Web Services Security Progress Report

Moving forward - and on schedule

For the past several years there has been widespread agreement that the adoption of Web services for production applications will be limited, particularly for B2B transactions, until standardized security mechanisms, designed specifically for Web services, become available. While some applications can be adequately protected using the familiar SSL and TLS security protocols, their limitations make them unsatisfactory for many others.

For these reasons work began more than 18 months ago to standardize new security mechanisms specifically designed for the Web services environment. This article summarizes the work so far, describes what user organizations can expect in the near term, and discusses some of the missing pieces that are yet to come.

In September of 2002 the Web Services Security Technical Committee (WSS TC) was formed at OASIS to standardize mechanisms for protecting SOAP messages. The starting point for this work was a document previously published by IBM, Microsoft, RSA, and VeriSign entitled "WS-Security." The primary features of this specification are methods to digitally sign and encrypt portions of SOAP messages and methods to include in the messages the keys and identities associated with these signature and encryption operations.

The Web Services Security (WSS) specifications mostly define how existing XML security mechanisms should be applied in a SOAP message environment. For example, they reuse XML Digital Signature and XML Encryption (both W3C Recommendations). One of the key concepts in WSS is a token. A token is a data structure that associates an identity with a password or the key used to digitally sign or encrypt data. WSS defines a specific type of token, called a Username token, which is used with password authentication. The Username token includes the user's name and optionally a password (in the clear or hashed) that can be authenticated by the receiver, as well as other features to prevent replay.

While WSS had to invent a Username token, there are already standards for many other types of tokens. WSS defines a Binary token, which is just a wrapper for tokens that are not in XML format, such as X.509 Certificates and Kerberos Tickets. Tokens such as SAML Assertions and XrML Licenses, which are XML, are inserted as-is. The ability to support many different token types allows WSS to be used in a wide variety of environments.

WSS also defines a Security Token Reference that can be used in place of an actual token to refer to a token that appears elsewhere in the message or at some external location. There is also a Timestamp element that allows the sender to specify a date/time at which a message was created or should expire.
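The receiver's side of the Username token described above can be sketched as follows. This is an added example, not code from the article or from any WSS product. It assumes the hashed-password form defined in the OASIS Username Token Profile, Base64(SHA-1(nonce + created + password)), with that profile's Nonce and Created fields as the replay-prevention features; the five-minute window, the in-memory nonce cache, and all names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window; deployments choose their own


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the profile's hashed-password form."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


class UsernameTokenVerifier:
    def __init__(self, passwords):
        self.passwords = passwords  # username -> shared password (constructed store)
        self.seen = {}              # (username, nonce) -> Created time of accepted token

    def verify(self, username, nonce_b64, created, digest_b64, now):
        """Return 'ok' or the reason for rejection."""
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
            created_at = created_at.replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        # A token outside the window is refused, so the nonce cache stays bounded.
        if abs(now - created_at) > MAX_AGE:
            return "stale"
        password = self.passwords.get(username)
        # Compute a digest even for unknown users and compare in constant time.
        expected = password_digest(nonce, created, password or "")
        matches = hmac.compare_digest(expected.encode(), digest_b64.encode())
        if password is None or not matches:
            return "bad-credentials"
        # Record nonces only after authentication so strangers cannot fill the cache.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_AGE}
        if (username, nonce) in self.seen:
            return "replay"
        self.seen[(username, nonce)] = created_at
        return "ok"


def demo():
    """Constructed sample: one genuine token, then the same bytes sent again."""
    now = datetime(2004, 2, 1, 12, 1, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "constructed-password"})
    nonce, created = b"constructed-nonce-01", "2004-02-01T12:00:00Z"
    token = ("alice", base64.b64encode(nonce).decode(), created,
             password_digest(nonce, created, "constructed-password"))
    return [verifier.verify(*token, now), verifier.verify(*token, now),
            verifier.verify(*token, now + timedelta(minutes=10))]
```

The digest only proves knowledge of the password; unless the token is also bound to the message body by a signature or sent over a protected transport, it can be lifted onto a different message within the freshness window.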

It is important to understand both the features and limitations of WSS. First, it deliberately does not define a secure protocol the way Kerberos and SSL/TLS do. It merely specifies a number of mechanisms that may be combined in various ways. The problem is that the security properties of any message exchange depend on every aspect of the messages. It is not uncommon for a small change to have a quite unexpected effect.

The flexibility of the specification also creates the possibility of lack of interoperability between different vendors' products. The initial testing has been largely successful, but some incompatibilities have been discovered and corrected. The WS-I Basic Security Profile (discussed later) will further strengthen interoperability by reducing some of the options and clarifying some of the processing rules.

WSS does not address the problem of describing the security mechanisms and capabilities used by a particular Web service. There are no WSDL features defined. The intended solution to this issue is the use of Policy advertisement mechanisms. A draft set of WS-Policy specifications, which includes security policy, has been published by BEA Systems, IBM, Microsoft, and SAP. These specifications are being worked on intensively and will be submitted to a standards organization later this year. However, at the moment information about required signatures and tokens, for example, must be exchanged by some unspecified method, such as a phone call.

Another limitation to WSS is that most of the more complex Web services scenarios are quite speculative today. Most authorities agree that the use of Intermediaries is an important and powerful feature of SOAP. However, there is little agreement on precisely how these Intermediaries will behave and what their security requirements will be. Until more complex scenarios have been constructed and their security properties analyzed, this will remain a murky area. This means there will be plenty of scope for both interoperability problems and security weaknesses.

The OASIS TC made numerous changes to the original specification, improving it overall. Some features were added and some were cut. Language was tightened and clarified. The most noticeable change was to split the specification into several documents. A core specification describes the various mechanisms and a series of Token Profiles describe each Token type. It was decided to focus on the core specification and the Username and X.509 Profiles as the first set of specifications to complete. In the summer of 2003, a dozen or so vendors participated in interoperability testing of software based on the then-current specifications. In most cases this was prototype code built on existing products. The testing identified some areas that needed clarification as well as some common errors to be avoided.

In September 2003, the TC approved the three specifications as OASIS Committee Drafts. As specified by the OASIS Process, this was followed by a 30-day public review. The comments received from this review, including an extensive set from the W3C XML Protocol Working Group and the WS-I Basic Security Profile Working Group, led to further changes in the specifications. Finally, in January 2004, the modified specifications were re-approved as Committee Drafts and submitted to the OASIS membership for approval as an OASIS Standard. This process has not been completed at the time of writing, but normally takes about 60 days.

Work has begun to complete the SAML Token Profile, the XrML Token Profile, and the Kerberos Token Profile. These will probably be completed, in that order, during 2004. Several other specifications have been proposed, including a Minimal Profile, intended for use in devices like PDAs and cell phones; a Receipt Profile; and a Biometric Token profile. It is unclear whether any or all of these will be approved by the TC.

In March of 2003 WS-I chartered a Basic Security Profile (BSP) Working Group that was given two deliverables. The first was a set of usage scenarios. The reason was the observation that many existing Web services usage scenarios contained information that was irrelevant to security considerations and at the same time lacked critical details needed to select security mechanisms. The intention is to review this document widely both within and outside WS-I to get general agreement that the proper set of security requirements is being addressed. The usage scenarios will also provide background to non-specialists on the security objectives and mechanisms relevant to Web services.

The usage scenarios document was nearly complete at the time of this writing. It will most likely be approved for release in early February 2004. The document describes a series of Security Challenges, which are essentially requirements to be achieved, a set of Threats that might prevent the challenges from being met, and the Security Mechanisms available at both the SOAP layer (WSS) and the transport layer (SSL/TLS).

Finally, the document lists three scenarios, originally developed by the WS-I Sample Applications Group: one-way, synchronous request/response, and basic callback. These are extended to include zero or more intermediaries in each case. Each is associated with a set of Security Challenges, which in turn are cross-referenced to the Threats and Mechanisms. The result is a concise summary of the problem space and the solutions most likely to be used.

The other deliverable of the BSP is a profile of the WSS specifications as well as SSL/TLS. This work is not as far along, but so far it is following the model of the WS-I Basic Profile - of which it is an extension - in defining constraints that reduce or eliminate options available in the profiled specifications. The first version of this document, covering the initial three WSS specifications, is due nine months after they were first voted as OASIS Committee Drafts - June 2004.

Conclusion
In summary, considerable progress has been made in developing Web Services Security mechanisms, but we still have some way to go before the work is complete. On the positive side:

  • A number of products will provide interoperability and effective security in simple, common situations in 2004.
  • The WS-I BSP will provide useful guidance in applying them.
  • Users will see benefits not available in SSL/TLS.

On the negative side:

  • Complex scenarios will likely have security holes initially.
  • Parts of Web services, such as intermediary behavior, are not yet well enough understood to secure.
  • Advanced features, such as policy discovery, will not be standardized for some time.

More Stories By Hal Lockhart

Hal Lockhart works for BEA Systems in the Office of the CTO, representing BEA on committees such as Web Services Security, SAML, and XACML (of which he is the cochair), relating to security and management standards.
