
Secure your SOA

Enterprise-grade SOAs require a plan for addressing diverse security needs


Page 2 of 6

This article details the standards and approaches necessary for incorporating the above-mentioned security requirements into an SOA.

XML security standards and SOA

XML is a standards-based choice for representing the above requirements, thus XML security standards can be employed to enable them. XML security standards leverage existing XML standards and also enhance these standards as follows:

  • The XML security standards define XML vocabularies for representing security information, using XML technologies such as XML Schema for their definition—for example, the <KeyInfo> element defined in the XML-Signature Syntax and Processing recommendation, which carries the key information associated with a signature or an encryption.
  • The XML security standards use other existing XML standards where possible to leverage current XML efforts. For example, XML-Signature Syntax and Processing allows XPath expressions to extract portions of XML for processing. It is important to note that this type of selective signature processing was not really possible prior to the established XML security standards; either the entire document was signed or not at all. The XML security standards are designed to offer XML's flexibility and extensibility. They allow security to be applied to XML documents, to XML elements, and element content, as well as to arbitrary binary documents. They support the extension of XML vocabularies through the use of XML namespaces and extensible XML Schema definitions.
  • XML security technologies may be applied to end-to-end security, which is especially important when XML messages are routed through numerous processing intermediaries. Persistent security is associated with the content, rather than with a transport pipe. The security remains with the content. XML security technologies may be also used in conjunction with transport security technologies, such as Secure Sockets Layer and Transport Layer Security (SSL/TLS). Another point to note here is that identities designed for SSO capabilities travel with the message as well.
  • XML security technologies reuse existing cryptographic and security technologies whenever possible, without reinventing the wheel. For example, X.509 V3 certificates are used without redefinition when needed—they are simply encoded in a text format. Existing algorithms, such as the SHA1 digest algorithm, are also brought into the XML security standards world by associating unique URI identifiers with them and defining how they may be used in the XML security processing models. It is important to note that URI identifiers are used pervasively in XML security for encryption and signature algorithms as well, not just hashing.
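The points above (selective signing of one element, a <KeyInfo> block travelling with the message, and algorithms named by URI) can be seen together in the JDK's built-in XML Signature API (javax.xml.crypto.dsig, Java 11 or later). The following is an added example written for this page, not code from the original article; the message, the element names and the Id value "order-1" are constructed for illustration. It signs only the <Order> element of a message, leaves <Routing> free for intermediaries to rewrite, and then verifies with a key the receiver already trusts rather than with the key that arrived inside <KeyInfo>:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SelectiveXmlSignatureDemo {

    // Constructed sample message. Only <Order> is signed; <Routing> is left for intermediaries.
    static final String MESSAGE =
        "<Envelope>"
      + "<Routing><Hop>gateway-a</Hop></Routing>"
      + "<Order Id=\"order-1\"><Item>widget</Item><Qty>3</Qty></Order>"
      + "</Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DTDs so untrusted input cannot drive entity expansion or external entity fetches.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element order(Document doc) {
        Element e = (Element) doc.getElementsByTagName("Order").item(0);
        e.setIdAttribute("Id", true);   // lets the URI="#order-1" reference resolve
        return e;
    }

    /** Signs only <Order>, placing ds:Signature as a sibling of it under <Envelope>. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        order(doc);
        // Digest, transform and signature algorithms are all identified by URI constants.
        Reference ref = fac.newReference("#order-1",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(
                CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                                          (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // <KeyInfo> carries the public key with the message; it is a hint, not proof of trust.
        XMLSignature sig = fac.newXMLSignature(si,
            kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))));
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Verifies with a key the receiver already trusts and checks the signature covers <Order>. */
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;            // exactly one signature expected
        order(doc);
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(trusted), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // The reference must point at the element the application will act on;
        // a valid signature over some other element proves nothing about <Order>.
        boolean coversOrder = sig.getSignedInfo().getReferences().size() == 1
            && "#order-1".equals(((Reference) sig.getSignedInfo().getReferences().get(0)).getURI());
        return coversOrder && sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(MESSAGE);
        sign(doc, kp);
        System.out.println("fresh message verifies:     " + verify(doc, kp.getPublic()));

        // An intermediary may rewrite routing data without breaking the signature ...
        doc.getElementsByTagName("Hop").item(0).setTextContent("gateway-b");
        System.out.println("after routing change:       " + verify(doc, kp.getPublic()));

        // ... but any change to the signed <Order> content is detected.
        doc.getElementsByTagName("Qty").item(0).setTextContent("300");
        System.out.println("after tampering with order: " + verify(doc, kp.getPublic()));
    }
}
```

The receiver deliberately ignores the <KeyInfo> that travelled with the message and validates against a key it trusts through some other channel (a certificate store, or an XKMS lookup as discussed later in the article); a message can always carry a key that matches its own signature. The check on the Reference URI matters for the same reason: a signature that validates but covers a different element than the one the application reads gives no assurance about that element.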


The core XML security standards are:

  • XML Encryption
  • XML-Signature Syntax and Processing
  • Digital certificates
  • XML Key Management (XKMS)

XML Encryption, a World Wide Web Consortium (W3C) specification, provides end-to-end security for applications that require secure exchange of structured data. Because XML is the most widely used technology for structuring data, XML-based encryption is the natural way to handle complex requirements for security in data interchange applications.
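As an added illustration of the element-level confidentiality XML Encryption gives (this is example code for this page, not code from the original article), the block below encrypts only the <Payment> element of a constructed message so that routing data stays readable at intermediaries while the card data stays opaque end to end. The JDK has no XML Encryption implementation, so the example assumes the Apache Santuario library (Maven artifact org.apache.santuario:xmlsec, 2.x) on the classpath; the element names and the key handling are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SelectiveXmlEncryptionDemo {

    // Constructed sample: <Payment> must stay confidential end to end,
    // while <Routing> stays readable for every intermediary on the path.
    static final String MESSAGE =
        "<Envelope>"
      + "<Routing><Hop>gateway-a</Hop></Routing>"
      + "<Payment><Card>4111111111111111</Card><Amount>42.00</Amount></Payment>"
      + "</Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Replaces <Payment> with an xenc:EncryptedData element; the rest of the document is untouched. */
    static void encryptPayment(Document doc, SecretKey key) throws Exception {
        Element payment = (Element) doc.getElementsByTagName("Payment").item(0);
        // The algorithm is identified by URI (http://www.w3.org/2009/xmlenc11#aes128-gcm).
        // GCM is authenticated: ciphertext altered in transit fails decryption instead of
        // silently producing garbage, as unauthenticated CBC modes would.
        XMLCipher cipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM);
        cipher.init(XMLCipher.ENCRYPT_MODE, key);
        cipher.doFinal(doc, payment, false);   // false: encrypt the whole element, not only its content
    }

    /** Finds the EncryptedData element and restores the original <Payment> in place. */
    static void decryptPayment(Document doc, SecretKey key) throws Exception {
        Element encData = (Element) doc.getElementsByTagNameNS(
            EncryptionConstants.EncryptionSpecNS, EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
        XMLCipher cipher = XMLCipher.getInstance();   // algorithm is read from EncryptionMethod
        cipher.init(XMLCipher.DECRYPT_MODE, key);
        cipher.doFinal(doc, encData);
    }

    static boolean elementPresent(Document doc, String name) {
        return doc.getElementsByTagName(name).getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Init.init();                               // Santuario must be initialised once per JVM
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        // Constructed shared key. In a deployed SOA the content key would travel wrapped in an
        // xenc:EncryptedKey for the recipient, or be located through XKMS, not be shared out of band.
        SecretKey key = kg.generateKey();

        Document doc = parse(MESSAGE);
        encryptPayment(doc, key);
        System.out.println("<Card> visible after encryption:    " + elementPresent(doc, "Card"));    // false
        System.out.println("<Hop> visible after encryption:     " + elementPresent(doc, "Hop"));     // true
        System.out.println("EncryptedData present:              " + elementPresent(doc, "xenc:EncryptedData"));

        decryptPayment(doc, key);
        System.out.println("<Card> restored after decryption:   " + elementPresent(doc, "Card"));    // true
    }
}
```

Because the ciphertext replaces the element inside the document rather than wrapping the whole transport, the protection stays with the content through every hop, which is the persistent, end-to-end property the article contrasts with SSL/TLS. Choosing an authenticated algorithm such as AES-GCM is the practical caveat: XML Encryption also defines unauthenticated CBC modes, and with those a receiver cannot tell modified ciphertext from genuine ciphertext without a separate signature over the encrypted element.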


Resources