Forewords | p. xx |
Introduction | p. 1 |
Who This Book Is For | p. 1 |
About This Book | p. 1 |
How This Book Is Organized | p. 2 |
Basic Concepts of Web Services Security | p. 5 |
Web Services Basics: XML, SOAP, and WSDL | p. 6 |
XML and XML Schema | p. 6 |
SOAP | p. 7 |
WSDL | p. 9 |
UDDI | p. 9 |
Application Integration | p. 9 |
B2B Business Process Integration | p. 10 |
Portals | p. 11 |
Service-Oriented Architectures | p. 11 |
Definition of Web Services | p. 12 |
Security Basics | p. 12 |
Shared Key and Public Key Technologies | p. 13 |
Security Concepts and Definitions | p. 16 |
Web Services Security Basics | p. 19 |
XML Signature | p. 19 |
XML Encryption | p. 20 |
SAML | p. 20 |
WS-Security | p. 21 |
Trust Issues | p. 22 |
Other WS-Security-Related Specs | p. 22 |
Summary | p. 22 |
The Foundations of Web Services | p. 25 |
The Gestalt of Web Services | p. 25 |
Application Integration | p. 25 |
The Evolution of Distributed Computing | p. 28 |
The Inevitability of Web Services | p. 32 |
Security Challenges | p. 35 |
XML: Meta-Language for Data-Oriented Interchange | p. 37 |
Where XML Came From and Why It's Important | p. 38 |
XML and Web Services | p. 39 |
XML Namespaces | p. 39 |
XML Schema | p. 42 |
XML Transformations | p. 43 |
XML's Role in Web Services Security | p. 46 |
SOAP: XML Messaging and Remote Application Access | p. 49 |
Where SOAP Came From and Why It's Important | p. 50 |
SOAP Envelope | p. 52 |
SOAP Header | p. 53 |
SOAP Body | p. 53 |
SOAP Processing | p. 55 |
SOAP Attachments | p. 55 |
SOAP and Web Services Security | p. 55 |
WSDL: Schema for XML/SOAP Objects and Interfaces | p. 56 |
Where WSDL Came From and Why It's Important | p. 56 |
WSDL Elements | p. 58 |
WSDL and SOAP | p. 61 |
WSDL and Web Services Security | p. 61 |
UDDI: Publishing and Discovering Web Services | p. 62 |
ebXML and RosettaNet: Alternative Technologies for Web Services | p. 65 |
The Web Services Security Specifications | p. 65 |
Summary | p. 67 |
The Foundations of Distributed Message-Level Security | p. 69 |
The Challenges of Information Security for Web Services | p. 69 |
Security of Distributed Systems Is Hard | p. 69 |
Security of Exchanged Information (Messages) Is Harder | p. 70 |
Security of Web Services Is Hardest | p. 71 |
Shared Key Technologies | p. 72 |
Shared Key Encryption | p. 72 |
Kerberos | p. 75 |
Limitations of Shared Key Technologies | p. 76 |
Public Key Technologies | p. 76 |
Public Key Encryption | p. 76 |
Limitations of Public Key Encryption | p. 79 |
Digital Signature Basics | p. 80 |
A Digital Signature Expressed in XML | p. 85 |
Public Key Infrastructure | p. 86 |
SSL Transport Layer Security | p. 97 |
Summary | p. 102 |
Safeguarding the Identity and Integrity of XML Messages | p. 105 |
Introduction To and Motivation for XML Signature | p. 105 |
A W3C Standard | p. 105 |
Critical Building Block for WS-Security | p. 105 |
Close Associations with Web Services Security | p. 106 |
The Goal of Ensuring Integrity (and Usually Identity) and Non-repudiation Persistently | p. 106 |
XML Signature and XML Encryption: Fundamental Web Services Security Technologies | p. 106 |
XML Signature Fundamentals | p. 107 |
XML Signature Structure | p. 107 |
Basic Structure | p. 108 |
Specifying the Items Being Signed | p. 109 |
Types of XML Signatures | p. 109 |
The Signature Element Schema | p. 113 |
XML Signature Processing | p. 116 |
XML Signature Generation | p. 117 |
XML Signature Validation | p. 119 |
The XML Signature Elements | p. 120 |
The SignedInfo Element | p. 120 |
The CanonicalizationMethod Element and Canonicalization | p. 120 |
The SignatureMethod Element | p. 125 |
The Reference Element | p. 125 |
The Transform Element | p. 127 |
The DigestMethod Element | p. 132 |
The DigestValue Element | p. 133 |
The SignatureValue Element | p. 133 |
The Object Element | p. 133 |
The KeyInfo Element | p. 137 |
Security Strategies for XML Signature | p. 140 |
Using Transforms | p. 140 |
Knowing the Security Model | p. 141 |
Knowing Your Keys | p. 142 |
Signing Object Elements | p. 142 |
Signing DTDs with Entity References | p. 142 |
Summary | p. 144 |
Ensuring Confidentiality of XML Messages | p. 147 |
Introduction to and Motivation for XML Encryption | p. 147 |
Relating XML Encryption and XML Signature | p. 147 |
Critical Building Block for WS-Security | p. 148 |
The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients | p. 149 |
Think Shared Key Cryptography When You Think of XML Encryption | p. 149 |
XML Encryption Will Become Part of the Infrastructure Like XML Signature | p. 149 |
XML Encryption Fundamentals | p. 150 |
XML Encryption Structure | p. 151 |
EncryptedData: The Core of XML Encryption | p. 151 |
EncryptedData Schema | p. 152 |
EncryptedType | p. 153 |
EncryptionMethod | p. 154 |
CipherData | p. 154 |
EncryptionProperties | p. 155 |
KeyInfo | p. 156 |
EncryptedKey | p. 157 |
AgreementMethod | p. 159 |
ReferenceList | p. 160 |
CarriedKeyName | p. 161 |
Super Encryption | p. 162 |
XML Encryption Processing | p. 163 |
Encryption Process | p. 163 |
Decryption Process | p. 164 |
Using XML Encryption and XML Signature Together | p. 165 |
The Decryption Transform for XML Signature | p. 168 |
XML Encryption and XML Signature Strategies | p. 175 |
Summary | p. 176 |
Portable Identity, Authentication, and Authorization | p. 177 |
Introduction to and Motivation for SAML | p. 178 |
The Problems SAML Addresses | p. 179 |
Transporting Identity or "Portable Trust" | p. 181 |
The Concept of Trust Assertions | p. 181 |
How SAML Works | p. 181 |
SAML Assertions | p. 184 |
SAML Producers and Consumers | p. 188 |
SAML Protocol | p. 189 |
Authorization Request | p. 191 |
SAML Bindings | p. 192 |
SAML Profiles | p. 194 |
Using SAML with WS-Security | p. 195 |
The WS-Security SAML Profile | p. 196 |
Applying SAML: Project Liberty | p. 197 |
The Identity Problem | p. 197 |
Federated Identity | p. 197 |
How Liberty Uses SAML | p. 198 |
The Microsoft Passport Alternative Approach | p. 199 |
Summary | p. 200 |
Building Security into SOAP | p. 201 |
Introduction to and Motivation for WS-Security | p. 201 |
Problems and Goals | p. 201 |
The Origins of WS-Security | p. 205 |
WS-Security Is Foundational | p. 206 |
Extending SOAP with Security | p. 206 |
Security Tokens in WS-Security | p. 208 |
UsernameToken | p. 209 |
BinarySecurityTokens | p. 212 |
XML Tokens | p. 215 |
Referencing Security Tokens | p. 220 |
Providing Confidentiality: XML Encryption in WS-Security | p. 222 |
Shared Key XML Encryption | p. 222 |
Wrapped Key XML Encryption | p. 223 |
Encrypting Attachments | p. 224 |
WS-Security Encryption Summary | p. 227 |
Providing Integrity: XML Signature in WS-Security | p. 227 |
XML Signature for Validating a Security Token | p. 227 |
XML Signature for Message Integrity | p. 228 |
XML Signature in WS-Security Considerations | p. 228 |
WS-Security XML Signature Example | p. 228 |
Signing a Security Token Reference | p. 229 |
Message Time Stamps | p. 230 |
Summary | p. 232 |
Communicating Security Policy | p. 235 |
WS-Policy | p. 235 |
WS-Policy and WSDL | p. 236 |
WS-Policy and WS-SecurityPolicy | p. 236 |
The WS-Policy Framework | p. 237 |
WS-Policy Details | p. 238 |
WS-PolicyAssertions | p. 240 |
WS-PolicyAttachment | p. 241 |
Specifying WS-Policy in WSDL | p. 242 |
WS-SecurityPolicy | p. 245 |
SecurityToken | p. 245 |
Integrity | p. 248 |
Confidentiality | p. 250 |
Visibility | p. 251 |
SecurityHeader | p. 252 |
MessageAge | p. 253 |
Summary | p. 253 |
Trust, Access Control, and Rights for Web Services | p. 255 |
The WS-* Family of Security Specifications | p. 255 |
WS-* Security Specifications for Trust Relationships | p. 258 |
WS-* Security Specifications for Interoperability | p. 265 |
WS-* Security Specifications for Integration | p. 269 |
XML Key Management Specification (XKMS) | p. 272 |
Origins of XKMS | p. 272 |
Goals of XKMS | p. 272 |
The XKMS Services | p. 273 |
eXtensible Access Control Markup Language (XACML) Specification | p. 279 |
The XACML Data Model | p. 280 |
XACML Operation | p. 281 |
XACML Policy Example | p. 282 |
eXtensible Rights Markup Language (XrML) Management Specification | p. 284 |
The XrML Data Model | p. 285 |
XrML Use Case Example | p. 285 |
Summary | p. 290 |
Building a Secure Web Service Using BEA's WebLogic Workshop | p. 293 |
Security Layer Walkthrough | p. 294 |
Transport-Level Security | p. 295 |
Message-Level Security | p. 296 |
Role-Based Security | p. 297 |
WebLogic Workshop Web Service Walkthrough | p. 297 |
Transport Security | p. 302 |
Message-Based Security | p. 312 |
Summary | p. 330 |
Security, Cryptography, and Protocol Background Material | p. 331 |
The SSL Protocol | p. 331 |
Testing for Primality | p. 333 |
RSA Cryptography | p. 334 |
Choosing RSA Key Pairs | p. 335 |
Padding | p. 335 |
RSA Encryption | p. 335 |
RSA Decryption | p. 336 |
DSA Digital Signature Algorithms | p. 336 |
DSA Key Generation | p. 336 |
DSA Algorithm Operation | p. 337 |
Block Cipher Processing | p. 337 |
Block Cipher Padding (PKCS#5) | p. 337 |
Block Cipher Feedback | p. 338 |
DES Encryption Algorithm | p. 338 |
AES Encryption Algorithm | p. 339 |
Hashing Details and Requirements | p. 339 |
Motivation for Using Hash Functions | p. 340 |
Requirements for Digital Signature | p. 340 |
SHA1 | p. 340 |
Collision Resistance | p. 341 |
Security | p. 341 |
Simplicity and Efficiency | p. 341 |
Silvio Micali's Fast Validation/Revocation | p. 341 |
Validity Check | p. 342 |
Revocation | p. 343 |
Canonicalization of Messages for Digital Signature Manifests | p. 343 |
Canonicalization V1 Transform Steps | p. 343 |
Canonicalization Subtleties: Exclusive Canonicalization | p. 344 |
Base-64 Encoding | p. 345 |
PGP | p. 346 |
Glossary | p. 347 |
Index | p. 367 |
Table of Contents provided by Ingram. All Rights Reserved.