This advanced course introduces Java developers to key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertion Markup Language, or SAML. We also look at XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications.
Learn the unique challenges in securing interoperable XML-based services. Learn to apply W3C standards to digitally sign and encrypt XML fragments and documents, and understand the importance of the WS-Security specifications for interoperable secure messaging. Learn to use state-of-the-art tools to configure or implement signature, encryption, and various WS-Security header content for Java web services, and to drive such WSS implementations from WS-SecurityPolicy documents. Learn to "vouch for" a user across domains to achieve request authorization without sharing credentials, and to exchange security information between servers, applications, and components using SAML assertion and protocol models. Learn about the role of XACML in policy management and decision-making, and about the WS-Trust and WS-Federation architectures for developing the trust relationships that enable service federations and service-oriented architectures. Learn to build web applications that participate in SAML federation and single sign-on.