SOAP “Simple” Object Access Protocol
Will Cameron, CSC 8530, November 9, 2006, Student Presentation 2


Page 1: SOAP “Simple” Object Access Protocol (title slide)

Will Cameron
CSC 8530
November 9, 2006
Student Presentation 2

Page 2: What is SOAP?

► XML to define an extensible messaging framework
► Providing a message construct that can be exchanged over a variety of underlying protocols (HTTP, SMTP)
► “The framework has been designed to be independent of any particular programming model and other implementation specific semantics.”
► Design Goals: Simplicity and extensibility
► Goals attempted through omission of features “often found in distributed systems”, including
    - “Reliability”
    - “Security”
    - “Correlation”
    - “Routing”
    - “Message Exchange Patterns” (MEPs)
► Only two in SOAP 1.2 Spec
    - Many features can be defined, also through extensions by other specs, implementations, open ended

Page 3: SOAP Background

► “Designed by Dave Winer, Don Box, Bob Atkinson, and Mohsen Al-Ghosein in 1998” with Microsoft support
► “as an object-access protocol”
► “The SOAP specification is currently maintained by the XML Protocol Working Group of the World Wide Web Consortium.”

Page 4: Transport

► RPC XML capability using XML and HTTP
► “SOAP works well with network firewalls”
► “A major advantage over other distributed protocols like GIOP/IIOP or DCOM which are normally filtered by firewalls”
► “XML as the standard message format”
► Given “its widespread use by major corporations and open source development efforts”
► The lengthy XML syntax can be both a benefit and a drawback.

Page 5: Transport Weaknesses

► Its format is possible for humans to read, but can be complex and can have slow processing times
► Because of its lengthy XML format, SOAP can be slower than competing middleware technologies such as CORBA.
► “For example, CORBA, GIOP and DCOM use much shorter, binary message formats”
► However “hardware appliances are available to accelerate processing of XML messages”
► “Binary XML is also being explored as a means for streamlining the throughput requirements of XML...”
► Dependence on Web Services Description Language (WSDL)
► “no standard way to dynamically discover the services (methods, parameters) offered, nor to get a WSDL for a particular endpoint.”
► (http://en.wikipedia.org/wiki/SOAP)

Page 6: Data Encapsulation

► A SOAP message, the Basic Unit of Communication
► A Required Envelope element that “identifies the XML document as a SOAP”
    - A [local name] of Envelope.
    - A [namespace name] of "http://www.w3.org/2003/05/soap-envelope".
    - Zero or more namespace qualified attribute information items amongst its [attributes] property.
► An optional header, must be directly after the envelope
► A required body containing the “element information items” targeted at a SOAP receiver in the message path
► An optional fault element
    - A mandatory Code element information item
    - A mandatory Reason element information item
        ► Human readable reason for fault
    - Optional Role element information item
        ► Role the node was operating in at the point the fault occurred
    - Optional Detail element information item
        ► intended for carrying application specific error information related to the SOAP Body.
► To SOAP, a URI is simply a formatted string that identifies a web resource via its name, location, or any other characteristics.

Page 7: Sample Fault Message (figure)
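The envelope and fault structure described on the previous slide, worked as an added example that is not part of the original presentation: the structural rules (Envelope local name and namespace, Header directly after Envelope, exactly one Body) are checked, and the mandatory Code/Reason and optional Role/Detail items are pulled out of a Fault. The sample messages are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"

def q(local):
    """Clark-notation name in the SOAP 1.2 envelope namespace."""
    return "{%s}%s" % (SOAP_ENV, local)

def check_envelope(xml_text):
    """Return a list of structural problems; an empty list means the outer structure is valid SOAP 1.2."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("Envelope"):
        # Wrong local name or wrong namespace (for instance a SOAP 1.1 envelope)
        return ["root is %s, expected Envelope in %s" % (root.tag, SOAP_ENV)]
    tags = [child.tag for child in root]          # element children, in document order
    if tags.count(q("Body")) != 1:
        problems.append("exactly one Body is required")
    if q("Header") in tags and tags[0] != q("Header"):
        problems.append("Header must come directly after the Envelope start tag")
    for t in tags:
        if t not in (q("Header"), q("Body")):
            problems.append("unexpected Envelope child %s" % t)
    return problems

def parse_fault(xml_text):
    """Return Code/Reason (mandatory) and Role/Detail (optional) of a Fault, or None if the Body has no Fault."""
    root = ET.fromstring(xml_text)
    fault = root.find("./%s/%s" % (q("Body"), q("Fault")))
    if fault is None:
        return None
    code = fault.find("./%s/%s" % (q("Code"), q("Value")))
    reason = fault.find("./%s/%s" % (q("Reason"), q("Text")))
    if code is None or reason is None:
        raise ValueError("Fault must carry both Code and Reason")
    role = fault.find(q("Role"))
    detail = fault.find(q("Detail"))
    return {
        "code": code.text.strip(),
        "reason": reason.text.strip(),
        "role": None if role is None else role.text.strip(),
        "detail": None if detail is None else [c.tag for c in detail],  # application-specific children
    }

# Constructed sample: a SOAP 1.2 fault laid out as the slide describes
FAULT_MSG = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header/>
  <env:Body>
    <env:Fault>
      <env:Code><env:Value>env:Sender</env:Value></env:Code>
      <env:Reason><env:Text xml:lang="en">Missing tickerSymbol</env:Text></env:Reason>
      <env:Role>http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver</env:Role>
      <env:Detail><e:err xmlns:e="http://example.com/stockquote">no symbol</e:err></env:Detail>
    </env:Fault>
  </env:Body>
</env:Envelope>"""

# Constructed sample: SOAP 1.1 namespace, so it is not a SOAP 1.2 message
SOAP11_MSG = '<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body/></Envelope>'

if __name__ == "__main__":
    print(check_envelope(FAULT_MSG), parse_fault(FAULT_MSG))
    print(check_envelope(SOAP11_MSG))
```

For messages from untrusted peers, a receiver would additionally parse with entity expansion and external entities disabled, which the standard ElementTree parser used here does not do by itself.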

Page 8: SOAP and WSDL

► Web Service Definition Language
    - XML to define the public interface to a SOAP web service
    - Whereas RMI can look up the name of a service in the registry, SOAP can find the public interface in a web accessible WSDL file
    - In Axis2 WSDLs can be used to generate a skeleton
    - JWSDL Java API for manipulating WSDL
    - Apache proposing its own version Woden

Page 9: WSDL

► Requestor locates WSDL document on the server
► Downloaded to the requestor
► WSDL examined by the requestor; based upon what is found, a SOAP request or requests (invocation) is sent out to the Web service provider

Page 10: WSDL Document

► Describes the services, where it can be located, instructions on how to bind and run
► Can be retrieved from a UDDI directory, HTTP requests, or even email
► <type> <message>: The web service itself
► <binding>: How info will be passed
► <portType>: Describe the operations
► <service>: Describes the location

    <service name="StockQuoteService">
      <documentation>My first service</documentation>
      <port name="StockQuotePort" binding="tns:StockQuoteBinding">
        <soap:address location="http://example.com/stockquote"/>
      </port>
    </service>

Page 11: WSDL Example Snippet

    <definitions name="StockQuote">
      <types>
        <schema targetNamespace="http://example.com/stockquote.xsd"
                xmlns="http://www.w3.org/2000/10/XMLSchema">
          <element name="TradePriceRequest">
            <complexType>
              <all>
                <element name="tickerSymbol" type="string"/>
              </all>
            </complexType>
          </element>
          <element name="TradePrice">
            <complexType>
              <all>
                <element name="price" type="float"/>
              </all>
            </complexType>
          </element>
        </schema>
      </types>

      <message name="GetLastTradePriceInput">
        <part name="body" element="xsd1:TradePriceRequest"/>
      </message>

      <message name="GetLastTradePriceOutput">
        <part name="body" element="xsd1:TradePrice"/>
      </message>
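Added example, not from the slides or from the W3C WSDL note: the step the requestor performs on pages 9 to 11, reading operations, message parts and the endpoint address out of a WSDL 1.1 document. The WSDL below is constructed, modelled on the StockQuote snippet (with the 2001 XML Schema namespace and a deliberately dangling message); the check that every part references an element declared under <types> goes beyond what the slides describe.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAPB = "http://schemas.xmlsoap.org/wsdl/soap/"   # SOAP binding extension namespace
XSD = "http://www.w3.org/2001/XMLSchema"

def local(qname):
    """Strip the namespace prefix from a 'tns:Name' style reference (a strict reader would resolve it)."""
    return qname.split(":")[-1]

def describe_wsdl(wsdl_text):
    """Summarise what a requestor needs: operations with their message parts, endpoints, and dangling references."""
    root = ET.fromstring(wsdl_text)
    # Element declarations under <types>: the only things a <part element="..."> may legitimately point at
    declared = {e.get("name") for e in root.iter("{%s}element" % XSD) if e.get("name")}
    problems, messages = [], {}
    for m in root.findall("{%s}message" % WSDL):
        parts = [p.get("element") for p in m.findall("{%s}part" % WSDL)]
        for ref in parts:
            if local(ref) not in declared:
                problems.append("message %s references undeclared element %s" % (m.get("name"), ref))
        messages[m.get("name")] = parts
    operations = {}
    for pt in root.findall("{%s}portType" % WSDL):
        for op in pt.findall("{%s}operation" % WSDL):
            io = {}
            for direction in ("input", "output"):
                ref = op.find("{%s}%s" % (WSDL, direction))
                io[direction] = None if ref is None else messages.get(local(ref.get("message")))
            operations[op.get("name")] = io
    endpoints = {}
    for svc in root.findall("{%s}service" % WSDL):
        for port in svc.findall("{%s}port" % WSDL):
            addr = port.find("{%s}address" % SOAPB)
            endpoints[port.get("name")] = None if addr is None else addr.get("location")
    return {"operations": operations, "endpoints": endpoints, "problems": problems}

# Constructed WSDL modelled on the StockQuote snippet; BrokenInput is deliberately dangling
SAMPLE_WSDL = """<definitions name="StockQuote" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:example:stockquote"
    xmlns:xsd1="http://example.com/stockquote.xsd" targetNamespace="urn:example:stockquote">
  <types>
    <schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://example.com/stockquote.xsd">
      <element name="TradePriceRequest"/>
      <element name="TradePrice"/>
    </schema>
  </types>
  <message name="GetLastTradePriceInput"><part name="body" element="xsd1:TradePriceRequest"/></message>
  <message name="GetLastTradePriceOutput"><part name="body" element="xsd1:TradePrice"/></message>
  <message name="BrokenInput"><part name="body" element="xsd1:NoSuchElement"/></message>
  <portType name="StockQuotePortType">
    <operation name="GetLastTradePrice">
      <input message="tns:GetLastTradePriceInput"/><output message="tns:GetLastTradePriceOutput"/>
    </operation>
  </portType>
  <service name="StockQuoteService">
    <port name="StockQuotePort" binding="tns:StockQuoteBinding">
      <soap:address location="http://example.com/stockquote"/>
    </port>
  </service>
</definitions>"""
if __name__ == "__main__":
    print(describe_wsdl(SAMPLE_WSDL))
```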

Page 12: Sending and Receiving Elements

► SOAP Sender
► SOAP Receiver
► SOAP message path
► SOAP intermediary
    - Both a receiver and sender, target-able from a SOAP message
    - Processes header blocks and forwards the message to an
► Ultimate SOAP receiver

Page 13: SOAP Defined Message Exchange Patterns

► Request-Response Message Exchange Pattern
    - Details of which left to the implementer (synchronous, asynchronous, etc)
► SOAP Response Message Exchange Pattern
    - non-SOAP (no envelope) message acting as a request followed by a SOAP message acting as a response.

Page 14: Axis2 Implemented Message Patterns

► Flexibility to support multiple exchange patterns
► Reflects the fact that web services are moving from mostly synchronous RPC style interactions to a message-oriented approach
► Encourages both synchronous and asynchronous interactions.

Page 15: Why is SOAP message-level security needed?

► No security is required in either HTTP, XML, or SOAP
► One major motivation for SOAP is its ability to get through firewalls
► When there are already transport layer security mechanisms such as SSL/TLS and IPSec
► End-to-end Security
    - A SOAP message may go to intermediate nodes
    - An intermediate node can receive and transmit
    - Secure transport protocols such as SSL/TLS can assure the security of messages during transmission
    - secure end-to-end communication is not possible if intermediaries are not trusted
    - Also compromised if any communication link is not secured

Page 16: Securing SOAP

► Need application layer security
► Any point where messages are in plain text can be a potential point of attack
► Difficult to integrate cryptographic functionality without introducing more security holes
► Commercial cryptographic libraries are usually extremely flexible to meet many different levels of security requirements
► Using them properly may require good understanding of cryptographic technologies
► Often desirable to have security functionality as close to the application level as possible but not built into the application itself.

Page 17: Transport Independence

► An intended use of SOAP intermediaries is to forward messages to different networks, often using different transport protocols
► Even if links are secured and the intermediaries can be trusted
    - security information needs to be translated to the next secure transport protocol along the message path
    - Could be tedious and complex, which may lead to security breaches
    - such as the authenticity of the originator of the message

Page 18: Securing SOAP (figure)

Page 19: Security of Stored Messages

► Transport layer security secures data when it is traveling on communication links
► It has no effect on stored data
► Once a transmission is received and decrypted, transport layer security does not help much
► Where messages are stored and then forwarded, message layer security is necessary
► Application messages are often stored for logging and auditing purposes
► Having cryptographic protection on such persistent data may be necessary anyway
    - SOAP security extensions proposed here can be used for this purpose as well.

Page 20: Digital Signatures

► W3C submission defines a security Digital Signature header syntax
► digital signatures alone do not provide message authentication
► must be combined with means to ensure the uniqueness of the message, such as nonces or time stamps
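The point above, that a valid signature proves origin and integrity but not that the message is fresh, worked as an added example that is not from the slides or from the W3C submission: a receiver checks the signature together with a Created timestamp window and a cache of nonces already accepted, so the same signed message presented twice is refused. HMAC-SHA256 over the canonicalised body stands in for XML Signature, and the Created/Nonce/Signature header elements live in a constructed namespace rather than the real WS-Security schema.

```python
import hashlib, hmac, os, time
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
SIG_NS = "urn:example:soap-sig"   # constructed header namespace, not the WS-Security schema
FRESHNESS = 300                   # seconds a Created timestamp stays acceptable

def _mac(key, created, nonce, body_c14n):
    # HMAC-SHA256 over timestamp, nonce and canonicalised body stands in for XML Signature
    return hmac.new(key, "|".join((created, nonce, body_c14n)).encode(), hashlib.sha256).hexdigest()

def build_signed_envelope(body_xml, key, created=None, nonce=None):
    """Wrap body_xml in an Envelope whose Header carries Created, Nonce and the signature."""
    created = str(int(time.time() if created is None else created))
    nonce = nonce or os.urandom(16).hex()
    sig = _mac(key, created, nonce, ET.canonicalize(body_xml))   # C14N 2.0 from the stdlib
    return ('<env:Envelope xmlns:env="%s" xmlns:s="%s"><env:Header>'
            '<s:Created>%s</s:Created><s:Nonce>%s</s:Nonce><s:Signature>%s</s:Signature>'
            '</env:Header><env:Body>%s</env:Body></env:Envelope>'
            % (SOAP_ENV, SIG_NS, created, nonce, sig, body_xml))

class Verifier:
    """Receiver-side state: the shared key, a clock, and the nonces already accepted."""
    def __init__(self, key, now=time.time):
        self.key, self.now, self.seen = key, now, set()

    def verify(self, envelope_xml):
        """Return (accepted, reason). Authenticate first, so unsigned input cannot fill the nonce cache."""
        root = ET.fromstring(envelope_xml)
        hdr = root.find("{%s}Header" % SOAP_ENV)
        body = root.find("{%s}Body" % SOAP_ENV)
        if hdr is None or body is None or len(body) != 1:
            return False, "malformed envelope"
        created, nonce, sig = (hdr.findtext("{%s}%s" % (SIG_NS, n)) for n in ("Created", "Nonce", "Signature"))
        if not (created and nonce and sig):
            return False, "missing Created/Nonce/Signature"
        body_c14n = ET.canonicalize(ET.tostring(body[0], encoding="unicode"))
        if not hmac.compare_digest(_mac(self.key, created, nonce, body_c14n), sig):
            return False, "bad signature"        # tampered body/header or wrong key
        if abs(self.now() - int(created)) > FRESHNESS:
            return False, "stale timestamp"      # outside the freshness window
        if nonce in self.seen:
            return False, "replayed nonce"       # signature is valid, but this exact message was seen before
        self.seen.add(nonce)
        return True, "ok"

# Constructed request body (no namespaces, so the canonical form is the text itself)
BODY = "<GetLastTradePrice><tickerSymbol>IBM</tickerSymbol></GetLastTradePrice>"

if __name__ == "__main__":
    key = b"constructed-shared-key"
    v = Verifier(key)
    msg = build_signed_envelope(BODY, key)
    print(v.verify(msg))   # accepted
    print(v.verify(msg))   # same bytes again: replayed nonce
```

The nonce set only needs to hold nonces younger than FRESHNESS, since anything older is already refused by the timestamp check.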

Page 21: Web Services Security Model

► Defined by OASIS to secure SOAP
► Through message integrity, message confidentiality, and single message authentication
► Mechanisms can be combined to allow a wide variety of security models using a variety of cryptographic technologies
► Also provides a general-purpose mechanism for associating security tokens with messages
► Describes how to encode Username Tokens, X.509 Tokens, SAML Tokens, REL Tokens and Kerberos Tokens
► Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the appropriate sender and were not modified in transit
► Message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential

Page 22: WS Security Model

► Security Tokens
    - Authority can sign/encrypt token, X.509 Cert
    - Signatures verify message origin and integrity
    - Additional measures needed to protect against attacks
    - Security context must be understood
    - Certificate evaluation must be incorporated for digital signatures

Page 23: Conclusions

► SOAP is an effective and flexible distributed communications specification
► There are many security concerns which must be carefully considered within the application context
► Issues ironically rise out of the firewall traversing use of HTTP

Page 24: References

► What's New in SOAP 1.2: http://www.idealliance.org/papers/xmle02/dx_xmle02/papers/02-02-02/02-02-02.html
► SOAP 1.1, 1.2: http://www.idealliance.org/papers/xmle02/dx_xmle02/papers/02-02-02/02-02-02.html and http://www.w3.org/TR/2003/REC-soap12-part1-20030624/
► Java APIs for WSDL: http://jcp.org/aboutJava/communityprocess/mrel/jsr110/index2.html
► An inside look at WSDL: http://searchwebservices.techtarget.com/tip/1,289483,sid26_gci811272,00.html
► Web Services Description Language W3C Note: http://www.w3.org/TR/wsdl
► Introduction to Apache Axis 2: http://www.redhat.com/magazine/021jul06/features/apache_axis2/
► Axis2 Users’ Guide: http://ws.apache.org/axis2/1_0/userguide3.html
► SOAP Security Extensions: Digital Signature: http://www.w3.org/TR/SOAP-dsig/
► Web Services Security: http://www-128.ibm.com/developerworks/library/specification/ws-secure/