WSO2

Courses

Security for Web Services

Request Info

Course Summary:

This course concentrates on Web services security using security components of the Apache Web Services project. Apache WSS4J, Apache Rampart and Rahas are the major components in securing communication in the Apache Axis2 message processing framework. This course introduces the challenges in Web Services security, and the specifications targeted towards solving different problems. It also gives an in-depth understanding of the Apache implementations. Finally, the participants will learn the best practices in securing Web services using these components.

Course Objectives:

  • Understand the security threats in Web services
  • Understand the available Web services security specifications and their roles
  • Components of the Apache Web services security infrastructure
  • Understand the best practices in securing Web services middleware

Duration:

  • Two days

Audience:

  • This course is most suitable for developers with some understanding of Web services technologies, Service Oriented Architecture, and a basic understanding of computer security concepts. (An understanding of WS-Sec* specifications is not required.)

Prerequisites:

  • Introductory level understanding of computer security concepts.
  • General understanding of Web services

Program:

  • Introduction, course outline, objectives
  • Recap on SOA and SOAP
    • SOA aims
    • Examples of SOAP messages
  • Threats in Web Services
  • Available specifications and their roles.
    • XML-Encryption
    • XML-Signature and the token profiles
    • WS-Security
    • WS-SecureConversation
    • WS-Trust
    • WS-Security Policy
    • SAML
  • An introduction to Apache Web services security components
    • Apache XML-Security
    • Apache WSS4J
    • Apache Rampart + Rahas + Secpolicy
  • Utilities
    • Setting up key stores using the Java keytool
  • Apache XML-Security - XML-Signature and XML-Encryption
    • C14N
    • Signing an XML file
    • Encrypting an XML element and element content
  • Apache WSS4J architecture and implementation
  • Axis2 and Web services security
    • DOOM
    • Neethi introduction
    • secpolicy
    • Apache Rampart architecture
  • Apache Rampart in action
    • Authentication
    • Integrity and Non-repudiation
    • Confidentiality
  • Apache Rahas - Axis2 WS-Trust implementation
    • Architecture
    • Extending Rahas
    • Using default issuers
  • Apache Rampart + Apache Rahas
    • Secure sessions (WS-SecureConversation)
    • Securing multiple message exchanges with Rampart and Rahas
  • Future
    • Features and products coming up
Request Info