Federated Web Services with Mobile Devices

Similar documents
The Business of Identity: Business Drivers and Use Cases of Identity Web Services

J2EE APIs and Emerging Web Services Standards

JSR 248: Taking Java Platform, Micro Edition (Java ME) to the Next Level

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Programming Web Services in Java

Interoperable Business Web Services Using Project Metro and.net 3.5

Services Specifications: Realizing New Business Capabilities

Oracle Developer Day

Takes 2 to Tango: Java Web Services and.net Interoperability

WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices

Chapter 17 Web Services Additional Topics

JXTA TM Technology for XML Messaging

National Identity Exchange Federation. Terminology Reference. Version 1.0

Tivoli Federated Identity Manager. Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

zentrale Sicherheitsplattform für WS Web Services Manager in Action: Leitender Systemberater Kersten Mebus

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation

Minne menet, Mobiili-Java?

Oracle Fusion Middleware

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

SAML-Based SSO Solution

Securing WebLogic Web Services for Oracle WebLogic Server 12c (12.2.1)

From UseCases to Specifications

Composable Web Services Using Interoperable Technologies From Sun s Project Tango

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Lesson 13 Securing Web Services (WS-Security, SAML)

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Identity Provider for SAP Single Sign-On and SAP Identity Management

Developing Interoperable Web Services for the Enterprise

Warm Up to Identity Protocol Soup

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Authentication. Katarina

Composable Web Services Using Interoperable Technologies from Sun's "Project Tango"

Security Assertions Markup Language (SAML)

C exam. IBM C IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile. Version: 1.

Gestión dinámica de configuraciones en dispositivos móviles en un entorno Liberty/OMA-DM

Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record

Module 12 Web Service Model

The Identity Web An Overview of XNS and the OASIS XRI TC

Reliable and Transacted Web Services Between Sun s Project Tango and Microsoft Indigo

Berner Fachhochschule. Technik und Informatik. Web Services. An Introduction. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel

A RESTful Approach to Identity-based Web Services

SAML-Based SSO Solution

Olli Jussila Adaptive R&D TeliaSonera

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

Ellipse Web Services Overview

ICENI: An Open Grid Service Architecture Implemented with Jini Nathalie Furmento, William Lee, Anthony Mayer, Steven Newhouse, and John Darlington

SERVICE-ORIENTED ARCHITECTURE in MOBILE NETWORK. Long Nguyen Hoang Marek Konieczny

CA SiteMinder Federation

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

1Z Java EE 6 Web Services Developer Certified Expert Exam Summary Syllabus Questions

Identity-Enabled Web Services

IDENTITY MANAGEMENT AND FEDERATION BC.Net Conference April 25, 2006

Access Control Service Oriented Architecture

OMA Web Services Network Identity Architecture

April Understanding Federated Single Sign-On (SSO) Process

Technical Information On Bluewin Identity Provider

(9A05803) WEB SERVICES (ELECTIVE - III)

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

Dissecting NIST Digital Identity Guidelines

How to Overcome Web Services Security Obstacles

CA CloudMinder. SSO Partnership Federation Guide 1.51

Basic Profile 1.0. Promoting Web Services Interoperability Across Platforms, Applications and Programming Languages

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

OIO WS-Trust Profile. Version 1.0. IT- & Telestyrelsen October 2009

REST/SOAP Harmonization proposal for Identity-based Web-Services

WS-* Standards. Szolgáltatásorientált rendszerintegráció Service-Oriented System Integration. Dr. Balázs Simon BME, IIT

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

Novell Access Manager 3.1

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Web Services, ebxml and XML Security

Java Web Service Essentials (TT7300) Day(s): 3. Course Code: GK4232. Overview

OIO Bootstrap Token Profile

Network Security Essentials

Federated Identity Manager Business Gateway Version Configuration Guide GC

Identity and capability management and federation

BEAAquaLogic. Service Bus. Interoperability With EJB Transport

Services Interoperability With Java Technology and.net: Technologies for Web 2.0

IBM C IBM WebSphere App Server Dev Tools V8.5, with Liberty.

Canadian Access Federation: Trust Assertion Document (TAD)

Oracle. Exam Questions 1z Java Enterprise Edition 5 Web Services Developer Certified Professional Upgrade Exam. Version:Demo

Making Java /.Net Technology- Based Web Services Interoperability Real

Artix Version Release Notes: Java

CA SiteMinder Web Services Security

Oracle Service Bus. Interoperability with EJB Transport 10g Release 3 (10.3) October 2008

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

SUN. Java Platform Enterprise Edition 6 Web Services Developer Certified Professional

Oracle Fusion Middleware

Managing Trust in e-health with Federated Identity Management

XML Key Information System for Secure e-trading

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

UNITE 2007 Technology Conference

Transcription:

Federated Web Services with Mobile Devices Rajeev Angal Architect Sun Microsystems Pat Patterson Architect Sun Microsystems Session TS-6673 Copyright 2006, Sun Microsystems, Inc., All rights reserved. 2006 JavaOne SM Conference Session TS-6673

Goal of This Talk Learn how to secure Federated Web Services using the Java Platform, Micro Edition (Java ME) 2006 JavaOne SM Conference Session TS-6673 2

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 3

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 4

The Problem Business problem: Need to leverage mobile commerce opportunities Careers and operators looking to differentiate themselves Need to be balanced with legal and regulations Technical problem: Web Services + rich apps is a logical choice: msoa Need for end-to-end security and privacy Need the solution to scale Solution: Identity enabling mobile web services through security and privacy-focused specifications from Liberty Alliance Project and WS-* 2006 JavaOne SM Conference Session TS-6673 5

Defining Identity Web Service Consumer Identity Web Service Provider Notes: An identity might be a person, device, service, role or group We often need more than two identities e.g., invoker, sender and intermediaries Profile and credentials User service discovery Preferences (Privacy and personalization) Authentication, authorization Audit Trust 2006 JavaOne SM Conference Session TS-6673 6

Defining Federation Federation: the agreements, standards, and technologies that make identity and entitlements portable across autonomous domains; for example, an enterprise and third parties providing services to its employees We federate identities when we create associations between identities in different domains; a federation must be in place before we can federate identities 2006 JavaOne SM Conference Session TS-6673 7

Key Security Questions How does a Web service consumer find the Web service provider? How does Web service consumer obtain the credentials it needs to invoke services at the web service provider? How is the trust relationship established? How is invoker identity passed? Privacy, confidentiality, non-repudiation at each hop? How are federated identities resolved? How to avoid vendor lock-in? 2006 JavaOne SM Conference Session TS-6673 8

Solution 1: WS-* Specifications OASIS Security Assertion Markup Language (SAML) 2.0 OASIS WS-Security, WS-I BSP W3C WS-Addressing (released 5/9/06!) WS-Policy (submitted to W3C) 'WS-SX' (submitted to OASIS) WS-Trust WS-SecureConversation WS-SecurityPolicy Composable framework 2006 JavaOne SM Conference Session TS-6673 9

Solution 2: Liberty Alliance Project Specifications Identity Federation Framework (now subsumed in OASIS SAML 2.0) Identity Web services framework 1.1 Built on existing industry standards: WS-Security, SAML, XML Signature, XML encryption etc. Built-in privacy Late binding via the discovery service Data Services Template to build web services Interoperable: Mandatory Conformance Program 2006 JavaOne SM Conference Session TS-6673 10

Liberty Architectural Modules Identity Federation Framework (ID-FF) Enables Identity federation and management via identity/account linkage, SSO, and session management Identity Service Interface Specifications (ID-SIS) Enables interoperable Identity-based web services through schema and service interface specifications Identity Web Services Framework (ID-WSF) Provides the framework for building interoperable identity-based Web services SAML HTTP WSS WSDL XML Enc WAP XML SOAP SSL/TLS XML Sig 2006 JavaOne SM Conference Session TS-6673 11

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 12

Identity-Enabled Web Services Mobile Device (Web Service Consumer) 2. Issue a security assertion 3. Consumer interacts with provider using the security assertion 1. Authenticate and/or Lookup resources/services associated with identity Trusted Authority Web Service Provider Update or register services with trusted authority Administrator Manage registered services and policies 2006 JavaOne SM Conference Session TS-6673 13

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 14

JSR 172: XML + Web Services Application Application Business Logic JSR 172 JAX-RPC Subset Stub JSR 172 JAXP Subset API JSR 172 JAX-RPC Subset API Service Provider Interface JSR 172 JAX-RPC Subset Runtime Mobile Information Device Profile, Personal Basic Profile CLDC/CDC Operating System 2006 JavaOne SM Conference Session TS-6673 15

JSR 172: Programming Model Generate a JSR 172 Java API for XML-based remote procedure calls (JAX-RPC) stub class from a WSDL XML document that describes a remote Web service In your code, create an instance of the generated stub After instantiation, invoke methods of the generated stub; these methods correspond to the service endpoint s wsdl:operation in the WSDL XML document 2006 JavaOne SM Conference Session TS-6673 16

Code Sample // Instantiate the service stub. PubService_Stub service = new PubService_Stub(); // Set up the stub. service._setproperty(stub.endpoint_address_property, serviceurl); service._setproperty(stub.session_maintain_property, new Boolean(true));... try { // Invoke the PubService method getarticlebyid() WirelessArticle article = service.getarticlebyid(articleid); } catch (RemoteException e) { // Handle RMI exception. } 2006 JavaOne SM Conference Session TS-6673 17

JSR 177: Security and Trust Services Smart card access and cryptographic capabilities to applications running on small devices; the SATSA specification defines four distinct APIs: SATSA-APDU: communicate with smart card applications using a low-level protocol SATSA-JCRMI: communicate with smart card applications using a remote object protocol SATSA-PKI: use a smart card to digitally sign data and manage user certificates SATSA-CRYPTO cryptographic API for message digests, digital signatures, and ciphers 2006 JavaOne SM Conference Session TS-6673 18

Java ME Technology Limitations XML signing and encryption spec missing; some third-party vendors provide these APIs No JAX-RPC handler support JSR 279 is still under development 2006 JavaOne SM Conference Session TS-6673 19

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 20

Web Services Security Framework (JSR 279) COT 1 IDP (AuthN COT 2 Application Application Application Application Application Application Discovery/TA AuthN XML Invocation Disco Manage SOAP XMLSig XMLEnc SATSA J2ME Core Sec Mechs Network WSP 4 WSP 3 WSP 2 WSP 1 2006 JavaOne SM Conference Session TS-6673 21

Leveraging What Exists Today Provision user certificate on device [JSR177 ] Use PKI/Cert Authentication for authenticating user to IDP/ID-WSF AuthN service [JSR 172,ID-WSF] Obtain bootstrap containing BEARER SAML token [JSR 172, ID-WSF Authn] Query Disco web service for WSP to be accessed [JSR 172, ID-WSF Disco] Obtain BEARER SAML token [JSR 172, ID-WSF] Invoke WSP [JSR 172, ID-WSF SIS] Obtain and consume response [JSR 172] 2006 JavaOne SM Conference Session TS-6673 22

Possible Enhancements ClientSSL for all WSC WSP calls [JSR 177 ] Cryptographically tying the Bearer token with SOAP body with SATSA Crypto: proprietary, both ends have to understand signed/encrypted data UserID/Passwd authentication + userid/passwd basic authentication during SOAP invocations could be used in place of PKI 2006 JavaOne SM Conference Session TS-6673 23

DEMO Buying Ringtones and View Bill 2006 JavaOne SM Conference Session TS-6673 24

Demo Summary Prerequisites: COT setup: www.mobileoperator.com: IDP+AuthN+Disco+Billing WSP www.javarings.com: Ringtones WSP User s mobile provisioned with certificates from a CA trusted by mobileoperator.com Sample MIDP app on phone demonstrating: Cert based user authn with mobileoperator.com A ringtone purchase from www.javarings.com Billing query to see current bill Key points to note: AuthN ONCE: Web services SSO Secure access + No personal/identifiable info to WSP 2006 JavaOne SM Conference Session TS-6673 25

What s Happening Application Mobile Device Framework Identity Provider mobileoperator Discovery Service javarings Service Provider 1. Authenticate (Cert) 1a. Assertion (includes Trusted Authority location) 2. Request ringtone 3. Request Ringtones WSP location 4. Provide Ringtones WSP location + tokens 5. Request Ringtone + token 6. Optional approval 8. Provide ringtone 7. Provide Ringtone + token 2006 JavaOne SM Conference Session TS-6673 26

Other Interesting Use Cases Multi COT access from the same device Infocard-like user interface to select IDP s/ credentials to supply based on user choice PAOS usage obtaining profile/preference attributes stored on the phone 2006 JavaOne SM Conference Session TS-6673 27

Agenda Mobile Web Services: The Problem Identity-Enabling Web Services Java ME Technology JSRs: 172, 177, 279 Putting It Together Demo Next Steps 2006 JavaOne SM Conference Session TS-6673 28

Java ME Technology Enhancements Needed! Good news: mobile devices are becoming more powerful, can accommodate larger footprint XML Signing and Encryption needs to be addressed JAX-RPC SOAP header manipulation apis need to be provided to ease development Common Liberty + WS-*based service invocation framework needs to be in place (JSR 279) Isolation/sandboxing between disparate apps on the same device needs to be looked into Infocard equivalent for Java ME technology compliant devices 2006 JavaOne SM Conference Session TS-6673 29

Summary Importance of security and privacy in mcommerce applications Liberty Alliance Project and Java ME technology specs together addressing the problem today Call for future enhancements needed 2006 JavaOne SM Conference Session TS-6673 30

For More Information Identity @ Sun http://www.sun.com/identity Liberty Alliance Project http://www.projectliberty.org/ Project Tango http://wsit.dev.java.net/ JSRs http://www.jcp.org/en/jsr/detail?id=172 http://www.jcp.org/en/jsr/detail?id=177 http://www.jcp.org/en/jsr/detail?id=279 Superpatterns http://blogs.sun.com/superpat 2006 JavaOne SM Conference Session TS-6673 31

Q&A 2006 JavaOne SM Conference Session TS-6673 32

Federated Web Services with Mobile Devices Rajeev Angal Architect Sun Microsystems Pat Patterson Architect Sun Microsystems Session TS-6673 2006 JavaOne SM Conference Session TS-6673

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback