
Web Services Security Progress Report

Moving forward - and on schedule

For the past several years there has been widespread agreement that the adoption of Web services for production applications will be limited, particularly for B2B transactions, until standardized security mechanisms, designed specifically for Web services, become available. While some applications can be adequately protected using the familiar SSL and TLS security protocols, their limitations make them unsatisfactory for many others.

For these reasons work began more than 18 months ago to standardize new security mechanisms specifically designed for the Web services environment. This article summarizes the work so far, describes what user organizations can expect in the near term, and discusses some of the missing pieces that are yet to come.

In September of 2002 the Web Services Security Technical Committee (WSS TC) was formed at OASIS to standardize mechanisms for protecting SOAP messages. The starting point for this work was a document previously published by IBM, Microsoft, RSA, and VeriSign entitled "WS-Security." The primary features of this specification are methods to digitally sign and encrypt portions of SOAP messages and methods to include in the messages the keys and identities associated with these signature and encryption operations.

The Web Services Security (WSS) specifications mostly define how existing XML security mechanisms should be applied in a SOAP message environment. For example, they reuse XML Digital Signature and XML Encryption (both W3C Recommendations). One of the key concepts in WSS is a token. A token is a data structure that associates an identity with a password or the key used to digitally sign or encrypt data. WSS defines a specific type of token, called a Username token, which is used with password authentication. The Username token includes the user's name and optionally a password (in the clear or hashed) that can be authenticated by the receiver, as well as other features to prevent replay.

While WSS had to invent a Username token there are already standards for many other types of tokens. WSS defines a Binary token, which is just a wrapper for tokens that are not in XML format, such as X.509 Certificates and Kerberos Tickets. Tokens such as SAML Assertions and XrML Licenses, which are XML, are inserted as-is. The ability to support many different token types allows WSS to be used in a wide variety of environments.

WSS also defines a Security Token Reference that can be used in place of an actual token to refer to a token that appears elsewhere in the message or at some external location. There is also a Timestamp element that allows the sender to specify a date/time at which a message was created or should expire.
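The Username token and replay features described above, as an added example that is not code from the article or from any vendor's product: a sender builds a `wsse:UsernameToken` carrying a hashed password, and a receiver recomputes the digest, bounds the age of the `wsu:Created` value, and rejects reused nonces. The digest formula (Base64 of SHA-1 over nonce + created + password) and the namespace URIs are taken from the final OASIS WSS 1.0 specifications, not from the article; the user directory, the injected clock and the sample credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs of the final WSS 1.0 specifications (assumed; the article quotes none)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the Username Token Profile."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode("ascii")

def build_username_token(username: str, password: str, created: str, nonce: bytes = None) -> str:
    """Sender side: a <wsse:UsernameToken> carrying the hashed rather than the clear-text password."""
    nonce = os.urandom(16) if nonce is None else nonce
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )

class UsernameTokenVerifier:
    """Receiver side: recompute the digest, bound the age of Created, and refuse reused nonces."""
    def __init__(self, passwords: dict, now: datetime,
                 max_age=timedelta(minutes=5), skew=timedelta(minutes=1)):
        self.passwords = passwords   # constructed user directory: username -> password
        self.now = now               # clock injected so the example is deterministic
        self.max_age, self.skew = max_age, skew
        self.seen = set()            # (nonce, created) pairs; a real cache expires entries after max_age

    def verify(self, token_xml: str) -> bool:
        root = ET.fromstring(token_xml)
        username = root.findtext(f"{{{WSSE}}}Username")
        pw = root.find(f"{{{WSSE}}}Password")
        nonce_b64 = root.findtext(f"{{{WSSE}}}Nonce")
        created = root.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST or not (nonce_b64 and created):
            return False              # clear-text or malformed tokens are rejected outright
        if username not in self.passwords:
            return False
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (self.now - self.max_age <= created_dt <= self.now + self.skew):
            return False              # stale or future-dated: outside the freshness window
        nonce = base64.b64decode(nonce_b64)
        if (nonce, created) in self.seen:
            return False              # replay of a token that was already accepted
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected, pw.text or ""):
            return False
        self.seen.add((nonce, created))
        return True
```

The same token presented twice is accepted once and refused the second time, which is the replay protection the nonce and Created values exist to provide; the digest form still leaves the receiver holding the clear-text password, so it is an authentication convenience rather than a substitute for signing or encrypting the message.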

It is important to understand both the features and limitations of WSS. First, it deliberately does not define a secure protocol the way Kerberos and SSL/TLS do. It merely specifies a number of mechanisms that may be combined in various ways. The problem is that the security properties of any message exchange depend on every aspect of the messages. It is not uncommon for a small change to have a quite unexpected effect.

The flexibility of the specification also creates the possibility of lack of interoperability between different vendors' products. The initial testing has been largely successful, but some incompatibilities have been discovered and corrected. The WS-I Basic Security Profile (discussed later) will further strengthen interoperability by reducing some of the options and clarifying some of the processing rules.

WSS does not address the problem of describing the security mechanisms and capabilities used by a particular Web service. There are no WSDL features defined. The intended solution to this issue is the use of Policy advertisement mechanisms. A draft set of WS-Policy specifications, which includes security policy, has been published by BEA Systems, IBM, Microsoft, and SAP. These specifications are being worked on intensively and will be submitted to a standards organization later this year. However, at the moment information about required signatures and tokens, for example, must be exchanged by some unspecified method, such as a phone call.

Another limitation to WSS is that most of the more complex Web services scenarios are quite speculative today. Most authorities agree that the use of Intermediaries is an important and powerful feature of SOAP. However, there is little agreement on precisely how these Intermediaries will behave and what their security requirements will be. Until more complex scenarios have been constructed and their security properties analyzed, this will remain a murky area. This means there will be plenty of scope for both interoperability problems and security weaknesses.

The OASIS TC made numerous changes to the original specification, improving it overall. Some features were added and some were cut. Language was tightened and clarified. The most noticeable change was to split the specification into several documents. A core specification describes the various mechanisms and a series of Token Profiles describe each Token type. It was decided to focus on the core specification and the Username and X.509 Profiles as the first set of specifications to complete. In the summer of 2003, a dozen or so vendors participated in interoperability testing of software based on the then current specifications. In most cases this was prototype code built on existing products. The testing identified some areas that needed clarification as well as some common errors to be avoided.

In September 2003, the TC approved the three specifications as OASIS Committee Drafts. As specified by the OASIS Process, this was followed by a 30-day public review. The comments received from this review, including an extensive set from the W3C XML Protocol Working Group and the WS-I Basic Security Profile Working Group, led to further changes in the specifications. Finally in January 2004 the modified specifications were re-approved as Committee Drafts and submitted to the OASIS membership for approval as an OASIS Standard. This process has not been completed at the time this is being written, but normally takes about 60 days.

Work has begun to complete the SAML Token Profile, the XrML Token Profile, and the Kerberos Token Profile. These will probably be completed, in that order, during 2004. Several other specifications have been proposed, including a Minimal Profile, intended for use in devices like PDAs and cell phones; a Receipt Profile; and a Biometric Token profile. It is unclear whether any or all of these will be approved by the TC.

In March of 2003 WS-I chartered a Basic Security Profile (BSP) Working Group that was given two deliverables. The first was a set of usage scenarios. This was because many existing Web services usage scenarios were found to contain information that was irrelevant to security considerations while at the same time lacking the critical details needed to select security mechanisms. The intention is to review this document widely both within and outside WS-I to get general agreement that the proper set of security requirements is being addressed. The usage scenarios will also serve the purpose of providing background to non-specialists on the security objectives and mechanisms relevant to Web services.

The usage scenarios document was nearly complete at the time of this writing. It will most likely be approved for release in early February 2004. The document describes a series of Security Challenges, which are essentially requirements to be achieved, a set of Threats that might prevent the challenges from being met, and the Security Mechanisms available at both the SOAP layer (WSS) and the transport layer (SSL/TLS).

Finally, the document lists three scenarios, originally developed by the WS-I Sample Applications Group: one-way, synchronous request/response, and basic callback. These are extended to include zero or more intermediaries in each case. Each is associated with a set of Security Challenges, which in turn are cross-referenced to the Threats and Mechanisms. The result is a concise summary of the problem space and the solutions most likely to be used.

The other deliverable of the BSP is a profile of the WSS specifications as well as SSL/TLS. This work is not as far along, but so far it is following the model of the WS-I Basic Profile - of which it is an extension - in defining constraints that reduce or eliminate options available in the profiled specifications. The first version of this document, covering the initial three WSS specifications, is due nine months after they were first voted OASIS Committee Drafts - that is, June 2004.

Conclusion

In summary, considerable progress has been made in developing Web Services Security mechanisms, but we still have some way to go before the work is complete. On the positive side:

  • A number of products will provide interoperability and effective security in simple, common situations in 2004.
  • The WS-I BSP will provide useful guidance in applying them.
  • Users will see benefits not available in SSL/TLS.

On the negative side:

  • Complex scenarios will likely have security holes initially.
  • Parts of Web services, such as intermediary behavior, are not yet well enough understood to secure.
  • Advanced features, such as policy discovery, will not be standardized for some time.

More Stories By Hal Lockhart

Hal Lockhart works for BEA Systems in the Office of the CTO, representing BEA on committees such as Web Services Security, SAML, and XACML (of which he is the cochair), relating to security and management standards.
