Web Services Security Training

Web services security training teaches developers both web service security implementation and security best practices. As part of this, developers learn how to assess the security threats to their services and counter these threats with appropriate security technologies. The class covers the full range of technologies you can use for securing web services, starting with security basics and TLS/SSL secure transports before moving on to the whole gamut of WS-* security standards. Optional modules cover specific technologies in greater depth.

Depending on the optional modules chosen for the training, the course takes 2-4 days. In-class assignments are normally supplied with both Apache Ant (or Maven) build files and Eclipse project files, and Eclipse is used for coding demonstrations. Apache Tomcat is normally used for service deployment. SOAP security assignments are done on the powerful and versatile Apache CXF web services stack, using both JAX-WS standard techniques and CXF-specific extensions.

Optimum class size is 6-12 developers, though somewhat larger numbers can be accommodated with pair programming.

Course Objectives

  • Understand the principles of modern encryption technologies
  • Learn how to create and work with keys and certificates
  • Understand how TLS/SSL secure transports work, and how to configure and use them
  • Learn how WS-Security works, and how to configure it with WS-SecurityPolicy
  • Learn how to use WS-Trust with SAML identity management, and WS-SecureConversation
  • Apply all forms of security through in-class assignments using JAX-WS and Apache CXF
  • Understand the range of security threats and the best practices for countering them

Attainment of course objectives is measured by performance on in-class assignments and snap quizes for each module. Certificates of completion are available for attendees who demonstrate their grasp of the material and ability to apply it to practical problems.

Course Prerequisites

  • Intermediate Java programming experience
  • Basic knowledge of web services (can be covered in class if appropriate)

Course Outline

Part I - Basic principles

  1. What constitutes a security threat?
  2. Symmetric and asymmetric encryption
  3. Signing and certificates
    1. Message digests
    2. Signing digests
    3. Certificates and chains of trust
  4. Working with keystores/truststores

Assignments:

  1. Symmetric encryption using a secret key
  2. Generating asymmetric encryption key pairs and self-signed certificates
  3. Asymmetric encryption using private key and certificate

Part II - Secure transports

  1. How TLS/SSL transport security works
  2. Configuring and using basic TLS
  3. TLS with client certificates
  4. TLS strengths and weaknesses

Assignments:

  1. Enabling TLS for web browser client
  2. Using TLS for web services client
  3. Implementing dual-certificate TLS

Part III - XML encryption and signing (optional)

  1. XML encryption standard
  2. XML signature standard
    1. The role of canonicalization
    2. References and signatures
  3. Using XML encryption and signature directly

Assignments:

  1. Encrypting XML content
  2. Signing and verifying XML content

Part IV - Introduction to WS-Security

  1. How WS-Security builds on XML encryption and signature
  2. Key and certificate handling in WS-Security
  3. Encryption algorithms
  4. WS-Security token profiles
  5. Using WS-Security directly

Assignments:

  1. Encrypting web service messages
  2. Signing web service messages

Part V - Introduction to WS-Policy and WS-SecurityPolicy

  1. Basic WS-Policy structure
  2. WS-Security policy introduction:
    1. UsernameToken for identity information
    2. AsymmetricBinding for asymmetric encryption
    3. Specifying components to be encrypted and/or signed
    4. Understanding asymmetric encryption key exchanges
  3. Attaching policies in WSDL:
    1. Embedding policies in WSDL
    2. Policy references and scopes
    3. Sharing policies across an enterprise

Assignments:

  1. Adding UsernameToken to service
  2. Adding signing and encryption to service
  3. Applying different policies to different operations

Part VI - WS-Trust and identity management (optional)

  1. Issues of authentication and authorization
  2. Using SAML identity management:
    1. SAML token structure
    2. Principles of WS-Trust
    3. WS-Trust client configuration
    4. Using SAML tokens with WS-Security
  3. Using Kerberos identity management

Assignments:

  1. Obtaining a SAML token directly
  2. Securing a web service with SAML tokens

Part VII - Dealing with performance (optional)

  1. Performance costs of security:
    1. Overhead added by TLS
    2. Overhead added by WS-Security asymmetric encryption
  2. Options for reducing overhead:
    1. Symmetric encryption
    2. WS-SecureConversation

Assignments:

  1. Use symmetric encryption for service
  2. Implement WS-SecureConversation for service

Part VIII - Security best practices

  1. Understanding the threats:
    1. Review of threat types
    2. Application to web services
    3. Security approaches to counter threats
  2. Planning a security architecture
  3. Designing security for your services:
    1. Granular application of WS-Security
    2. Separate endpoints for different security scenarios
  4. Security with ESB architectures

Assignments:

  1. Analyze and discuss a supplied scenario