Related Topics: XML Magazine

XML: Article

Web Services Security

Web Services Security

In recent years, few technological concepts have generated as much excitement as XML and Web services. After the initial excitement and onslaught of developers creating "Hello World" applications and (unfortunately) posting them to a multitude of UDDI directories, there was a general eagerness to apply this skill to real business problems (and we're not talking about online Celsius-to-Fahrenheit calculators).

What better way to finally solve a piece of the remote messaging puzzle that had eluded us than to use this seemingly straightforward, platform-independent concept called Web services? While DCOM and CORBA resolved some of the logistics surrounding distributed applications, the actual solutions could be painfully difficult to implement in the real world, or unsuitable to a multiplatform environment.

One of the first Web services infrastructures we designed for an enterprise client addressed many of the remote messaging challenges of the "old world" and, being particularly proud of how we had overcome some significant technical challenges (that would have been next to impossible using DCOM), we presented it to our security specialist. His first reaction was, "Is SSL over HTTP our only option?"

His point: SSL over HTTP carries additional overhead and as a transport-level solution only operates at that layer.

How then do we address message authenticity, encryption, and integrity in a standardized way? These are typical requirements for message-based applications, and if you haven't already experienced a formal requirements document that references each of these (in excruciating detail), then you will - and sooner rather than later.

Many solutions to these requirements involve using Web server-administered authentication (such as HTTP Basic Authentication) and encryption (such as SSL). However, some security requirements, such as nonrepudiation, can be managed only on an implementation-by-implementation basis using application-specific algorithms.

But does this satisfy typical enterprise standards, requirements, or more important, the guy down the hall dubbed "security officer"? Probably not. Then what can we do to appease the concerns of the security conscious?

WS-Security, Etc.
WS-Security was the first coordinated attempt to standardize Web services security by discussing the encryption and signing of SOAP messages. A collaboration between Microsoft, IBM, and VeriSign, it has since been supplemented with additional specifications, including WS-SecurityPolicy, WS-SecureConversation, and WS-Trust. In this article, we will explore only WS-Security in its most basic form and what it means to an application or solution architecture based on .NET.

At its core, WS-Security addresses two important issues within the Web services space: message integrity and message confidentiality. Message integrity leverages W3C's XML Signature specification, while message confidentiality is implemented through use of XML Encryption. Both use the concept of security tokens to implement these concepts.

According to RFC 3275 (, XML Signature is designed to essentially offer a framework to sign a whole or any part of XML data. In more formal terms, XML Signature is "a method of associating a key with referenced data." The benefit here is that we are able to not only sign an entire transaction (as we might do using SSL over HTTP), but we have the option of signing only specific elements of the message. For instance, we can sign all identifying aspects of a document (a user name, a credit card number, a social security number, etc.) without having to sign the document's entire payload, which eliminates a vast amount of overhead. Further, we can sign particularly sensitive elements of the document with one key and sign the document (perhaps using SSL) as a whole with a more general key to meet broader security requirements. Now the security guy down the hall is happy.

Just as XML Signature by definition addresses authentication, authorization, and message integrity, the XML Encryption specification addresses message confidentiality. XML Encryption accommodates the encryption of arbitrary data represented in XML form, including an XML document, an XML element, or the content of an XML element. One appealing aspect of XML Encryption is that we can encrypt any one or more elements of our data in a normalized and structured manner while maintaining the unencrypted integrity of the remainder of the document, for instance, the example used in the W3C recommendation (see Listing 1).

We see here that Mr. Smith's name may not be sensitive, but certainly his credit card number is. In this case the entire CreditCard element has been encrypted (including the element name) to ensure privacy. An alternative to this may have been to encode only Mr. Smith's credit card value itself, at the risk of exposing the fact that it is the CreditCard element being encrypted (see Listing 2).

The issue here is that Mr. Smith may not be comfortable knowing his credit limit is effectively exposed to anyone monitoring transport- or application-layer transactions on this host, as only the content of the element is encrypted, whereas the element attributes are not.

Notwithstanding this example, we can see how versatile this concept is and how specific application requirements could call for specific encryption schemas.

Now that we have a powerful set of standards and specifications at our fingertips, we merely have to commit the related RFCs, specifications, and recommendations to memory and start coding, right?

WSE 2.0
Luckily, we don't have to break out a library of RFC documents, specifications, and recommendations to start implementing our first secure Web services solution. Microsoft has abstracted these specifications and wrapped many of the related concepts and features in the form of the Web Services Enhancements (WSE) complement to the .NET Framework (specifically, version 2.0 of the package) and an eventual add-on for Visual Studio .NET.

This means that with the help of a few select namespaces within our .NET source code we have the ability to implement all of the specifications supported within the WSE. Combined with Intellisense and MSDN documentation, this allows us to have a solution compiled and deployed in record time.

While it should be noted that as of this writing version 2.0 of the WSE was still at the technology preview stage, some of the features of particular note include the concept of policies and what Microsoft has called "message-based programming." These two areas of functionality are likely to be the most significant insofar as distributed transaction processing and extensibility/maintainability are concerned.

Addressing the most recent version (1.1) of the WS-Policy submission authored by Microsoft and IBM (supplemented by SAP and BEA representation), the WSE toolkit abstracts the ability to communicate the requirements, capabilities, and preferences of any Web service.

An interesting concept is what is called a "policy assertion." This is the most atomic element of a policy, and typically embodies the specifics of a requirement, capability, or preference. An example of a policy expression is shown in Listing 3. This policy contains five assertions, including a text encoding assertion, a specification version, and an XOR (exclusive-or) assertion for selecting exactly one of a set of three language assertions.

Message-Based Programming.
The WSE package also provided tools to assist with the development of asynchronous communications in which concepts such as long-lived transactions, batch processing, and event-driven application models will find new levels of support. This is great news for those tasked with integrating business partners, or even disparate applications that cross not only network boundaries but also environments and platforms.

The Challenges
The authors of these specifications and standards still strive for wider acceptance, and though they are supported by some of the titans of the software world, they are under continuous improvement, which for the typical software engineer means constant software updates to stay in step with these advancements. Microsoft's WSE toolkit is capable of addressing these needs at design time, but this does not address the need to distribute configurations modified in real time to support dynamic security requirements.

To mitigate the impact of these changes to the specifications, the authors have tried to build an extensive model, allowing the designers of specific implementations some degree of flexibility. However, we will be seeing continuous modification and improvement even of Microsoft's WSE package.

It is also important to note that application-specific implementation of security is only half the solution. Typically, a security context is required for an overall solution, particularly if it involves more than one organization or application. Microsoft's WSE toolkit does not explicitly address the requirement to deploy solutions (particularly if platform independence is required) to trading partners or remote distributions.

A perfect world is one where everyone develops integration points on common platforms, using common interfaces over common protocols with the same security context. This obviously is the ideal, and the simple fact is that none of this is the case.

Wouldn't It Be Nice If...
Wouldn't it be nice if software engineers were able to actually create algorithms that reflected business logic and business processes?

"Of course," you say, "that is part of the job description."

Unfortunately, software engineers are typically asked to focus a significant amount of their overall effort on implementation of either security standards/requirements, or transport-level support. This is neither effective nor gratifying for your typical software engineer.

Granted, much of this has been abstracted through the use of development frameworks and packages such as the .NET Framework, which address specific functionality. This still leaves security management squarely in the hands of the engineer. We're going to go out on a limb here, but we believe we're doing the general developer community a favor: security implementation should be the responsibility of security officers or administrators.

With the constant improvements and changes in development frameworks such as .NET, software engineers are busy enough staying on top of changing requirements for business logic without also subscribing to the fickle ebb and flow of the standards bodies and the alphabet soup of acronyms that represent them: WS-I, W3C, OASIS, IETF, etc.

Implementation of security standards is much safer in the hands of specialists. Speaking as software engineers ourselves - they can have it!

Options exist today that support this concept in response to a growing need in a world of disparate, multiplatform, and remote services. Notably, the notion of a network Web services appliance is an ideal vehicle to implement, manage, coordinate, and provision Web services.

Consider a control panel for the administration and publication of Web services that manages access to these services and wraps transactions with the specified security model at runtime. Add to this the ability for such an appliance to abstract any version of a public specification for security, routing, and transaction handling by simply downloading a service pack or module. Additionally, allow this appliance to communicate with other trusted appliances, sharing policies within a "trust federation" automatically, requiring no user interaction. This is an example of Web services solutions available from such innovators as Layer 7 Technologies with their SecureSpan Gateway product that implements security and policy management, and others such as Reactivity that focus more exclusively on security.

By the time you read this article we will be happily developing business logic... right?

More Stories By Toufic Boubez

Toufic Boubez is the co-founder and CTO of Layer 7 Technologies. Prior to co-founding Layer 7 Technologies, he was the chief Web services architect for IBM's Software Group and drove their early XML and Web services strategies. Toufic co-authored the original UDDI API specification. He’s the co-editor of the W3C WS-Policy specification, and is a co-author of the WS-Trust, WS-SecureConversation, and WS-Federation specifications. Toufic is a sought-after presenter and has chaired XML and Web services conferences. In 2002, InfoWorld named Toufic to its “Ones to Watch” list. An author of many publications, one of his most recent books is "Building Web Services with Java: Making Sense of XML, SOAP, WSDL, and UDDI."

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.