Securing Java Web Services Training


Course Outline

This advanced course introduces Java developers to the key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertion Markup Language, or SAML. We also look at XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications.

These approaches do overlap, and through our primary case studies we present a single, coherent story of assuring confidentiality, integrity and non-repudiation, user authenticity, and proper request authorization with a blend of policy-driven WS-Security, SAML, and even some application-coded digital signatures. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity.

Although for practical purposes this course relies on a specific platform, which is Java EE, the great majority of the course content teaches interoperable specifications, and would be equally useful to developers working on other web-service-capable platforms such as .NET -- or to those who work with multiple platforms, and do need to understand the interoperable pieces in detail but perhaps don't need to delve into implementation strategies. In fact, customizations are available that essentially leave out the Java to stick more strictly to the XML.

  1. Securing the Service-Oriented Enterprise
    1. Security for Web Services
    2. Threats
    3. CIA Goals
    4. Solution Levels: W3C, OASIS, Java EE
    5. Scenario: Secure Multi-Party Conversation
    6. Cryptography
    7. WS-Security and WS-SecurityPolicy
    8. Scenario: Sharing Security Information
    9. SAML and XACML
    10. Scenario: Multiple User Realms
    11. Scenario: Single Sign-On
    12. Technology Stacks: WS-Federation and Liberty Alliance
    13. The WS-I Basic Security Profile
  2. Transport Security
    1. Use Case: Secure Transport
    2. HTTP Authentication Schemes
    3. Securing Web-Service URLs
    4. HTTPS
    5. JAX-WS Support
    6. Axis Support
  3. XML Signature
    1. Use Case: Non-Repudiation
    2. XML Digital Signature
    3. Cryptography Backgrounder
    4. Canonical XML
    5. Enveloped, Enveloping, and Detached Signatures
    6. SignedInfo and References
    7. The Java Cryptography Architecture
    8. Keystores
    9. Why Keys Aren't Enough
    10. X.509 Certificates and Certificate Chains
    11. The KeyStore API
    12. Java XML Digital Signature API
    13. Steps to Sign and Verify XML Content
    14. JAX-WS Message Handlers
    15. Foiling the Man in the Middle
  4. XML Encryption
    1. Use Case: Confidentiality
    2. XML Encryption
    3. EncryptedData
    4. Element vs. Content Encryption
    5. Key Wrapping
    6. The Java Cryptography Extensions
    7. Apache XML Security
    8. Steps to Encrypt and Decrypt XML Content
    9. Choosing Algorithms and Key Sizes
  5. WS-Security
    1. Use Case: Secure Message Exchange
    2. Use Case: User Login
    3. The WS-Security Specifications
    4. Security Token Types
    5. Timestamps
    6. Username Tokens
    7. Signature and Encryption
    8. Tools for WS-Security
    9. XWSS and JAAS
    10. Foiling Replay Attacks
  6. WS-SecurityPolicy
    1. Use Case: Sharing Metadata
    2. WS-Policy
    3. Normalized vs. Compact Form
    4. Policy Attachment
    5. Policy Scopes
    6. WS-SecurityPolicy
    7. Protection Assertions
    8. Token Assertions
    9. Supporting and Endorsing Tokens
    10. Bindings
    11. Metro and WSIT
    12. Implementing Callbacks
    13. Integrating Security Frameworks
  7. Introduction to SAML
    1. History of SAML
    2. Assertions
    3. Protocol
    4. Bindings
    5. Profiles
    6. Using OpenSAML
    7. SAML and Web Services
  8. SAML Assertions
    1. Use Case: "Vouching for" a User
    2. The Assertions Schema
    3. Extensibility
    4. Assertions and Subjects
    5. NameID Types
    6. Conditions
    7. Subject Confirmation
    8. Confirmation Methods
    9. AuthnStatement
    10. Authentication Contexts
    11. AttributeStatement
    12. Attribute Profiles
    13. AuthzDecisionStatements
    14. Actions and Evidence
    15. WS-Security and SAML Tokens
    16. OpenSAML Assertions Model
    17. Creating XML Objects
    18. Marshalling and Unmarshalling
  9. SAML Protocol
    1. Use Case: Back-Channel Queries
    2. Requests, Queries, and Responses
    3. Status and StatusCode
    4. AuthnQuery
    5. AttributeQuery
    6. AuthzDecisionQuery
    7. Other Request and Response Types
    8. OpenSAML Protocol Model
    9. SAML and XML Signature
    10. SAML and XML Encryption
  10. XACML
    1. Use Case: Back-Channel Authorization
    2. Use Case: Sharing Authorization Policies
    3. Policies, Policy Sets, and Targets
    4. Rules
    5. Combining Algorithms
    6. Policy Context
    7. Request and Response Types
    8. The SAML Profile of XACML
    9. Authorization Decisions via XACML
  11. Securing Federated Services
    1. Publish, Find, Bind ... Execute!
    2. UDDI
    3. WS-BPEL
    4. The Trust Problem
    5. WS-Trust
    6. The Security Token Service
    7. Messaging Model: RST and RSTR
    8. Derived Keys
    9. WS-SecureConversation
    10. Secure Conversation Metrics
    11. WS-Federation
    12. Value Proposition
  12. SAML Bindings
    1. Use Case: Speaking "Through" the Browser
    2. The SOAP Binding
    3. SAML Over HTTP
    4. The Browser as Messenger
    5. The Redirect, POST, and Artifact Bindings
    6. The PAOS Binding
    7. The URI Binding
  13. Federated Identity
    1. What is Federation?
    2. Problems for Identity Federation
    3. SAML 2.0 Federations
    4. Single Sign-On
    5. Account Linking and Persistent Pseudonyms
    6. Transient Pseudonyms
    7. Name ID Mapping
    8. Federation Termination
    9. OpenSSO
    10. Fedlets

InterSource Geneva, a premier Information Technology training firm, offers over 400 different courses on server, database and programming technologies, as well as end-user classes for the most popular office, graphics and design applications. We serve clients in Switzerland (Geneva, Lausanne, Bern, Basel, Zurich) and throughout Europe (France, Germany, Austria, Finland, Sweden, England, Netherlands, Spain, etc.).

InterSource offers custom, private courses at client sites, standard public courses in our Geneva classroom, and online training via live Web conference. Training is offered in English and many other languages (Français, Deutsch, Español, Italiano).

For an overall view of our offerings, please visit us at