Web services are the hottest topic in the software industry nowadays. Many corporations have started tasting the essence of Web services and are experimenting at the intranet level before exposing them to the Web. Several questions might arise in the mind of every software professional; for example, what are Web services, are they secure enough, and how do they benefit software vendors and customers?
Web Services Defined
Web services are loosely coupled software components, which companies expose over the Internet to their employees, business partners, and so forth. A Web service could be a small business component designed to accomplish a particular task, or a whole business application. Companies can generally expose these Web services simply through a Web site portal.
Here is a simple example of a Web service. A customer might want to know the price of a particular model of computer. The Web service running at the service provider’s site receives the request from the customer, processes the request, and sends the response (the price of that model) back to the customer. A Web service could also be as complex as a workflow containing multi-step transactions.
Web services play an important role in Service Oriented Architecture. They are invoked over the Internet using an industry-standard protocol, namely SOAP (Simple Object Access Protocol), and are described using WSDL (Web Services Description Language). Publishing businesses as Web services will open up great new opportunities with business partners, generate new streams of revenue, cut development costs, and reduce maintenance efforts.
Need for Securing Web Services
While the popularity of Web services continues to grow because they create unparalleled opportunities to increase revenues and lower integration costs, they also pose a major challenge in terms of security. Web services are not invoked by typical HTTP Web browsers, but by standalone client applications. Because session information is unavailable on the server, it may not be possible for the Web service to identify the user who sends the request. This leaves a loophole: an unauthorized person might use the Web service when they are not supposed to. So it becomes mandatory that the user is first authenticated and that his/her authorization to access the service is verified.
An SSL (Secure Sockets Layer)-based security mechanism may be used to secure the communication between the server and the client application. But SSL operates at the transport layer and only secures the channel over which the XML messages used in Web services are exchanged. To offer fine-grained access to services, the XML messages used in Web services must include security information that goes beyond the transport layer.
Transport-layer security enables only point-to-point sessions. When a Web service contains a multi-step transaction, the XML messages may be routed through many Web servers to complete the transaction. Each intermediary involved in the transaction might itself be a Web service, hosted by a different service provider. An intermediary might take the security information from the incoming service request and need to provide additional security information required by the next intermediary.
Transport-layer security falls short of such requirements. Netegrity provides a new solution, called TransactionMinder, that supports content-level, XML-based security.
TransactionMinder—A Brief Overview
TransactionMinder is a security product from Netegrity, which is well known for its SiteMinder product. While SiteMinder provides controlled access to Web-based documents, TransactionMinder secures Web services.
TransactionMinder is a policy-based platform for securing the XML messages used in Web services. It is designed to be independent of the transport protocol and messaging framework being used. It is built on SiteMinder’s infrastructure, using special XML agents in conjunction with the SiteMinder Policy Server.
Important Components Involved
The TransactionMinder solution has two important components, namely an XML agent and a policy server.
The TransactionMinder XML agent is a component built upon the existing SiteMinder Web agent. Whereas the Web agent identifies the user’s credentials and thereby offers controlled access to Web-based documents, the XML agent intercepts the incoming XML message sent to the protected Web service and interacts with the policy server, which services the request using policy-based services. Developers can extend the functionality of the XML agent and easily integrate it with other custom Web services environments.
The policy server is the centerpiece of TransactionMinder. TransactionMinder uses the same policy server as SiteMinder, with additional features designed to support TransactionMinder-specific functionality. The policy server integrates with the XML agent and other Netegrity products to provide a single platform for securing every aspect of a company’s e-business.
It hosts a set of shared services such as authentication, administration, and accounting. Its extensible and scalable architecture allows services to be added and enhanced as the security and management needs of Web services evolve.
The policy server integrates with industry-standard LDAP servers and relational databases for centralized management of user identity and entitlement information. It uses this information to perform authentication and authorization services. The key features of TransactionMinder are:
- Centralized, policy-based services such as authentication, authorization, and accounting.
- Single platform to securely manage Web services, with support for leading Web servers and application servers.
- Support for industry-standard, content-level authentication schemes such as the XML document credentials collector, XML Digital Signature, and SAML (Security Assertion Markup Language).
- Support for LDAP and relational databases for storing user profile and policy information.
- Fine-grained access control; authentication information can be placed at any layer of the XML message: transport, envelope, or business payload.
- Provides single sign-on (SSO) using SAML assertions.
Described below are the steps involved in securing a service with TransactionMinder.
- The Web service consumer makes a request to a Web service protected by TransactionMinder.
- The XML agent intercepts the incoming XML message based on its content type (text/xml).
- The XML agent gathers user credentials from the SOAP message and authenticates the user based on the required authentication scheme.
- The XML agent checks the sender’s authorization for the payload’s request (for example, a purchase order).
- If the sender is authorized, the XML agent may optionally insert authorization information into the SOAP message.
- The authorized message is passed on to the backend business process application. The business application may optionally return a response to the Web service consumer with the status of the payload (for example, the purchase order has been accepted and is being processed).
TransactionMinder supports three kinds of authentication schemes to protect Web services. They are:
XML document credential collector
The incoming XML message may carry the security information in its header or body. This kind of authentication would be the choice when two business partners have agreed on the XML document to exchange between them. The policy server may be configured with an XPath search query to collect the credential information from the XML document sent by the customer. The collected credentials are then verified against the user store integrated with the policy server.
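To make the step list above and the XPath-based credential collection concrete, here is an added Python simulation of an XML agent sitting in front of a protected Web service. It is illustrative code written for this article, not Netegrity's TransactionMinder code. The SOAP envelope, the partner-agreed credential element namespace (urn:example:credentials), the payload namespace (urn:example:orders), the in-memory user store, and the role-to-operation policy are all constructed assumptions; ElementTree's limited XPath subset stands in for the search query the policy server would be configured with.

```python
# Simulated XML agent for a protected Web service (added illustration, not
# TransactionMinder code). Everything below is constructed: the namespaces,
# the user store and the role-to-operation policy.
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CRED_NS = "urn:example:credentials"   # hypothetical partner-agreed credential element
ORDER_NS = "urn:example:orders"       # hypothetical business payload namespace
NS = {"soap": SOAP_NS, "cred": CRED_NS, "ord": ORDER_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Search queries the policy server would be configured with to collect credentials.
# ElementTree supports a limited XPath subset, which is enough for header lookups.
CREDENTIAL_QUERY = {
    "user": "./soap:Header/cred:Credentials/cred:Username",
    "secret": "./soap:Header/cred:Credentials/cred:Password",
}
# Entitlement policy: roles allowed to invoke each payload operation (Body's first child).
POLICY = {"PurchaseOrder": {"buyer"}, "PriceQuery": {"buyer", "guest"}}


def _hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def make_user_store(users):
    """In-memory stand-in for the LDAP/RDBMS user store: salted hashes plus roles."""
    store = {}
    for name, secret, roles in users:
        salt = os.urandom(16)
        store[name] = {"salt": salt, "hash": _hash_secret(secret, salt), "roles": set(roles)}
    return store


USER_STORE = make_user_store([("alice", "s3cret-alice", ["buyer"]),
                              ("guest", "guest-pass", ["guest"])])


class AgentError(Exception):
    """The agent rejected the message; `status` is the HTTP status it would return."""
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def authenticate(envelope):
    """Step 3: collect credentials with the configured queries and verify them."""
    fields = {}
    for key, query in CREDENTIAL_QUERY.items():
        node = envelope.find(query, NS)
        if node is None or not (node.text or "").strip():
            raise AgentError(401, f"missing credential field {key!r}")
        fields[key] = node.text.strip()
    record = USER_STORE.get(fields["user"])
    # Hash even for unknown users so response time does not reveal valid names.
    salt = record["salt"] if record else b"\0" * 16
    candidate = _hash_secret(fields["secret"], salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        raise AgentError(401, "authentication failed")
    return fields["user"]


def payload_operation(envelope):
    """The requested operation is the local name of the first Body child."""
    body = envelope.find("./soap:Body", NS)
    if body is None or len(body) == 0:
        raise AgentError(400, "empty SOAP body")
    return body[0].tag.split("}")[-1]


def authorize(user, operation):
    """Step 4: check the sender's entitlement for the payload's request."""
    if not USER_STORE[user]["roles"] & POLICY.get(operation, set()):
        raise AgentError(403, f"{user} is not authorized for {operation}")


def xml_agent(content_type, raw_message):
    """Steps 2-5: intercept text/xml, authenticate, authorize, annotate, forward."""
    if content_type.split(";")[0].strip().lower() != "text/xml":
        return content_type, raw_message          # not a SOAP message: pass through
    envelope = ET.fromstring(raw_message)
    user = authenticate(envelope)
    operation = payload_operation(envelope)
    authorize(user, operation)
    # Step 5: strip the raw credentials and insert authorization info for the backend.
    header = envelope.find("./soap:Header", NS)
    header.remove(header.find("cred:Credentials", NS))
    ET.SubElement(header, f"{{{CRED_NS}}}Authorized", user=user, operation=operation)
    return content_type, ET.tostring(envelope, encoding="unicode")


def sample_request(user, secret, operation):
    """Constructed consumer request (step 1) carrying credentials in the SOAP header."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:cred="{CRED_NS}" xmlns:ord="{ORDER_NS}">'
            f'<soap:Header><cred:Credentials><cred:Username>{user}</cred:Username>'
            f'<cred:Password>{secret}</cred:Password></cred:Credentials></soap:Header>'
            f'<soap:Body><ord:{operation}><ord:item>model-x</ord:item></ord:{operation}></soap:Body>'
            '</soap:Envelope>')


if __name__ == "__main__":
    print(xml_agent("text/xml; charset=utf-8", sample_request("alice", "s3cret-alice", "PurchaseOrder"))[1])
    try:
        xml_agent("text/xml", sample_request("guest", "guest-pass", "PurchaseOrder"))
    except AgentError as err:
        print("rejected:", err)
```

The forwarded message no longer carries the consumer's password: the agent replaces the credential element with an authorization marker, which is the "optionally insert authorization information" step, so the backend application sees who was authenticated and for which operation without ever handling the raw secret.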
XML digital signature
In this technique, the XML message is digitally signed before being sent to the service provider. The user directory must then contain each user’s identification and public key. The user’s public key is used to verify the signature and hence the integrity of the data.
SAML assertions
In this technique, the incoming XML message may contain SAML (Security Assertion Markup Language) assertions carrying credential information. These SAML assertions may be inserted into the header of the XML content or into HTTP headers. SAML may be used to provide SSO (Single Sign On).
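As an added example of the SAML scheme (illustrative code for this article, not TransactionMinder code), the following Python checks an assertion carried in the SOAP header before accepting its subject as the signed-on user. It assumes SAML 2.0 assertion syntax (the article does not state a version), and the trusted issuer, the service's audience URI, and the sample envelope are constructed values. Verifying the XML Signature on the assertion, which is what makes the issuer's claims trustworthy, is not implemented here because the standard library has no XML-DSig support; in a deployment that check comes before any of the ones below.

```python
# SSO with SAML assertions carried in the SOAP header (added illustration, not
# TransactionMinder code). Assumes SAML 2.0 assertion syntax and constructed
# issuer/audience values. XML Signature verification is not implemented here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP_NS, "saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

TRUSTED_ISSUERS = {"https://idp.partner.example"}        # constructed identity provider
SERVICE_AUDIENCE = "https://ws.provider.example/orders"  # constructed: this service's audience URI
CLOCK_SKEW = timedelta(minutes=2)                        # tolerance between issuer and agent clocks
_REPLAY_CACHE = set()                                    # assertion IDs already accepted


class AssertionRejected(Exception):
    pass


def _parse_time(value):
    if value is None:
        raise AssertionRejected("Conditions lacks a validity bound")
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(envelope_xml, now=None, seen=None):
    """Return the asserted subject if the assertion is trusted, in window, unreplayed and meant for us."""
    now = now or datetime.now(timezone.utc)
    seen = _REPLAY_CACHE if seen is None else seen
    envelope = ET.fromstring(envelope_xml)
    assertion = envelope.find("./soap:Header/saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("no SAML assertion in SOAP header")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen:
        raise AssertionRejected("missing or replayed assertion ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("assertion has no Conditions")
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    # NotBefore is inclusive, NotOnOrAfter exclusive; allow a little clock skew either way.
    if not (not_before - CLOCK_SKEW <= now < not_on_or_after + CLOCK_SKEW):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SERVICE_AUDIENCE not in audiences:
        raise AssertionRejected("assertion not addressed to this service")
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        raise AssertionRejected("assertion has no subject")
    seen.add(assertion_id)
    return subject


def sample_envelope(subject, issuer, issued_at, lifetime=timedelta(minutes=5), assertion_id="_a1"):
    """Constructed SOAP request whose header carries an (unsigned) SAML assertion."""
    nb, na = issued_at.strftime(TIME_FMT), (issued_at + lifetime).strftime(TIME_FMT)
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:saml="{SAML_NS}"><soap:Header>'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{nb}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SERVICE_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></soap:Header>'
            '<soap:Body><GetPrice xmlns="urn:example:orders"><model>x</model></GetPrice></soap:Body>'
            '</soap:Envelope>')


if __name__ == "__main__":
    issued = datetime.now(timezone.utc)
    envelope = sample_envelope("alice", "https://idp.partner.example", issued)
    print("subject:", validate_assertion(envelope, seen=set()))
    try:
        validate_assertion(envelope, now=issued + timedelta(minutes=30), seen=set())
    except AssertionRejected as err:
        print("rejected:", err)
```

The replay cache is what turns a bearer assertion into something closer to a one-time sign-on token: the same assertion presented twice is rejected even though every other condition still holds, and the validity window bounds how long that cache must remember an ID.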
In this article, we have discussed the need for securing Web services and how TransactionMinder helps secure them. There are many such security products on the market, and TransactionMinder is one of the well-known solutions. When a service provider has already developed Web services and wants to secure them without much effort, TransactionMinder would be an ideal solution. The Web services can reside independently of TransactionMinder, and TransactionMinder can still secure them.
About the Authors
Rajesh Devadas holds a Master’s degree in Computer Applications from MK University, Madurai. He has been working as a Technical Lead for Hewlett-Packard, Bangalore, with more than 10 years of domain experience in e-commerce, telecom, and mobile. He is currently involved in designing and developing mobile Web services infrastructure and solutions. He can be reached at Rajesh.Devadas@hp.com or firstname.lastname@example.org.
Ayyappan Gandhirajan has been working as a senior software engineer for Hewlett-Packard, Bangalore, with more than five years of industry experience involving Web services and J2EE technologies. He is currently involved in Web services orchestration and developing access controllers for Web services. He can be reached at email@example.com or G_Ayyapparaj@yahoo.com.