Securing Web Services with Java EE 5



Audience
This course is designed for Java programmers who need to build secure applications. It has also proved helpful for system administrators and security officers who need a clear understanding of how security works within Java.

Duration

4 Days
Course Abstract

This advanced seminar introduces Java developers to the key technologies for developing and deploying secure Web services. The course uses interactive discussions and hands-on exercises to illustrate the XML Signature and XML Encryption standards, the WS-Security specification and its token profiles, and the Security Assertion Markup Language (SAML). Using various case studies, each student will practice signing and encrypting XML message content, and configuring J2EE tools to support signature and encryption of SOAP messages under the Java API for XML-Based RPC (JAX-RPC).

The course emphasizes practical hands-on exercises; participants spend approximately 50% of their classroom time solving specific security problems. The initial exercises focus on XML signature and encryption work using local files; however, the bulk of the work is with running JAX-RPC web services: adding WS-Security headers, signing and encrypting message content, and passing SAML assertions among the various parties in a messaging scenario.

Price

Call for pricing

Objectives

Upon conclusion, participants will have acquired these skills:

  • Learn the role of security with Web services
  • Illustrate HTTP protocols
  • Demonstrate basic HTTP security concepts and authentication schemes
  • Understand JAX-RPC support for HTTP security
  • Compare HTTP and HTTPS
  • Depict the role of encryption and hashing
  • Define the usage of XML signatures
  • Illustrate the JCA architecture
  • Demonstrate the architecture of X.509 Certificates
  • Depict the usage of Keystores and the KeyStore API
  • Understand basics of XML encryption
  • Define WS-Security specification and integration into JAX-RPC services
  • Demonstrate ability to prevent hacker attacks
  • Illustrate the role of SAML
  • Depict the SAML assertion schema and use of SAML tokens

Class Format

Lecture and Lab

Prerequisites

You should be familiar with the basics of the Java language, and experience developing Java Web services with either JAX-RPC or SAAJ is assumed. Additionally, experience with XML is encouraged.

Course Topics

The following list represents the sections and topics discussed in this onsite instructor-led course offering.


Web Services Security

  • Overview
  • Threats and Attacks
  • Solution levels
  • Basic Security Patterns

HTTP Solutions

  • XML solutions
  • Basic encryption
  • Hashing concepts
  • Use of signatures
  • WS-Security
  • Role of SAML

Use of HTTPS

  • Authentication Schemes
    • Basic
    • Digest
    • Form
    • Certificate
  • Role of HTTPS
  • JAX-RPC Support
  • URL security

Using XML Signatures

  • Defining XML digital signatures
  • Java Cryptography Architecture
  • Use of Keystores
  • Using keytool
  • X.509 Certificates
    • Architecture
    • Types
    • Retrieval
    • Distribution
  • X.509 Certificate format
  • Revocation Lists
  • XML Digital Signature API

XML Encryption

  • Basics
  • Using encrypted keys
  • Using JCA Extensions
  • Encrypting and Decrypting XML

WS-Security

  • WS-Security specification
  • W3C relationship
  • Use of Security tokens
  • Role of Timestamps
  • WS-Security tools
  • JAX-RPC integration

Securing Web Services

  • Practical usages
  • Foiling attacks
  • Using Security policies

Security Assertion Markup Language (SAML)

  • Assertion schema
  • Use of Extensibility
  • Assertions and Subjects
  • Components
    • AuthenticationStatement
    • AttributeStatements
    • AuthorizationDecisionStatements
  • Actions
  • SAML Tokens
  • SAML Protocol
    • Request Types
    • Response Types
  • SAML Messaging
  • Standards

Java Authentication and Authorization Service (JAAS)

  • Authentication and Authorization
  • JAAS Overview
  • LoginContext
  • Subjects, Principals, and PrivilegedActions
  • Authentication with the NTLoginModule
  • Defining Permissions in Policy Files
  • KeyStoreLoginModule
  • Callbacks
  • NameCallback and PasswordCallback
  • The Policy Class

Using Java EE Security

  • Authentication
  • Authorization
  • Security Layers
    • Features
    • Topology
    • Protocols
    • SSL
  • Application Server Management
  • LTPA
  • SSO
  • Identity Assertion
  • Declarative Security
    • Security Roles
    • Run-As Delegation
    • Securing resources
    • Creating Constraints
  • Authentication types
    • Form
    • Digest
    • Basic
    • Certificate
  • Trust Association
  • Custom Trust Association Interceptors