GS-35F-0556S

Toll Free 877-932-8228

Skip navigation

Home

Course Catalog

Technology Training

Business Training

Schedule
Pricing & Savings

Training Options

Resources
Certifications

Contests

Webucator Newsletter

About Us

I loved the instructor. She was an expert and a fantastic teacher. She knows exactly how to convey the information... More Testimonials »

Home > Java > Java Web Services > Securing Java Web Services Training

Securing Java Web Services Training

Delivery Options

Customized Onsite Training (4 days): Request a Proposal

Class Description

Class Overview

This advanced course introduces Java developers to key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming, and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertions Markup Language, or SAML. We also look XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications.

These approaches do overlap, and through our primary case studies we present a single, coherent story of assuring confidentiality, integrity and non-repudiation, user authenticity, and proper request authorization with a blend of policy-driven WS-Security, SAML, and even some application-coded digital signature. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity.

Although for practical purposes this course relies on a specific platform, which is Java EE, the great majority of the course content teaches interoperable specifications, and would be equally useful to developers working on other web-service-capable platforms such as .NET -- or to those who work with multiple platforms, and do need to understand the interoperable pieces in detail but perhaps don't need to delve into implementation strategies. In fact, customizations are available that essentially leave out the Java to stick more strictly to the XML.

Class Goals

Understand the unique challenges in securing interoperable XML-based services.
Apply W3C standards to digitally sign and encrypt XML fragments and documents.
Understand the importance of the WS-Security specifications to interoperably secure messaging.
Use state-of-the-art tools to configure or implement signature, encryption, and various WS-Security header content for Java web services.
Drive such WSS implementations from WS-SecurityPolicy documents.
"Vouch for" a user across domains to achieve request authorization without sharing credentials.
Exchange security information between servers, applications, and components, using SAML assertion and protocol models.
Understand the role of XACML in policy management and decision-making.
Understand the WS-Trust and WS-Federation architectures for developing the trust relationships that enable service federations and service-oriented architectures.
Build web applications that participate in SAML federation and single sign-on.

Class Outline

Securing the Service-Oriented Enterprise
1. Security for Web Services
2. Threats
3. CIA Goals
4. Solution Levels: W3C, OASIS, Java EE
5. Scenario: Secure Multi-Party Conversation
6. Cryptography
7. WS-Security and WS-SecurityPolicy
8. Scenario: Sharing Security Information
9. SAML and XACML
10. Scenario: Multiple User Realms
11. Scenario: Single Sign-On
12. Technology Stacks: WS-Federation and Liberty Alliance
13. The WS-I Basic Security Profile
Transport Security
1. Use Case: Secure Transport
2. HTTP Authentication Schemes
3. HTTP BASIC
4. HTTP DIGEST
5. Securing Web-Service URLs
6. HTTPS
7. JAX-WS Support
8. Axis Support
XML Signature
1. Use Case: Non-Repudiation
2. XML Digital Signature
3. Cryptography Backgrounder
4. Canonical XML
5. Enveloped, Enveloping, and Detached Signatures
6. SignedInfo and References
7. The Java Cryptography Architecture
8. Keystores
9. Why Keys Aren't Enough
10. X.509 Certificates and Certificate Chains
11. The KeyStore API
12. Java XML Digital Signature API
13. Steps to Sign and Verify XML Content
14. JAX-WS Message Handlers
15. Foiling the Man in the Middle
XML Encryption
1. Use Case: Confidentiality
2. XML Encryption
3. EncryptedData
4. Element vs. Content Encryption
5. Key Wrapping
6. The Java Cryptography Extensions
7. Apache XML Security
8. Steps to Encrypt and Decrypt XML Content
9. Choosing Algorithms and Key Sizes
WS-Security
1. Use Case: Secure Message Exchange
2. Use Case: User Login
3. The WS-Security Specifications
4. Security Token Types
5. Timestamps
6. Username Tokens
7. Signature and Encryption
8. Tools for WS-Security
9. XWSS and JAAS
10. Foiling Replay Attacks
WS-SecurityPolicy
1. Use Case: Sharing Metadata
2. WS-Policy
3. Normalized vs. Compact Form
4. Policy Attachment
5. Policy Scopes
6. WS-SecurityPolicy
7. Protection Assertions
8. Token Assertions
9. Supporting and Endorsing Tokens
10. Bindings
11. Metro and WSIT
12. Implementing Callbacks
13. Integrating Security Frameworks
Introduction to SAML
1. History of SAML
2. Assertions
3. Protocol
4. Bindings
5. Profiles
6. Using OpenSAML
7. SAML and Web Services
SAML Assertions
1. Use Case: "Vouching for" a User
2. The Assertions Schema
3. Extensibility
4. Assertions and Subjects
5. NameID Types
6. Conditions
7. Subject Confirmation
8. Confirmation Methods
9. AuthntStatement
10. Authentication Contexts
11. AttributeStatement
12. Attribute Profiles
13. AuthzDecisionStatements
14. Actions and Evidence
15. WS-Security and SAML Tokens
16. OpenSAML Assertions Model
17. Creating XML Objects
18. Marshalling and Unmarshalling
SAML Protocol
1. Use Case: Back-Channel Queries
2. Requests, Queries, and Responses
3. Status and StatusCode
4. AuthnQuery
5. AttributeQuery
6. AuthzDecisionQuery
7. Other Request and Response Types
8. OpenSAML Protocol Model
9. SAML and XML Signature
10. SAML and XML Encryption
XACML
1. Use Case: Back-Channel Authorization
2. Use Case: Sharing Authorization Policies
3. Policies, Policy Sets, and Targets
4. Rules
5. Combining Algorithms
6. Policy Context
7. Request and Response Types
8. The SAML Profile of XACML
9. Authorization Decisions via XACML
Securing Federated Services
1. Publish, Find, Bind ... Execute!
2. UDDI
3. WS-BPEL
4. The Trust Problem
5. WS-Trust
6. The Security Token Service
7. Messaging Model: RST and RSTR
8. Derived Keys
9. WS-SecureConversation
10. Secure Conversation Metrics
11. WS-Federation
12. Value Proposition
SAML Bindings
1. Use Case: Speaking "Through" the Browser
2. The SOAP Binding
3. SAML Over HTTP
4. The Browser as Messenger
5. The Redirect, POST, and Artifact Bindings
6. The PAOS Binding
7. The URI Binding
Federated Identity
1. What is Federation?
2. Problems for Identity Federation
3. SAML 2.0 Federations
4. Single Sign-On
5. Account Linking and Persistent Pseudonyms
6. Transient Pseudonyms
7. Name ID Mapping
8. Federation Termination
9. OpenSSO
10. Fedlets

Go To Top

Class Materials

Each student in our Live Online and our Onsite classes receives a comprehensive set of materials, including course notes and all the class examples.

Class Prerequisites

Experience in the following areas is required:

Solid Java programming experience is essential;
Experience developing Java Web services is likewise a hard requirement: labs will assume understanding of both SAAJ and JAX-WS.
Students are expected to be able to read and write XML fluently, and have some familiarity with XML Schema. Consider courses

Technical Requirements

Our computer technical requirements and setup process is easy, with support just a click away.

Onsite course technical requirements and setup instructions.

Go To Top

Java ^®, all Java-based marks, Hibernate ^®, and all Hibernate-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

Quick Links

Locations

Where We've Trained
Some of the Cities in which Webucator has Trained:
1. Phoenix, AZ
2. Pittsburgh, PA
3. Portland, OR
4. Providence, RI
5. Raleigh, NC
6. Sacramento, CA
7. St. Louis, MO
8. San Diego, CA
9. San Francisco, CA
10. San Jose, CA
11. Santa Clara, CA
12. Seattle, WA
13. Sunnyvale, CA
14. Tallahassee, FL
15. Tempe, AZ
16. Toronto, ON
17. Tucson, AZ
18. Tulsa, OK
19. Virginia Beach, VA
20. Washington, DC
1. Fort Worth, TX
2. Hampton, VA
3. Hollywood, FL
4. Houston, TX
5. Huntsville, AL
6. Indianapolis, IN
7. Jacksonville, FL
8. Las Vegas, NV
9. Lexington, KY
10. Los Angeles, CA
11. Louisville, KY
12. Madison, WI
13. Memphis, TN
14. Milwaukee, WI
15. Nashville, TN
16. New York, NY
17. Oklahoma City, OK
18. Omaha, NE
19. Ottawa, ON
20. Philadelphia, PA
1. Amarillo, TX
2. Atlanta, GA
3. Aurora, IL
4. Austin, TX
5. Baltimore, MD
6. Beaumont, TX
7. Boston, MA
8. Buffalo, NY
9. Calgary, AB
10. Cary, NC
11. Chandler, AZ
12. Chicago, IL
13. Cincinnati, OH
14. Cleveland, OH
15. Colorado Springs, CO
16. Columbus, OH
17. Dallas, TX
18. Dayton, OH
19. Denver, CO
20. Detroit, MI
We have trainers all over North America.
1. Indianapolis, IN
2. Boston, MA
3. Silver Spring, MD
4. Portland, ME
5. Detroit, MI
6. Minneapolis, MN
7. Kansas City, MO
8. St. Louis, MO
9. Jackson, MS
10. Charlotte, NC
11. Nashua, NH
12. Atlantic City, NJ
13. Newark, NJ
14. Jersey City, NJ,
15. Reno, NV
16. Philadelphia, PA
17. Calgary, Canada
18. Toronto, Canada
1. Phoenix, AZ
2. Los Angeles, CA
3. Oakland, CA
4. San Diego, CA
5. San Francisco, CA
6. San Jose, CA
7. Santa Clara, CA
8. Sacramento, CA
9. Boulder, CO
10. Denver, CO
11. Hartford, CT
12. Fort Lauderdale, FL
13. Fort Myers, FL
14. Orlando, FL
15. Tallahassee, FL
16. Atlanta, GA
17. Boise, ID
18. Chicago, IL