Web Services Security Progress Report

Moving forward - and on schedule

For the past several years there has been widespread agreement that the adoption of Web services for production applications will be limited, particularly for B2B transactions, until standardized security mechanisms, designed specifically for Web services, become available. While some applications can be adequately protected using the familiar SSL and TLS security protocols, their limitations make them unsatisfactory for many others.

For these reasons work began more than 18 months ago to standardize new security mechanisms specifically designed for the Web services environment. This article summarizes the work so far, describes what user organizations can expect in the near term, and discusses some of the missing pieces that are yet to come.

In September of 2002 the Web Services Security Technical Committee (WSS TC) was formed at OASIS to standardize mechanisms for protecting SOAP messages. The starting point for this work was a document previously published by IBM, Microsoft, RSA, and VeriSign entitled "WS-Security." The primary features of this specification are methods to digitally sign and encrypt portions of SOAP messages and methods to include in the messages the keys and identities associated with these signature and encryption operations.

The Web Services Security (WSS) specifications mostly define how existing XML security mechanisms should be applied in a SOAP message environment. For example, they reuse XML Digital Signature and XML Encryption (both W3C Recommendations). One of the key concepts in WSS is a token. A token is a data structure that associates an identity with a password or the key used to digitally sign or encrypt data. WSS defines a specific type of token, called a Username token, which is used with password authentication. The Username token includes the user's name and optionally a password (in the clear or hashed) that can be authenticated by the receiver, as well as other features to prevent replay.

While WSS had to invent a Username token there are already standards for many other types of tokens. WSS defines a Binary token, which is just a wrapper for tokens that are not in XML format, such as X.509 Certificates and Kerberos Tickets. Tokens such as SAML Assertions and XrML Licenses, which are XML, are inserted as-is. The ability to support many different token types allows WSS to be used in a wide variety of environments.

WSS also defines a Security Token Reference that can be used in place of an actual token to refer to a token that appears elsewhere in the message or at some external location. There is also a Timestamp element that allows the sender to specify a date/time at which a message was created or should expire.
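As an added example (not code from the article, from OASIS, or from any vendor's product), the Username token described above carrying a PasswordDigest, a nonce and a Created time, built on the sender side and checked on the receiver side, where the nonce cache and the freshness window are what prevent replay. The namespace URIs are those of the published WSS 1.0 specifications; the five-minute window, the in-memory nonce cache, the credential store and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FRESHNESS = timedelta(minutes=5)  # assumed acceptance window around wsu:Created
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)): the profile's PasswordDigest."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()

def build_username_token(user: str, password: str, now: datetime) -> str:
    """Sender side: a wsse:UsernameToken carrying digest, nonce and Created."""
    nonce, created = os.urandom(16), now.strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

def verify_username_token(xml: str, lookup_password, seen_nonces: set, now: datetime) -> bool:
    """Receiver side: freshness window, nonce replay cache, then digest check."""
    tok = ET.fromstring(xml)
    user = tok.findtext(f"{{{WSSE}}}Username")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    pw = tok.find(f"{{{WSSE}}}Password")
    if None in (user, nonce_b64, created, pw) or pw.get("Type") != DIGEST:
        return False  # missing parts or a clear-text password: not accepted here
    created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created_at) > FRESHNESS:
        return False  # stale (or future-dated) token, outside the window
    if nonce_b64 in seen_nonces:
        return False  # same nonce seen before: a replayed message
    secret = lookup_password(user)
    if secret is None or not hmac.compare_digest(
            password_digest(base64.b64decode(nonce_b64), created, secret), pw.text or ""):
        return False
    seen_nonces.add(nonce_b64)  # remember the nonce only once the token is accepted
    return True

def demo():
    """Constructed run: a fresh token is accepted; its replay and a stale copy are not."""
    now = datetime(2004, 1, 15, 12, 0, tzinfo=timezone.utc)
    users = {"alice": "s3cret"}  # constructed credential store
    seen = set()
    xml = build_username_token("alice", "s3cret", now)
    first = verify_username_token(xml, users.get, seen, now)
    replay = verify_username_token(xml, users.get, seen, now)
    stale = verify_username_token(xml, users.get, set(), now + 3 * FRESHNESS)
    return first, replay, stale
```

A real receiver would have to bound the nonce cache to the freshness window and share it across nodes, which is the operational cost the Username token's replay protection carries.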

It is important to understand both the features and limitations of WSS. First, it deliberately does not define a secure protocol the way Kerberos and SSL/TLS do. It merely specifies a number of mechanisms that may be combined in various ways. The problem is that the security properties of any message exchange depend on every aspect of the messages. It is not uncommon for a small change to have a quite unexpected effect.

The flexibility of the specification also creates the possibility of lack of interoperability between different vendors' products. The initial testing has been largely successful, but some incompatibilities have been discovered and corrected. The WS-I Basic Security Profile (discussed later) will further strengthen interoperability by reducing some of the options and clarifying some of the processing rules.

WSS does not address the problem of describing the security mechanisms and capabilities used by a particular Web service; it defines no WSDL features. The intended solution to this issue is the use of Policy advertisement mechanisms. A draft set of WS-Policy specifications, which includes security policy, has been published by BEA Systems, IBM, Microsoft, and SAP. These specifications are being worked on intensively and will be submitted to a standards organization later this year. However, at the moment information about required signatures and tokens, for example, must be exchanged by some unspecified method, such as a phone call.

Another limitation to WSS is that most of the more complex Web services scenarios are quite speculative today. Most authorities agree that the use of Intermediaries is an important and powerful feature of SOAP. However, there is little agreement on precisely how these Intermediaries will behave and what their security requirements will be. Until more complex scenarios have been constructed and their security properties analyzed, this will remain a murky area. This means there will be plenty of scope for both interoperability problems and security weaknesses.

The OASIS TC made numerous changes to the original specification, improving it overall. Some features were added and some were cut. Language was tightened and clarified. The most noticeable change was to split the specification into several documents. A core specification describes the various mechanisms and a series of Token Profiles describe each Token type. It was decided to focus on the core specification and the Username and X.509 Profiles as the first set of specifications to complete. In the summer of 2003, a dozen or so vendors participated in interoperability testing of software based on the then current specifications. In most cases this was prototype code built on existing products. The testing identified some areas that needed clarification as well as some common errors to be avoided.

In September 2003, the TC approved the three specifications as OASIS Committee Drafts. As specified by the OASIS Process, this was followed by a 30-day public review. The comments received from this review, including an extensive set from the W3C XML Protocol Working Group and the WS-I Basic Security Profile Working Group, led to further changes in the specifications. Finally in January 2004 the modified specifications were re-approved as Committee Drafts and submitted to the OASIS membership for approval as an OASIS Standard. This process has not been completed at the time this is being written, but normally takes about 60 days.

Work has begun to complete the SAML Token Profile, the XrML Token Profile, and the Kerberos Token Profile. These will probably be completed, in that order, during 2004. Several other specifications have been proposed, including a Minimal Profile, intended for use in devices like PDAs and cell phones; a Receipt Profile; and a Biometric Token profile. It is unclear whether any or all of these will be approved by the TC.

In March of 2003 WS-I chartered a Basic Security Profile (BSP) Working Group that was given two deliverables. The first was a set of usage scenarios. The reason for this was that it was observed that many existing Web services usage scenarios contained information that was irrelevant to security considerations and at the same time lacked critical details needed to select security mechanisms. The intention is to review this document widely both within and outside WS-I to get general agreement that the proper set of security requirements is being addressed. The usage scenarios will also serve the purpose of providing background to non-specialists on the security objectives and mechanisms relevant to Web services.

The usage scenarios document was nearly complete at the time of this writing. It will most likely be approved for release in early February 2004. The document describes a series of Security Challenges, which are essentially requirements to be achieved, a set of Threats that might prevent the challenges from being met, and the Security Mechanisms available at both the SOAP layer (WSS) and the transport layer (SSL/TLS).

Finally, the document lists three scenarios, originally developed by the WS-I Sample Applications Group: one-way, synchronous request/response, and basic callback. These are extended to include zero or more intermediaries in each case. Each is associated with a set of Security Challenges, which in turn are cross-referenced to the Threats and Mechanisms. The result is a concise summary of the problem space and the solutions most likely to be used.

The other deliverable of the BSP is a profile of the WSS specifications as well as SSL/TLS. This work is not as far along, but so far it is following the model of the WS-I Basic Profile, of which it is an extension, in defining constraints that reduce or eliminate options available in the profiled specifications. The first version of this document, covering the initial three WSS specifications, is due nine months after they were first voted as OASIS Committee Drafts, that is, in June 2004.

Conclusion

In summary, considerable progress has been made in developing Web Services Security mechanisms, but we still have some way to go before the work is complete. On the positive side:

  • A number of products will provide interoperability and effective security in simple, common situations in 2004.
  • The WS-I BSP will provide useful guidance in applying them.
  • Users will see benefits not available in SSL/TLS.

On the negative side:

  • Complex scenarios will likely have security holes initially.
  • Parts of Web services, such as intermediary behavior, are not yet well enough understood to secure.
  • Advanced features, such as policy discovery, will not be standardized for some time.

Hal Lockhart works for BEA Systems in the Office of the CTO, representing BEA on committees such as Web Services Security, SAML, and XACML (of which he is the cochair), relating to security and management standards.