Understanding Web-Services Security & XML Encryption

Web-services are client and server programs that communicate over the Hypertext Transfer Protocol (HTTP). They use SOAP messaging, which is much more efficient and less bandwidth-costly. Web-services have become a vital technology for organizations because of the variety of features offered.

The security of web-services is important to understand, because it affects the data flow over different networks.

Schemes to Provide Message-Level Security

XML Digital Signature

The XML digital signature is designed to be used in XML transaction and provides authentication, data integrity, and non-repudiation. XML digital signature offers flexibility by allowing for one or more items to be signed, as well as both XML and non-XML data.  Additionally, it is used to sign only specific portions of the XML tree, rather than the complete document.

The XML signature itself will generally indicate the location of the original signed object. This reference can:

  • Be referenced by a URI within the XML signature
  • Reside within the same resource as the XML signature (the signature is a sibling)
  • Be embedded within the XML signature (the signature is the parent)
  • Have its XML signature embedded within itself (the signature is the child)

XML Encryption

XML Encryption gives developers a secure, uniform way to protect their XML documents. Using this scheme, only the data that should be encrypted will be, rather than the whole document.

An example of XML Encryption is given below:

<Order>
<name>Prabhat Singh</name>
<address>ABC</address>
<prodNumber>9012345678</prodNumber>
<quantity>4</quantity>
<EncryptedData xmlns='http://www.w3.org/2000/11/temp-xmlenc'>
<EncryptionMethod Algorithm="urn:nist-gov:tripledes-ede-cbc">
<s0:IV xmlns:s0='http://somens'>ABCD</s0:IV>
</EncryptionMethod>
<KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
</KeyInfo>
<CipherData>A23B45C56</CipherData>
</EncryptedData>
</Order>

XML Key Management Specification (XKMS)

XKMS consists of two parts: XKISS (XML Key Information Service Specification) and XKRSS (XML Key Registration Service Specification). XKISS defines a protocol for resolving or validating public keys contained in a signed and encrypted XML documents, while XKRSS defines a protocol for public key registration, revocation, and recovery.

The key aspect of XKMS is that it serves as a protocol specification between an XKMS client and in XKMS server. In doing this, the XKMS server provides trust services to its clients (in the form of web services) by performing various public key infrastructure (PKI) operations, such as public key validation, registration, recovery, and revocation on behalf of the clients.

Extensible Access Control Markup Language (XACML)

The primary goal of XACML is to standardize the access control language in XML syntax. There is no need to develop an application-specific access control language or to write the access control policy in multiple languages; instead, system administrators should need to understand only one standardized language.

Secure Assertion Markup Langauge (SAML)

SAML is an XML-based framework used to exchange security-related information between the client and the servers. The security information is expressed in terms of assertions, which defines how SAML assertion can transport using SOAP over HTTP.

WS-Security

Web-service security specification defines end-to-end SOAP messaging security through SOAP header extensions. It supports a one-time authentication feature, XML encryption, multiple security tokens, and exchanges signs from the communication partner.

Example

  1. WEB-INF/sun-jaxws.xml: Endpoints for requests
    <?xml version="1.0" encoding="UTF-8"?>
    <endpoints
      xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime"
      version="2.0">
      <endpoint
        name="CalWS"
        implementation="com.tpg.prabhat.CalWSImpl"
        url-pattern="/CallWS"/>
    </endpoints>
  2. Service interface: To request handler interface where path has been given (handler.xml) for header validation class
    @WebService
    @HandlerChain(file="handler.xml")
    public interface CalWS {
    	@WebResult(name = "HeaderResponse")
    	public String headerValidation();
    
    }
  3. Handler.xml: Contains header validation class path
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
    	xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    	<javaee:handler-chain>
    		<javaee:handler>
    			<javaee:handler-class>com.tpg.prabhat.header.SoapHeaderValidator</javaee:handler-class>
    		</javaee:handler>
    	</javaee:handler-chain>
    </javaee:handler-chains>
  4. Service Implementation class: SOAP service implementation class
    @WebService(endpointInterface = "com.tpg.prabhat.CalWS",
    portName="calWSPort", serviceName = "calWSService")
    @HandlerChain(file="handler.xml")
    
    public class CalWSImpl implements CalWS {
    @WebMethod(operationName = "HeaderRequest", action = "headerValidation")
    	@WebResult(name = "HeaderResponse")
    	public String headerValidation(){
    		// other code process
    		return "chain";
    	}
    }
  5. SoapHeaderValidator.java: Validation class to validate username and password
    public class SoapHeaderValidator implements SOAPHandler<SOAPMessageContext>{
    
    	@Override
    	public boolean handleMessage(SOAPMessageContext context) {
    
    		System.out.println("Server : handleMessage()......");
    
    		Boolean isRequest = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
    
    		if(!isRequest){
    
    			try{
    				SOAPMessage soapMsg = context.getMessage();
    				SOAPEnvelope soapEnv = soapMsg.getSOAPPart().getEnvelope();
    				SOAPHeader soapHeader = soapEnv.getHeader();
    
    				//if no header, add one
    				if (soapHeader == null){
    					soapHeader = soapEnv.addHeader();
    					//throw exception
    					generateSOAPErrMessage(soapMsg, "No SOAP header.");
    				}
    
    				Iterator it = soapHeader.extractAllHeaderElements();
    
    				if (it == null || !it.hasNext()){
    					generateSOAPErrMessage(soapMsg, "No header block for next actor.");
    				}
    
    				Node node = (Node) it.next();
    				String name = node.getNodeName();
    				String value = (node == null) ? null : node.getValue();
    
    				if (value == null){
    					generateSOAPErrMessage(soapMsg, "No value in header block.");
    				}
    
    				if(!name.equals("UsernameToken") && !value.equals("Prabhat")){
    					generateSOAPErrMessage(soapMsg, "Invalid key and value, access is denied.");
    				}
    
    				//tracking
    				soapMsg.writeTo(System.out);
    
    			}catch(SOAPException e){
    				System.err.println(e);
    			}catch(IOException e){
    				System.err.println(e);
    			}
    
    		}
    
    		//continue other handler chain
    		return true;
    	}
    
    	@Override
    	public boolean handleFault(SOAPMessageContext context) {
    
    		System.out.println("Server : handleFault()......");
    
    		return true;
    	}
    
    	@Override
    	public void close(MessageContext context) {
    		System.out.println("Server : close()......");
    	}
    
    	@Override
    	public Set<QName> getHeaders() {
    		System.out.println("Server : getHeaders()......");
    		return null;
    	}
    
    	private void generateSOAPErrMessage(SOAPMessage msg, String reason) {
    		try {
    			SOAPBody soapBody = msg.getSOAPPart().getEnvelope().getBody();
    			SOAPFault soapFault = soapBody.addFault();
    			soapFault.setFaultString(reason);
    			throw new SOAPFaultException(soapFault); 
    		}
    		catch(SOAPException e) { }
    	}
    
    }
  6. SOAP Request: Simple SOAP request
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    	<soap:Header>
    		<Username>pks</Username>
    		<Password Type="PasswordText">>password</Password>
    	</soap:Header>
    	<soap:Body>
    		<ns2:getHelloWorldAsString xmlns:ns2="http://prabhat.tpg.com/">
    			// other string as per requirement
    		</ns2:getHelloWorldAsString>
    	</soap:Body>
    </soap:Envelope>

Find the source code here.

 

Prabhat Kumar Singh

Prabhat Kumar Singh

Module Lead

Prabhat Kumar Singh is a Module Lead at 3Pillar Global. He has expertise on complete J2EE stack and open source technologies. He has worked on Multiple Domains mainly on Financial, E*Restaurant and Advertisement. Prior to joining 3Pillar, he has been associated with companies such as ANR Software, NVision Solutions, and Sapient Corporation.

Leave a Reply

Related Posts

High Availability and Automatic Failover in Hadoop Hadoop in Brief Hadoop is one of the most popular sets of big data processing technologies/frameworks in use today. From Adobe and eBay to Facebook a...
How the Right Tech Stack Fuels Innovation – The Innova... On this episode of The Innovation Engine podcast, we take a look at how choosing the right tech stack can fuel innovation in your company. We'll talk ...
The Road to AWS re:Invent 2018 – Weekly Predictions, P... For the last two weeks, I’ve been making predictions of what might be announced at AWS’ upcoming re:Invent conference. In week 1, I made some guesses ...
Building a Microservice Architecture with Spring Boot and Do... This is the fourth blog post in a 4-part series on building a microservice architecture with Spring Boot and Docker. If you would like to read the pre...
Building a Microservice Architecture with Spring Boot and Do... Part III: Building Your First Microservice, its Container, and Linking Containers We're about ready to actually get started with building a microserv...