Oracle PDF material for Web Services Security - Click Here
XML-Signature and XML-Encryption
XML signatures are designed for use in XML transactions. It is a standard that was jointly developed by W3C and the IETF (RFC 2807, RFC 3275). The standard defines a schema for capturing the result of a digital signature operation applied to arbitrary data and its processing. XML signatures add authentication, data integrity, and support for non-repudiation to the signed data.XML Signature has the ability to sign only specific portions of the XML tree rather than the complete document. This is important when a single XML document may need to be signed by multiple times by a single or multiple parties. This flexibility can ensure the integrity of certain portions of an XML document, while leaving open the possibility for other portions of the document to change. Signature validation mandates that the data object that was signed be accessible to the party that interested in the transaction. The XML signature will generally indicate the location of the original signed object.
Web Services Security
Developed at OASIS, Web Services Security (WSS) defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication.
WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
The work provides a general mechanism for associating security tokens with messages. The specification does not require a specific type of security token. It is designed to support multiple security token formats. WSS describes how to encode binary security tokens. The specification describes how to encode X.509 certificates and Kerberos tickets. Additionally, it also describes how to include opaque encrypted keys. The WSS specification defines an end to end security framework that provides support for intermediary security processing.
Message integrity is provided by using XML Signature in conjunction with security tokens to ensure that messages are transmitted without modifications. The integrity mechanisms can support multiple signatures, possibly by multiple actors. The techniques are extensible such that they can support additional signature formats.
Message confidentiality is granted by using XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential. The encryption mechanisms can support operations by multiple actors.
XML Key Management Specification (XKMS) 2.0
XKMS 2.0 is an XML-based way of managing the Public Key Infrastructure (PKI), a system that uses public-key cryptography for encrypting, signing, authorizing and verifying the authenticity of information in the Internet. It specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature and XML Encryption.XKMS allow implementers to outsource the task of key registration and validation to a "trust" utility. This simplify implementation since the actual work of managing public and private key pairs and other PKI details is done by third party.
An XKMS trust utility works with any PKI system, passing the information back and forth between it and the Web service. Since the trust utility does the work, the Web service itself can be kept simple. XKMS is a W3C specification.
Security Assertion Markup Language (SAML)
SAML is an Extensible Markup Language standard (XML) that supports Single Sign On. SAML allows a user to log on once to a Web site and conduct business with affiliated but separate Web sites. SAML can be used in business-to-business and business-to-consumer transactions.There are threes basic SAML components: assertions, protocol, and binding.
Assertions can be one of three types: authentication, attribute, and authorization. Authentication assertion validates the identity of the user. The attribute assertion contains specific information about the user. While, the authorization assertion identifies what the user is authorized to do.
The protocol defines how SAML request and receives assertions.
There are several available binding for SAML. There are bindings that define how SAML message exchanges are mapped to SOAP, HTTP, SMTP and FTP among others. The Organization for the Advancement of Structured Information Standards (OASIS) is the body developing SAML.
