- Author: Sitaraman Lakshminarayanan
- Publisher: Packt Publishing
The importance of security in delivering software solutions based on Service-Oriented Architecture (SOA) is growing more than ever. This is understandable: the data being exchanged is in many cases highly sensitive and private. The channel over which these data travel must therefore, among other things, provide authentication, authorization, confidentiality and integrity. Even if that conclusion is accepted, it raises another question. Is it enough to address these aspects at the programming level, by declaring them as hard-wired rules that become an inseparable part of the source code? To answer it, let's imagine the following model situation. A fictional company has a software solution containing 15 web services: 5 must be accessible only internally, the next 3 are exposed to a special group of business partners over a B2B interface (whose membership changes from time to time), and the rest can be used without any restrictions. Let's take the model further and imagine that the sensitivity of the data handled by the second group of web services later requires (after the solution is already deployed in production) additional changes to the currently defined security, for example the introduction of asymmetric cryptography. A further requirement would be that consumers of the third group of web services (the unrestricted ones) must authenticate themselves with a username and password obtained from the company portal (built by a different supplier). For the purposes of this example, such a fictional model is sufficient. Now imagine that the security policy of this software solution were declared as a set of hard-wired rules: how long would it take its supplier to expose the second group of services to a new business partner? How expensive would the implementation of such a change request be?
Let's push the situation a bit further and say that the new business partner mentioned above requires that authentication for these services be performed against its own internal database of user names and passwords. Which direction would the implementation of that change request take: extending the implementation of common service functionality with partner-specific security policy?! Unfortunately, the situation described is only a theoretical model. Reality is usually more difficult, and change requests are needed at least several times a year. Given that reality, it is evident that management of the security aspect needs to be moved elsewhere, to a new layer where it is addressed by a specialized component: Oracle Web Services Manager (OWSM).
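To make the argument of the model situation concrete, here is an added illustration (not code from the book or from OWSM) of the alternative to hard-wired rules: the access policy for the three service groups is held as data that a single enforcement point evaluates, so that onboarding a partner or tightening the public group is a policy edit rather than a code change. Service names, partner names and the request shape are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class GroupPolicy:
    services: Set[str]                  # service names covered by this policy
    network: str                        # "internal" or "any"
    allowed_partners: Set[str] = field(default_factory=set)  # empty = no partner restriction
    require_credentials: bool = False   # username/password must have been verified
    require_signature: bool = False     # placeholder for "add asymmetric crypto later"

@dataclass
class Request:
    service: str
    source_network: str                 # "internal" or "external"
    partner: Optional[str] = None
    authenticated: bool = False
    signed: bool = False

def evaluate(policies, req):
    """Return (allowed, reason). Services with no policy are denied by default."""
    for pol in policies.values():
        if req.service not in pol.services:
            continue
        if pol.network == "internal" and req.source_network != "internal":
            return False, "internal-only service reached from outside"
        if pol.allowed_partners and req.partner not in pol.allowed_partners:
            return False, "caller is not an authorised partner"
        if pol.require_credentials and not req.authenticated:
            return False, "credentials required"
        if pol.require_signature and not req.signed:
            return False, "message signature required"
        return True, "allowed"
    return False, "no policy covers this service"

def build_policies():
    """The review's model: 5 internal, 3 B2B, 7 public services (names constructed)."""
    return {
        "internal": GroupPolicy({f"svc{i}" for i in range(1, 6)}, "internal"),
        "b2b": GroupPolicy({"svc6", "svc7", "svc8"}, "any", {"partner-a"}, True),
        "public": GroupPolicy({f"svc{i}" for i in range(9, 16)}, "any"),
    }

def onboard_partner(policies, name):
    """Change request 1: expose the B2B group to a new partner (a policy edit)."""
    policies["b2b"].allowed_partners.add(name)

def tighten_public(policies):
    """Change request 2: public consumers must now present portal credentials."""
    policies["public"].require_credentials = True
```

The service code itself never changes between the two change requests; only the policy data passed to `evaluate` does.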
The book is well organized. It is divided into 13 chapters in which the author gradually introduces the topic, from a beginner's level to a more advanced treatment of the concept of security in the world of SOA and all its rules, which remain interesting for more experienced users. All chapters also share a unified structure, which helps the reader find their way around the book. I found the notes very handy: they are appended with hints that could not normally be placed in the main text because of its context. Moreover, the whole book is interlaced with a really large number of examples, including a real client-server application where the server is built on Java while the client is developed on the .NET platform. This bridges the two "separate" worlds and demonstrates platform independence, which is another advantage I noticed.
Chapter 1 outlines web services security issues from the perspective of an initial analysis. It addresses questions such as why we should give the topic such deep attention and why it is necessary to address it separately rather than merging it with, for example, the security of the network infrastructure. It also discusses which questions must be answered in order to decide whether or not to deploy this component in your SOA solutions.
Chapter 2 goes deeper and discusses in general terms what the implementation of web services security entails. It also focuses on the need for standardization and centralization of this functionality, links it to existing solutions for centralized identity management and presents the reader with the basic design patterns for composing them.
Chapter 3 leaves the general plane and maps the theoretical components declared in the previous chapters onto the individual functional parts that belong to OWSM, outlining the functionality each of them is responsible for.
Chapters 4, 5 and 6 address how to implement, in an OWSM environment, the functions that provide authentication, authorization, data confidentiality (encryption and decryption) and integrity (signing). Each function is explained both theoretically and by example (see below).
Chapter 7 offers an introduction to implementing your own so-called "policy step" in an OWSM environment. It explains how to implement, compile and deploy it. The functionality is explained both theoretically and by example (see below).
Chapter 8 discusses how OWSM can be deployed in the so-called high-availability mode. It depicts the two possible OWSM topologies in this mode, along with detailed instructions for implementing each of them.
Chapter 9 presents the monitoring functionality for secured web services in an OWSM environment. The functionality is explained both theoretically and by example (creating your own statistical reports).
Chapters 10 and 11 explain in detail the internal structure of the SOAP messages produced by secured web services.
Chapter 12 deals in detail with the relationship between the signing and encryption functions applied to SOAP messages produced by web services, and especially with how their order (sign first and then encrypt, or encrypt first and then sign) affects the very nature of the security of the SOAP message itself.
Chapter 13 explains how OWSM can be connected with components for centralized identity management.
As mentioned above, the entire publication is interwoven with plenty of examples illustrating the subject. The main one, through which the author explains how the implementation of authentication, authorization, data confidentiality and integrity works in practice, is also designed to show interoperability across multiple development platforms. One finds a real implementation of securing a service by user name and password, drawn both from the standard file realm and from Microsoft Active Directory, as well as encrypting, decrypting and signing messages. On the positive side, I also count the fact that all examples can be implemented completely free of charge: for these purposes it is not necessary to have purchased a commercial license for any of the products used.
A gap in the book's coverage is that the author devoted it exclusively to securing services through the so-called "Gateway" and only very marginally mentioned that services can also be secured through agents; those scenarios are excluded from all examples. This is something I think is really missing, since I personally had problems when implementing this functionality (server/client agents), and from various forums I found that it wasn't just my case.
Even despite the above-mentioned shortcoming, overall I can only recommend this book, both to experienced users experimenting with OWSM and to beginners who want to get acquainted with the subject. It is thus a sort of introductory guide, but a very well written one.