Securing Web Services Using TransactionMinder, Page 2
The policy server is the centerpiece of TransactionMinder. TransactionMinder uses the same policy server as SiteMinder, with additional features designed to support TransactionMinder-specific functionality. The policy server integrates with the XML agent and other Netegrity products to provide a single platform for securing every aspect of a company's e-business.
It hosts the set of shared services such as authentication, administration, and accounting. Its extensible and scalable architecture allows services to be added and enhanced as the security and management needs of Web services evolve.
The policy server integrates with industry-standard LDAP servers and relational databases for centralized management of user identity and entitlement information. It uses this information to perform authentication and authorization.
- Centralized, policy-based services such as authentication, authorization, and accounting.
- Single platform to securely manage the Web services. Offers support for leading Web servers and application servers.
- Support for industry-standard, content-level authentication schemes such as the XML document credential collector, XML digital signature, and SAML (Security Assertion Markup Language).
- Support for LDAP and relational databases for storing user profile and policy information.
- Fine-grained access control: authentication information can be placed at any layer of the XML message, that is, the transport, the envelope, or the business payload.
- Provides single sign-on (SSO) using SAML assertions.
The following steps illustrate how a request to a Web service is secured with TransactionMinder.
- The Web service consumer makes a request to a Web service protected by TransactionMinder.
- The XML agent intercepts an incoming XML message based on the content type (text/xml).
- The XML agent gathers user credentials from the SOAP message and authenticates the user based on the required authentication scheme.
- The XML agent checks the sender's authorization for the payload's request (for example, a purchase order).
- If the sender is authorized, the XML agent may optionally insert authorization information into the SOAP message.
- The authorized message is passed on to the back-end business process application. The business application may optionally return a response to the Web service consumer with the status of the payload (for example, that the purchase order has been accepted and is being processed).
TransactionMinder supports three kinds of authentication schemes to protect the Web services. They are:
XML document credential collector
The incoming XML message may carry the security information in its header or in its body. This scheme is a natural choice when two business partners have agreed on the format of the XML documents they exchange. The policy server may be configured with an XPath query that locates the credentials in the XML document sent by the customer. The collected credentials are then verified against the user store integrated with the policy server.
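The request flow listed above (intercept by content type, collect credentials, authenticate, authorize the payload, stamp the message) and the XPath-based credential collector just described can be put together in one small program. The following is an added illustration written for this article, not TransactionMinder or Netegrity code: the SOAP message, the `urn:example:*` namespaces, the user store and the policy table are all constructed, and the "XPath" queries use the limited path syntax of Python's `xml.etree.ElementTree` rather than a full XPath engine.

```python
"""Toy XML agent following the TransactionMinder request flow: intercept
XML requests, collect credentials from the SOAP header with path queries,
authenticate against a user store, authorize the payload operation, and
stamp the forwarded message with authorization information.
Constructed illustration; namespaces, users and policy are made up."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {
    "soap": SOAP_NS,
    "sec": "urn:example:credentials",   # hypothetical credentials namespace
    "po": "urn:example:purchasing",     # hypothetical business namespace
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SALT = b"constructed-salt"  # a real store would salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed user store standing in for the LDAP / RDBMS user directory.
USER_STORE = {
    "alice": {"pw": _hash("alice-secret"), "roles": {"buyer"}},
    "bob":   {"pw": _hash("bob-secret"),   "roles": {"reader"}},
}

# Policy: where to look for credentials, and which role each payload
# operation requires. Operations not listed are refused (default deny).
POLICY = {
    "credential_paths": {
        "username": "soap:Header/sec:Credentials/sec:Username",
        "password": "soap:Header/sec:Credentials/sec:Password",
    },
    "operations": {"PurchaseOrder": "buyer", "OrderStatus": "reader"},
}


def should_intercept(content_type: str) -> bool:
    """The agent only handles messages whose content type is text/xml."""
    return content_type.split(";")[0].strip().lower() == "text/xml"


def collect_credentials(root, policy):
    """Credential collector: every configured path must yield a value."""
    found = {}
    for name, path in policy["credential_paths"].items():
        node = root.find(path, NS)
        if node is None or not (node.text or "").strip():
            return None
        found[name] = node.text.strip()
    return found


def authenticate(creds, store):
    """Verify against the user store; returns the user's roles or None."""
    entry = store.get(creds["username"])
    if entry is None:
        _hash(creds["password"])  # same cost whether or not the user exists
        return None
    if not hmac.compare_digest(entry["pw"], _hash(creds["password"])):
        return None
    return entry["roles"]


def payload_operation(root):
    """Local name of the first Body child, e.g. 'PurchaseOrder'."""
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        return None
    return body[0].tag.split("}")[-1]


def authorize(operation, roles, policy):
    """Default-deny role check on the business payload."""
    required = policy["operations"].get(operation)
    return required is not None and required in roles


def process_request(content_type, raw_xml, store=USER_STORE, policy=POLICY):
    """Run the whole flow; returns (decision, detail)."""
    if not should_intercept(content_type):
        return ("pass-through", "not XML")
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError as exc:
        return ("rejected", f"malformed XML: {exc}")
    creds = collect_credentials(root, policy)
    if creds is None:
        return ("rejected", "no credentials in message")
    roles = authenticate(creds, store)
    if roles is None:
        return ("rejected", "authentication failed")
    op = payload_operation(root)
    if not authorize(op, roles, policy):
        return ("rejected", f"{creds['username']} not authorized for {op}")
    # Stamp the message for the back end and drop the raw credentials.
    header = root.find("soap:Header", NS)
    header.remove(header.find("sec:Credentials", NS))
    ET.SubElement(header, f"{{{NS['sec']}}}AuthorizedAs").text = creds["username"]
    return ("forwarded", ET.tostring(root, encoding="unicode"))


def sample_message(user, password, operation="PurchaseOrder"):
    """Constructed SOAP request used for the demonstration."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sec="{NS["sec"]}" '
            f'xmlns:po="{NS["po"]}"><soap:Header><sec:Credentials>'
            f'<sec:Username>{user}</sec:Username>'
            f'<sec:Password>{password}</sec:Password></sec:Credentials>'
            f'</soap:Header><soap:Body><po:{operation}><po:Item>widget</po:Item>'
            f'</po:{operation}></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    print(process_request("text/xml", sample_message("alice", "alice-secret")))
    print(process_request("text/xml", sample_message("bob", "bob-secret")))
```

Two details worth noticing: the operations table is default-deny, so a payload the policy has never heard of is refused even for an authenticated user, and the agent strips the credential element before forwarding, so the back-end application receives the authorization stamp but never the user's password.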
XML digital signature
In this technique, the XML message is digitally signed before it is sent to the service provider. The user directory must then hold each user's identity together with the user's public key; the policy server uses that public key to verify the signature and thereby the integrity of the signed data.
SAML assertions
In this technique, the incoming XML message may carry SAML (Security Assertion Markup Language) assertions containing the credential information. These assertions may be inserted into the header of the XML content or into HTTP headers. SAML may also be used to provide SSO (single sign-on).
In this article we have discussed the need for securing Web services and how TransactionMinder helps to secure them. Many such security products are available on the market, and TransactionMinder is one of the better-known solutions. For a service provider that has already developed its Web services and wants to secure them without much additional effort, TransactionMinder would be a good fit: the Web services can remain independent of TransactionMinder, and TransactionMinder can still secure them.
About the Authors
Rajesh Devadas holds a Masters degree in Computer Applications from MK University, Madurai. He has been working as a Technical Lead for Hewlett-Packard, Bangalore with more than 10 years of domain experience in e-commerce, telecom, and mobile. He is currently involved in designing and developing mobile Web services infrastructure and solutions. He can be reached at Rajesh.Devadas@hp.com.
Ayyappan Gandhirajan has been working as a senior software engineer for Hewlett-Packard, Bangalore with more than five years of industry experience involving Web services and J2EE technologies. He is currently involved in Web services orchestration and developing access controllers for Web services. He can be reached at G_Ayyapparaj@yahoo.com.