Securing Java Web Services Training in Lansing

Enroll in or hire us to teach our Securing Java Web Services class in Lansing, Michigan by calling us @303.377.6176. Like all HSG classes, Securing Java Web Services may be offered either onsite or via instructor led virtual training. Consider looking at our public training schedule to see if it is scheduled: Public Training Classes
Provided there are enough attendees, Securing Java Web Services may be taught at one of our local training facilities.

Answers to Popular Questions:

Yes, this class can be tailored to meet your specific training needs.
Yes, we provide consulting services.
Yes, group discounts are provided.

Course Description

This advanced course introduces Java developers to key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming, and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertion Markup Language, or SAML. We also look at XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications. These approaches do overlap, and through our primary case studies we present a single, coherent story of assuring confidentiality, integrity and non-repudiation, user authenticity, and proper request authorization with a blend of policy-driven WS-Security, SAML, and even some application-coded digital signatures. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity. Although for practical purposes this course relies on a specific platform, Java EE, the great majority of the course content teaches interoperable specifications, and would be equally useful to developers working on other web-service-capable platforms such as .NET -- or to those who work with multiple platforms and need to understand the interoperable pieces in detail but perhaps don't need to delve into implementation strategies. In fact, customizations are available that essentially leave out the Java to stick more strictly to the XML.
Course Length: 5 Days
Course Tuition: $2090 (US)


Solid Java programming experience is essential.

Course Outline


Chapter 1. Securing the Service-Oriented Enterprise
Security for Web Services
CIA Goals
Solution Levels: W3C, OASIS, Java EE
Scenario: Secure Multi-Party Conversation
WS-Security and WS-SecurityPolicy
Scenario: Sharing Security Information
Scenario: Multiple User Realms
Scenario: Single Sign-On
Technology Stacks: WS-Federation and Liberty Alliance
The WS-I Basic Security Profile

Chapter 2. Transport Security
Use Case: Secure Transport
HTTP Authentication Schemes
Securing Web-Service URLs
JAX-WS Support
Axis Support

Chapter 3. XML Signature
Use Case: Non-Repudiation
XML Digital Signature
Cryptography Backgrounder
Canonical XML
Enveloped, Enveloping, and Detached Signatures
SignedInfo and References
The Java Cryptography Architecture
Why Keys Aren't Enough
X.509 Certificates and Certificate Chains
The KeyStore API
Java XML Digital Signature API
Steps to Sign and Verify XML Content
JAX-WS Message Handlers
Foiling the Man in the Middle

Chapter 4. XML Encryption
Use Case: Confidentiality
XML Encryption
Element vs. Content Encryption
Key Wrapping
The Java Cryptography Extensions
Apache XML Security
Steps to Encrypt and Decrypt XML Content
Choosing Algorithms and Key Sizes

Chapter 5. WS-Security
Use Case: Secure Message Exchange
Use Case: User Login
The WS-Security Specifications
Security Token Types
Username Tokens
Signature and Encryption
Tools for WS-Security
Foiling Replay Attacks

Chapter 6. WS-SecurityPolicy
Use Case: Sharing Metadata
Normalized vs. Compact Form
Policy Attachment
Policy Scopes
Protection Assertions
Token Assertions
Supporting and Endorsing Tokens
Metro and WSIT
Implementing Callbacks
Integrating Security Frameworks

Chapter 7. Introduction to SAML
History of SAML
Using OpenSAML
SAML and Web Services

Chapter 8. SAML Assertions
Use Case: "Vouching for" a User
The Assertions Schema
Assertions and Subjects
NameID Types
Subject Confirmation
Confirmation Methods
Authentication Contexts
Attribute Profiles
Actions and Evidence
WS-Security and SAML Tokens
OpenSAML Assertions Model
Creating XML Objects
Marshalling and Unmarshalling

Chapter 9. SAML Protocol
Use Case: Back-Channel Queries
Requests, Queries, and Responses
Status and StatusCode
Other Request and Response Types
OpenSAML Protocol Model
SAML and XML Signature
SAML and XML Encryption

Chapter 10. XACML
Use Case: Back-Channel Authorization
Use Case: Sharing Authorization Policies
Policies, Policy Sets, and Targets
Combining Algorithms
Policy Context
Request and Response Types
The SAML Profile of XACML
Authorization Decisions via XACML

Chapter 11. Securing Federated Services
Publish, Find, Bind ... Execute!
The Trust Problem
The Security Token Service
Messaging Model: RST and RSTR
Derived Keys
Secure Conversation Metrics
Value Proposition

Chapter 12. SAML Bindings
Use Case: Speaking "Through" the Browser
The SOAP Binding
The Browser as Messenger
The Redirect, POST, and Artifact Bindings
The PAOS Binding
The URI Binding

Chapter 13. Federated Identity
What is Federation?
Problems for Identity Federation
SAML 2.0 Federations
Single Sign-On
Account Linking and Persistent Pseudonyms
Transient Pseudonyms
Name ID Mapping
Federation Termination

Appendix A. Learning Resources
Appendix B. Web-Service Security Prefixes and Namespaces
