Wednesday, October 31, 2007

Web service security & clustering

The Oracle Web Services Manager (OWSM) secures Web services by using policy enforcement points. It has several types of policy enforcement points: Gateways, Web service client agents (client-Agents), and Web service server agents (server-Agents). The policies themselves are created, managed, and stored in the OWSM Policy Manager, which is a centralized policy store.

An example policy could be to require authentication and authorization to all services. This policy is centrally stored in the Policy Manager, and is consumed by all the agents and gateways deployed in the SOA.

Gateway Use Case

An Internet-facing Web service can be protected by inserting a gateway in front of it. A gateway is similar to a web-based proxy: it is a choke point through which all Web service traffic is forced. Gateways are SOAP/XML intermediaries that enforce Web services policies while intermediating Web services traffic between clients and services.

Authentication at the gateway would be done using a WS-Security Username Token. Based on the credentials in the token, the gateway should be able to authenticate the caller and authorize access to the service.

Alternatively, a WS-Security SAML Token can be applied when business partners expose business processes to each other within a secure context.

Agent Use Case

A Web service agent is another useful policy enforcement point. Agents (client-Agents and server-Agents) are SOAP interceptors that enforce Web services policies from within the same Web application.

Agents execute in the same process as the application, while Gateways run in separate processes and possibly on different servers. Gateways can manage services from multiple applications, while agents control only the services belonging to a single application.

If a Web service is not exposed over the Internet, using agents is a viable option to secure the business process. There can be other reasons for using agents, for example when one wants end-to-end security, where the data is secured from the beginning to the end of the process rather than only at the gateway.


OASIS WSS UsernameToken Profile (user name and password)

OASIS WSS X.509 Token Profile 1.1 (certificate based)

OASIS WSS SAML Token Profile 1.1 (XML assertion token issued by an assertion server, used for SSO)

OASIS WSS SwA Profile 1.1 (SOAP with Attachments)
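The gateway use case above authenticates callers with the UsernameToken Profile listed here. As an added illustration (not OWSM or Oracle code), the following shows what the client-Agent side emits and what a gateway or server-Agent must check: the profile's PasswordDigest rule Base64(SHA-1(nonce + created + password)), the Created timestamp freshness window, and nonce replay tracking. The build_token/verify_token helpers and the 300-second window are assumptions of this example.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# OASIS WSS 1.0 namespaces and the PasswordDigest Type URI from the UsernameToken Profile
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile rule: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(user, password, nonce=None, created=None):
    """Client-Agent side (hypothetical helper): a wsse:UsernameToken header element."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def verify_token(xml, lookup_password, seen_nonces, now=None, window_s=300):
    """Gateway / server-Agent side: returns the authenticated user name, or None to reject.
    `now` is a UTC timestamp string in TS format (defaults to the clock); `seen_nonces` is
    the enforcement point's replay cache; `lookup_password` maps a user to its password."""
    try:
        el = ET.fromstring(xml)
        user = el.findtext(f"{{{WSSE}}}Username")
        pw = el.find(f"{{{WSSE}}}Password")
        nonce_b64 = el.findtext(f"{{{WSSE}}}Nonce")
        created = el.findtext(f"{{{WSU}}}Created")
        if None in (user, pw, nonce_b64, created) or pw.get("Type") != DIGEST:
            return None  # reject cleartext PasswordText and malformed tokens
        now_dt = datetime.strptime(now, TS) if now else datetime.now(timezone.utc).replace(tzinfo=None)
        age = abs((now_dt - datetime.strptime(created, TS)).total_seconds())
        if age > window_s or nonce_b64 in seen_nonces:
            return None  # outside the freshness window, or nonce already seen (replay)
        expected = lookup_password(user)
        if expected is None:
            return None  # unknown user
        good = password_digest(base64.b64decode(nonce_b64, validate=True), created, expected)
        if not hmac.compare_digest(good, pw.text or ""):
            return None  # digest mismatch: wrong password or tampered nonce/created
    except (ET.ParseError, ValueError, TypeError):
        return None  # unparsable XML, bad base64, or bad timestamp
    seen_nonces.add(nonce_b64)
    return user
```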



