Case Example
79(6)
Scenario Description
80(1)
Architecture
80(1)
User Request Flow Diagrams
81(1)
Internal Management Users
81(1)
Remote Marketing Travelers
81(1)
External Marketing Companies
82(1)
Final Analysis and Decision
82(1)
Overall Decision
82(1)
Group by Group Decision
83(1)
Certificate Acquisition Diagram
84(1)
After Certificate Acquisition
84(1)
Project Liberty
85(1)
Security for Web Services
85(1)
What is a Network Identity?
86(1)
What is a Federated Network Identity?
86(1)
What is Liberty Alliance?
86(17)
Services Provided by the Liberty Specification
87(1)
Opt-in Account Linking
87(1)
Simplified Sign-On for Linked Account
87(1)
Global Logout
87(1)
Authentication Context
87(1)
Liberty Alliance Client Feature
88(1)
Specifications
88(1)
Architecture
89(1)
Web Redirection
90(1)
Web Services
90(1)
Metadata and Schemas
90(1)
Liberty Protocols
90(1)
Single Sign-on/Federation Protocol
91(1)
Name Registration
91(1)
Federation Termination Notification (Defederation)
92(1)
Single Logout
92(1)
Identity Federation Termination (Defederation) Protocol
92(1)
Global Logout Protocol
93(1)
Profiles and Bindings
93(2)
Liberty Browser Artifact Single Sign-on Protocol Profile
95(1)
Liberty Browser POST Single Sign-on Protocol Profile
95(1)
Liberty WML POST Profile
95(1)
Liberty Enabled Client and Proxy (LECP) Single Sign-on Protocol Profile
95(1)
Authentication Context Mechanisms
95(1)
Implementation Guidelines
96(1)
Identity Provider
96(1)
Service Provider
96(1)
User Agent
97(1)
Security Requirements
97(1)
Liberty Toolkits
97(1)
Resources
98(1)
Building Liberty Applications
99(1)
Getting Started
99(3)
Creating Liberty Services
102(1)
Other Federated Identity Initiatives
103(1)
Future Directions
103(1)
Summary
103(4)
PKI
107(32)
What is PKI?
108(16)
Cryptography
109(1)
Cryptalgorithms
109(1)
Secret Ciphers
110(2)
Key-based Encryption Algorithms
112(1)
Symmetric Key Algorithms
112(1)
Asymmetric Key Algorithms
113(2)
Hybrid Encryption
115(1)
Drawbacks
115(1)
Cryptanalysis
116(1)
Identity
117(1)
Digital Certificates
118(2)
Applications of Digital Certificates in Web Services
120(1)
Digital Signatures
121(2)
Digital Signature Considerations
123(1)
Quick Review
123(1)
Web Services and PKI
124(4)
Client Certificates
124(1)
PKI-Integrated Applications
124(1)
Internal vs. Delegated PKI
124(1)
Alternative Security Options
125(1)
Application-Level Encryption
125(1)
XML Security
126(1)
SOAP Security Extensions
126(1)
XPKI
126(1)
SAML
126(1)
The Problems
126(2)
Deploying a PKI
128(6)
Full Internal PKI
128(1)
Small Enterprise
128(1)
Large Enterprise
129(1)
Policies
129(1)
Delegated PKI
130(1)
Small Enterprise
130(1)
Large Enterprise
130(1)
Policies
130(1)
Technical View
131(1)
Lack of Understanding
131(1)
Confidence Structure for Key Management
131(1)
Vendor Product Partitioning
131(1)
RSA
132(1)
Entrust
132(1)
Baltimore
132(1)
Verisign
132(1)
Enterprise View
132(1)
Comprehensive Security
132(1)
Security for Prospective Customers
133(1)
Expense Component
133(1)
What We Really Need
133(1)
What's Really Available
133(1)
How much it All Costs
133(1)
PKI and Web Services: The Big Picture
134(3)
The Client
135(1)
Client Applications
135(1)
Web Browsers
135(1)
Web Servers
135(1)
PKI Support
136(1)
Summary
137(2)
SSL
139(42)
What is SSL?
140(5)
Origins
140(1)
What Does SSL Provide?
141(1)
What Doesn't SSL Provide?
142(1)
Client and Server Certificates
142(1)
Front-to-Back (or End-to-End) Security
143(2)
Why Do We Need SSL?
145(2)
HTTP
145(1)
Data is Open to Inspection
145(1)
Inability to Establish Participant Identities
145(1)
Server Destination
146(1)
Client Identity via Passwords
146(1)
No Guarantee of Data Integrity
147(1)
The SSL Solution
147(1)
How Does SSL Work?
147(8)
Overview
147(1)
The SSL Handshake Protocol
148(3)
The SSL Record Protocol
151(1)
Keeping Data Secure and Sound
152(1)
Session Security
152(1)
Symmetric Key Algorithms
152(1)
Data Encryption Standard (DES)
152(1)
Triple DES
153(1)
RC4
153(1)
IDEA
153(1)
Asymmetric Key Algorithms for Authentication
153(1)
RSA
153(1)
Message Integrity
153(1)
Secure Message Hashing
154(1)
Hashing Algorithms
154(1)
Operational Review
155(20)
SSL -- Two Views
155(1)
The Server
155(1)
Example - Creating a Server Certificate Request
156(6)
Forwarding the Request to the CA
162(3)
Installation of the Certificate
165(3)
The Client
168(1)
Example - Installing a Client Certificate
168(7)
SSL -- Limits, Caveats, and Successors
175(1)
Security
175(1)
Negatives
175(1)
Positives
175(1)
The Reality
175(1)
Caveats
176(1)
Successors
176(1)
How can Web Services take Advantage of SSL?
176(3)
SSL is Architecturally External
177(1)
Identity Validation
177(1)
Communication Security and Integrity
178(1)
The Cost of Security and Integrity
178(1)
Summary
179(2)
XML Signature
181(42)
Why XML Signature?
182(3)
Multiple Signatures
185(1)
Persistent Signatures
185(1)
Web Services and Signatures
185(2)
XML
185(1)
Remote Referencing
186(1)
Multiple Parties
187(1)
XML Signature Overview
187(6)
Basic XML Signature Structure
188(1)
Example: Detached Signature
189(1)
Example: Enveloping Signature
190(2)
Example: Enveloped Signature
192(1)
Example: Detached Signature and External Reference
193(1)
XML Signature Processing Steps
193(4)
XML Signature Generation
194(1)
Calculate the Digest of Each Resource
195(1)
Create the <SignedInfo> Element
195(1)
Generate the Signature Value
195(1)
Create the <Signature> Element
196(1)
XML Signature Validation
196(1)
Reference Validation
196(1)
Signature Validation
196(1)
Processing Instructions and Comments
197(1)
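The generation and validation steps listed above (digest each Reference, build SignedInfo, generate the SignatureValue, assemble the Signature element; then reference validation followed by signature validation), carried through in working code. This is an added illustration, not code from the book or its sample-code download. It assumes HMAC-SHA256 as the SignatureMethod (a MAC, so signer and verifier share one key), SHA-256 digests, and Python's built-in C14N 2.0 canonicalizer standing in for the C14N 1.0 and Exclusive C14N algorithms the chapter covers; the resource URIs, payloads and key are constructed for the demo.

```python
"""XML Signature core processing (detached signature), as an added illustration.

Assumptions beyond the book: HMAC-SHA256 SignatureMethod, SHA-256 digests, and
Python's C14N 2.0 canonicalizer. RESOURCES and KEY are constructed demo data."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS)

# Constructed sample resources that one detached signature will cover.
RESOURCES = {
    "urn:example:order-42": b"<order id='42'><item sku='A1' qty='2'/></order>",
    "urn:example:terms": b"Terms of sale, revision 3",
}
KEY = b"demo-shared-hmac-key"  # constructed; a real deployment loads it from a key store


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def canonical_bytes(element: ET.Element) -> bytes:
    # Canonicalize so that prefix choice and insignificant whitespace cannot
    # change the octets that are signed or verified.
    raw = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True, rewrite_prefixes=True).encode("utf-8")


def digest_of(uri: str, resolver: dict) -> str:
    # Reference processing with no <Transforms>: dereference and digest as delivered.
    return b64(hashlib.sha256(resolver[uri]).digest())


def sign(uris, key: bytes, resolver: dict = RESOURCES, key_name: str = "demo-key") -> str:
    sig = ET.Element(f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    for uri in uris:  # one <Reference> carrying the digest of each resource
        ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=uri)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_of(uri, resolver)
    # The signature covers canonical <SignedInfo>, never the data directly.
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(sig, encoding="unicode")


def verify(signature_xml: str, key: bytes, resolver: dict = RESOURCES) -> bool:
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    method = signed_info.find(f"{{{DS}}}SignatureMethod") if signed_info is not None else None
    # Pin the algorithms instead of trusting whatever the document declares.
    if method is None or method.get("Algorithm") != HMAC_SHA256:
        return False
    # Reference validation: every digest must match what we dereference now.
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        dm = ref.find(f"{{{DS}}}DigestMethod")
        if uri not in resolver or dm is None or dm.get("Algorithm") != SHA256:
            return False
        if not hmac.compare_digest(ref.findtext(f"{{{DS}}}DigestValue", ""), digest_of(uri, resolver)):
            return False
    # Signature validation: recompute the MAC over canonical <SignedInfo>.
    claimed = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    actual = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    return hmac.compare_digest(claimed, actual)


if __name__ == "__main__":
    detached = sign(list(RESOURCES), KEY)
    print(detached)
    print("valid:", verify(detached, KEY))
```

Two points the steps alone do not show: the KeyInfo element is outside SignedInfo, so changing it does not invalidate the signature, and an attacker who edits a resource and patches the matching DigestValue still fails because the DigestValue lives inside the signed SignedInfo.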
XML Processing Constraints
197(2)
Basic XML Processing
198(1)
DOM and SAX Processing
199(1)
XML Namespace Processing
199(1)
Character Encoding
199(1)
XML Signature Syntax
199(12)
Core Syntax
200(1)
The <Signature> Element
200(1)
The <SignatureValue> Element
200(1)
The <SignedInfo> Element
201(1)
The <CanonicalizationMethod> Element
201(1)
The <SignatureMethod> Element
202(1)
The <Reference> Element
202(2)
The Reference Processing Model
204(1)
The <Transforms> Element
205(1)
The <Transform> Element
206(1)
The <DigestMethod> Element
206(1)
The <DigestValue> Element
206(1)
The <KeyInfo> Element
206(1)
The <Object> Element
207(1)
Optional Signature Syntax
208(1)
The <Manifest> Element
208(1)
The <SignatureProperties> Element
209(1)
Processing Instructions and Comments
210(1)
Algorithms
211(4)
Message Digest
211(1)
SHA-1
211(1)
MD5
212(1)
Message Authentication Codes
212(1)
Signature Algorithms
213(1)
Canonicalization Algorithms
213(1)
Transform Algorithms
214(1)
User-Specified Algorithms
214(1)
Defining a User-Specified Algorithm
215(1)
Security Considerations
215(2)
Transform Considerations
215(1)
Only What is Signed is Secure
215(1)
Only What is Seen Should be Signed
216(1)
See What is Signed
216(1)
Security Model Considerations
216(1)
Other Considerations
217(1)
Implementations
217(3)
XML Signature Web Services
217(1)
XML Signature Toolkits
217(1)
Example: Create XML Signature Using .NET Framework
218(2)
Example: Verify XML Signature Using .NET Framework
220(1)
Limitations
220(1)
Summary
221(2)
XML Encryption
223(38)
Why XML Encryption?
224(3)
Encrypting Parts of a Document
224(1)
Multiple Encryptions
224(2)
Persistent Storage
226(1)
Web Services and XML Encryption
226(1)
XML Representation
226(1)
Multiple Parties
226(1)
XML Encryption Overview
227(1)
Basic XML Encryption Structure
227(1)
EncryptedData
227(1)
EncryptedKey
228(1)
XML Encryption Examples
228(10)
Encrypting the Entire XML Element
229(2)
Encrypting the XML Element's Content
231(1)
Encrypting XML Character Content
231(1)
Encrypting the XML Document
232(1)
Encrypting Arbitrary Content
232(1)
Option 1: Not using XML Encryption
233(1)
Option 2: Encrypt the Element Containing the Reference
233(1)
Option 3: Use <CipherReference> of XML Encryption
234(1)
Add it as a Child of the Image Element
234(1)
Refer from the Image Element
235(1)
Encrypting EncryptedData Element
236(1)
Adding Key Information
236(1)
Encrypting the Encryption Key
237(1)
XML Encryption Grammar
238(4)
The EncryptedData Element
239(1)
The EncryptedKey Element
240(1)
The CipherReference Element
241(1)
The EncryptionProperties Element
241(1)
Carrying Key Information
242(4)
Using ds:KeyInfo to Carry Key information
243(1)
Via ds:KeyName Element
243(1)
Via ds:RetrievalMethod Element
243(1)
Via Additional Elements of ds:KeyInfo
244(1)
Using EncryptedKey to Carry Key Information
245(1)
Which Option to Use?
245(1)
Encryption Guidelines for XML Documents
246(2)
Serialization Guidelines for XML Fragments
246(1)
Encryption Guidelines for Arbitrary Data
247(1)
Algorithms
248(4)
Block Encryption
248(1)
Key Transport
248(1)
Key Agreement
249(1)
Symmetric Key Wrap
249(1)
Message Digest
249(1)
Message Authentication
250(1)
Canonicalization
250(1)
Inclusive Canonicalization
250(1)
Exclusive Canonicalization
251(1)
Encoding
251(1)
Relationship with the XML Signature
252(4)
Decryption Transform
252(1)
Example use of the dcrpt:Except Element
252(2)
Modes of Operation
254(1)
Restrictions and Limitations of the XML Mode of Operation
254(2)
Security Considerations
256(1)
Plain Text Guessing Attacks
256(1)
Sign What You See
257(1)
Symmetric Key
257(1)
Initialization Vector
257(1)
Denial of Service
257(1)
Limitations
257(1)
Future Directions
258(1)
Implementations
258(1)
XML Encryption Toolkits
259(1)
Summary
259(2)
XKMS
261(42)
Key Management Issues
262(3)
PKI Complexities
262(1)
Example: MyTravels.com
262(3)
XKMS Overview
265(3)
XKMS Services
265(1)
Example using XKMS Services
266(2)
XKMS Benefits
268(1)
XKMS Namespaces
268(1)
XKISS and XKRSS
268(1)
XML Key Information Specification
268(12)
XKISS Services
269(1)
Locate Service
270(1)
Locate Service Example
270(1)
Locate Request
271(1)
Locate Response
271(1)
Validate Service
272(1)
Validate Service Example
273(1)
Validate Request
273(1)
Validate Response
274(1)
Ensuring the Validity of XKISS Service Response
275(1)
XKISS Message Specification
275(1)
Locate Request Message
276(1)
Locate Response Message
276(1)
Validate Request Message
276(1)
Validate Response Message
277(1)
Respond Element
277(1)
Result Element
278(1)
KeyBinding Element
279(1)
XML Key Registration Specification
280(8)
Key Registration
280(1)
Example: Client-Generated Key Pair
281(1)
Registration Request
281(1)
Registration Response
282(1)
Service-Generated Key Pair
283(1)
Key Reissue
284(1)
Key Revocation
284(1)
Revoke Request
284(1)
Key Recovery
285(1)
Request Authentication
285(1)
XKRSS Message Specification
286(1)
Prototype Element
286(1)
AuthInfo Element
286(1)
AuthUserInfo Element
286(1)
AuthServerInfo Element
287(1)
Register Request Message
287(1)
Reissue, Revoke, and Recover Request Messages
288(1)
Register Response Message
288(1)
Reissue, Revoke, and Recover Response Messages
288(1)
SOAP Binding
288(1)
Bulk Operations
289(3)
Bulk Registrations Uses
289(1)
X-BULK Specification
289(1)
X-BULK Request
290(1)
X-BULK Response
291(1)
Security Considerations
292(1)
Replay Attacks
292(1)
Denial of Service
293(1)
Recovery Policy
293(1)
Limited Use Shared Data
293(1)
Future of XKMS
293(1)
Implementations
294(6)
Client Side Technologies and Options
294(1)
Server Side Options
295(1)
XKMS Implementations
296(1)
Verisign Implementation
297(1)
Verisign Client Toolkit
297(1)
Register a Client Generated Keypair
298(1)
Locate a Key using KeyName
299(1)
Summary
300(3)
SAML
303(52)
What is SAML
303(5)
Who's Behind SAML
304(1)
Why SAML is needed
304(1)
The SAML Specification
305(1)
Assertions
305(1)
Protocols
305(1)
Bindings
306(1)
Profiles
307(1)
Benefits of SAML
307(1)
The SAML Specification Documents
308(28)
Use Cases
308(1)
Requirements
309(1)
Single Sign-on Use Case
309(1)
Pull Scenario
309(1)
Push Scenario
310(1)
Third-Party Scenario
311(1)
Authorization Use Case
312(1)
Back-Office Transaction Use Case
313(1)
The Back-Office Transaction Scenario
313(1)
The Third-Party Security Service Scenario
314(1)
Intermediary Add Service Scenario
315(1)
User Session Use Case
316(1)
Session Management
316(1)
Requirements
316(1)
Single Sign-on Use Case
317(1)
Time-out Use Case
317(1)
Logout Use Case
318(1)
Session Management Messages
319(1)
The Core Specification
320(1)
Assertions
320(3)
The <Assertion> Element
323(1)
The <Conditions> Element
324(1)
The <Subject> Element
325(1)
The <AuthenticationStatement> Element
326(1)
The <AttributeStatement> Element
327(1)
The <AuthorizationDecisionStatement> Element
328(1)
Protocol Request and Response
328(1)
Request
328(1)
RequestAbstractType
329(1)
The <Request> Element
330(1)
Response
330(2)
The <Response> Element
332(1)
XML Digital Signature
333(1)
Bindings
334(1)
Profiles
335(1)
Push or Browser Post Profile
336(1)
Pull or Browser Artifact Profile
336(1)
Key Standards and Specifications Related to SAML
336(2)
Products and Toolkits
338(10)
Netegrity's JSAML Toolkit
341(1)
JSAML's API
341(1)
Assertion Classes
341(1)
Protocol Classes
342(1)
Digital Signature Classes
342(1)
The Content Portal Example using JSAML
342(1)
Redirect Web Service
343(2)
Syndicated Web Service
345(3)
Liberty Alliance, Microsoft Passport, and SAML
348(4)
Liberty Alliance Overview
349(1)
Liberty Alliance Objectives
349(1)
Functional Requirements
350(1)
Identity Federation
350(1)
Pseudonyms
350(1)
Global Logout
350(1)
Authentication
350(1)
Liberty Alliance Specification Documents
351(1)
Overview of the Specification Documents
351(1)
Liberty Architecture Overview
351(1)
Liberty Bindings and Profiles Specification
351(1)
Liberty Protocols and Schemas Specification
351(1)
Liberty Authentication Context Specification
352(1)
Liberty Architecture Implementation Guidelines
352(1)
Recent Developments
352(1)
The Future of SAML
352(1)
Summary
353(2)
XACML
355(36)
Who's behind XACML?
355(1)
The Need for XACML
356(1)
Access Control Lists
357(2)
AclEntry Interface
357(1)
ACL Interface
358(1)
Group Interface
359(1)
SAML and Roles Database
359(3)
The XACML Specification Documents
362(27)
Application Use Cases
363(1)
Use Case 1: Online Access Control
363(1)
Use Case 2: Policy Provisioning
364(1)
Use Case 3: SAML Authorization Decision Request
365(1)
Use Case 4: Attribute-Dependent Access Control on XML Resources
365(2)
Use Case 5: Requester-Dependent Access Control on XML Resources
367(1)
Use Case 6: Provisional Access Control on XML Resources
368(1)
Use Case 7: Provision User for Third-Party Service
369(1)
Committee Working Draft
370(1)
Requirements
370(1)
XACML Context
371(1)
Policy Language Model
372(1)
Policy
372(1)
PolicySet
373(1)
Target
373(1)
Rule
373(1)
Obligations
373(1)
Effect
373(1)
Policy Language Model Syntax
374(3)
PolicySet Element
377(1)
Target Element
378(1)
Policy Element
379(1)
Rule Element
380(1)
Obligation Element
380(1)
XACML Access Control XML Example
381(1)
Tax Record
381(1)
XACML Request
382(2)
Request Element
384(1)
Attribute Element
384(1)
XACML Response
384(1)
Response Element
385(1)
Decision Flow
386(1)
PDP
386(1)
Policy and PolicySet
387(1)
PEP
388(1)
The Future of XACML
389(1)
Summary
389(2)
WS-Security
391(28)
What is WS-Security?
392(1)
An Umbrella of Security for Web Services
392(24)
Design Principles
392(1)
Decentralization
392(2)
Modularity
394(1)
Transport Neutrality
395(2)
Application Domain Neutrality
397(1)
Different Aspects of Security
397(1)
Brief Explanation of the WS-Security Schema
397(2)
The licenseLocation Element
399(1)
The credentials Element
399(1)
The Integrity and Confidentiality Elements
399(1)
The Security Element
400(2)
Message Integrity
402(1)
XML Signatures
403(1)
The Signature Element
404(1)
Transforms
405(1)
Algorithm for Digital Signature
405(1)
The KeyInfo Element
405(1)
Preventing Replay Attacks using the <Timestamp> Element
405(2)
Security Token Propagation
407(1)
Username Token
407(1)
Binary Security Token
408(1)
Security Token Reference Element
409(1)
Message Confidentiality
409(3)
Credentials Transfer
412(2)
Putting it All Together
414(2)
Advantages of WS Security
416(1)
Limitations
417(1)
Summary
417(2)
P3P
419(34)
Understanding Privacy
420(5)
Privacy Concerns
420(1)
Web Site Surveillance Techniques
421(1)
Browser and Server Logs
422(1)
Cookies
422(1)
Web Bugs
423(1)
Spyware
424(1)
Privacy Solutions
424(1)
Privacy Policies
424(1)
Privacy Certification Programs
424(1)
Privacy Laws and Organizations
425(1)
Software Tools
425(1)
History of P3P
425(1)
Understanding P3P
426(8)
How does P3P Work?
427(2)
Understanding the Specification
429(1)
Example of a P3P Policy file
429(3)
Compact Policies
432(2)
P3P Tools
434(6)
Internet Explorer 6.0
435(2)
AT&T Privacy Bird
437(2)
IBM P3P Policy Editor and Parser
439(1)
Implementing P3P on Your Site
440(8)
Overview
441(1)
Planning and Development
442(1)
What does a Policy Cover?
442(1)
Create a Natural Language Privacy Policy for your Company
442(1)
How many Policies for your Site?
443(1)
Where will you Place the Policy Reference File?
443(1)
Will you Provide Compact Policies?
443(1)
Will you have Policies Specific to Cookies?
443(1)
How will you Handle Policy Updates?
444(1)
Create the P3P Policy for your Site
444(1)
Create a Policy Reference File
444(1)
Deployment
444(1)
Place the Policy Files
445(1)
Configure the Web Server for P3P Compact Policies
445(1)
Apache
445(1)
Microsoft Internet Information Server (IIS)
446(1)
Test the Site
447(1)
Tracking and Maintaining P3P policies
447(1)
P3P and Web Services
448(1)
Challenges to P3P Deployment
449(1)
Lack of Interest in Protecting Users' Privacy
449(1)
Lack of Enforcement
449(1)
EU Recommendation
450(1)
Expensive to Maintain and Implement
450(1)
The Future of P3P
450(1)
Summary
451(2)
J2EE Web Services: Case Study
453(46)
Case Study Overview
453(2)
Configuration
454(1)
Installation Instructions
454(1)
Verifying the Installation
455(1)
Version 0.1
455(20)
Application Tour
456(1)
Web Services
457(1)
getAccounts Web Service
457(1)
getAccountBalance Web Service
458(1)
transferFunds Web service
459(1)
Java Code
460(1)
AccountBalancesPanel.java
460(2)
BankGateway.java
462(2)
Client.java
464(4)
GetInfoActionListener.java
468(1)
TransferFundsListener.java
469(2)
TransferFundsPanel.java
471(1)
Bank.java
472(2)
deploy.wsdd
474(1)
Run the Application
474(1)
Version 0.2
475(12)
XML Signatures
475(1)
Creating Keys and a Certificate
475(1)
Revising the Application
476(1)
getAccounts with an XML Signature
476(2)
Java Code
478(1)
AddSignature.java
479(1)
SecurityUtils.java
480(1)
SignedSOAPEnvelope.java
481(3)
ValidateSignature.java
484(2)
serverdeploy.wsdd
486(1)
client-config.wsdd
486(1)
Run the Application
487(1)
Version 0.3
487(9)
XML Encryption
488(1)
Verisign Trust Services Integration Kit
488(1)
Revising the Application
488(1)
getAccountBalance Web Service with XML Signature and XML Encryption
488(2)
Java Code
490(1)
Encrypt.java
490(2)
Decrypt.java
492(1)
SecurityUtils.java
493(2)
Run the Application
495(1)
Summary
496(3)
.NET Web Services: Case Study
499(54)
Web Service Framework Architecture
499(1)
Web Services Security Architecture
500(1)
Case Study: WROX Bank
501(1)
Authentication and Credentials
501(1)
Message Confidentiality
502(1)
Message Integrity
502(1)
The OpenService Web Service
502(16)
The Web Service in a Web Browser
503(4)
The SOAP Messages for the Web Service
507(1)
Creating a Client Application
508(3)
Generating a Proxy for the Web Service
511(1)
Client Application
511(5)
Pitfalls of our Web Service
516(1)
Eavesdropping
517(1)
Data Modification
517(1)
Identity Spoofing (IP Address Spoofing)
517(1)
Man-in-the-Middle Attack
517(1)
Sniffer Attack
517(1)
Creating and Configuring a Web Service for Basic HTTP Authentication in IIS
518(5)
IIS Authentication
518(1)
IP/DNS Security
518(1)
Windows Security
518(1)
Creating the Basic HTTP Authentication Service
519(1)
Creating the Basic HTTP Authentication Client
519(3)
Pitfalls of Basic HTTP Authentication
522(1)
Creating and Configuring a Web Service for SOAP Headers
523(4)
Creating the Client for the SOAPHeaderService
526(1)
Cryptography and Web Services
527(13)
Cryptographic Algorithms in .NET
528(1)
Stream Oriented Design
528(1)
Symmetric Algorithms
528(1)
Asymmetric Algorithms
529(1)
Hashing Algorithms
529(1)
Using Cryptography in Message Encryption
529(1)
Creating the SOAP Encryption Web Service
530(1)
Extending the Credentials Object
530(2)
Passing the Public Key to the Client Application
532(1)
Creating the GetAccountBalance() Method
533(3)
Creating the TransferMoney() Method
536(1)
Creating the SOAP Encryption Client Code
537(1)
Coding of Client Side Encryption
537(1)
The EncryptHeaderInformation() Method
538(2)
Pitfalls to be Wary Of and Precautions to be Taken
540(1)
Digitally Signing SOAP Messages
540(1)
A WSDK Service
541(9)
Configuration of the Certificate Store on the Server
542(1)
Setting up the Web Service
542(3)
Setting up the WSDK Client
545(1)
Adding a Proxy Object to the WSDK Web Service
545(1)
The GetInfo_WSDKService() Method
546(2)
The GetCertificate() Method
548(1)
The GetToken() Method
548(1)
The TransferMoney_WSDKCertificate() method
549(1)
Advantages and Pitfalls of the WSDKService
550(1)
Summary
550(3)
Appendix A: Toolkits 553(4)
Resources
553(1)
Standards Chart
554(3)
Appendix B: Tomcat/Axis Installation 557(10)
Tomcat Windows Installer
558(3)
NT Service
558(1)
JSP Development Shell Extensions
559(1)
Start Menu Group
559(1)
Tomcat Documentation
559(1)
Example Web Applications
559(1)
Source Code
559(1)
Setting Environment Variables
559(1)
%Catalina_Home%
560(1)
Windows 9x-and ME-Specific Issues
560(1)
Installing Tomcat On Windows Using the ZIP File
561(1)
Installing Tomcat On Linux
561(2)
Viewing the Default Installation
563(1)
Installing Axis
563(4)
Appendix C: Tomcat SSL Configuration 567(4)
Generating Keystores and Certificates
567(1)
Tomcat Configuration
568(3)
Deployment of Secure Web Service
568(3)
Index 571
