As web services are used ever more frequently to perform secure transactions, authenticating and protecting the XML data that is transmitted over potentially insecure networks becomes essential.
With the incorporation of JSR 105 (Java XML Signature API) into JDK 6, Java programmers now have a standard solution for creating and validating XML signatures. And with the progression of JSR 106 (Java XML Encryption API) through the Java Community Process, a standard solution for XML encryption will soon be available.
This session will describe the two core XML security technologies, XML Signature and XML Encryption, and show you how to sign and encrypt data in Java using the JSR 105 and 106 APIs. Simple and more advanced use cases will be presented along with code examples. Debugging tips and common mistakes will also be covered.
The session will also provide an overview and history of the Apache XML Security project, on which the implementation of JSR 105 is based.
Finally, the session will take a look at where XML Security may be headed in the future and review some of the issues raised at the recent W3C workshop on Next Steps for XML Signature and Encryption.
Sean Mullan is a staff engineer working on Java Security at Sun Microsystems. He is the co-specification lead of the XML Digital Signature API (JSR 105) which is now part of JDK 6 and is a committer on the Apache XML Security project. He also participates in the W3C XML Security Specifications Maintenance Working Group. Previously, he was specification lead of the Certification Path API (JSR 55) which was successfully integrated into JDK 1.4. In addition, he focuses on access control, performance, and overall PKI and XML security support in the Java SE platform.
Liberty Alliance ID-WSF 2.0— This session gives an overview of ID-WSF 2.0's layered architecture, focusing in particular on the People Service, new in version 2.0, and how it allows consumers and organizations to manage social and enterprise applications such as bookmarks, blogging, calendars, e-mail, photo sharing and instant messaging in a federated social network. Learn how ID-WSF's SOAP-based invocation framework builds on SAML's foundation to provide identity with privacy for web services.
OpenSSO— This session looks at the progress of OpenSSO over the past two years and gives an overview of its features and functionality, with an emphasis on how you can leverage it and get involved. The OpenSSO project (http://opensso.dev.java.net/) was launched by Sun Microsystems in July 2005 to bring its access control, single sign-on and federation technology to the open source community. Since then, the entire code base of Sun's Access Manager product has been released as open source and work is proceeding on Sun Java System Federated Access Manager 8.0 in the OpenSSO community. Come find out how OpenSSO can work in your identity project.
SAML v2— Discover the basics of single sign-on and how SAML assertions are finding their way into projects like OpenSSO, NetBeans and GlassFish to secure web services. SAML V2.0, approved by OASIS in March 2005, is an XML-based framework for communicating user authentication, entitlement, and attribute information. Beyond defining the industry-standard protocol for cross-domain Web single sign-on (SSO), SAML is a keystone of higher-level specifications such as the Web Services Interoperability Basic Security Profile (WS-I BSP), the Liberty Alliance's Identity Web Services Framework (ID-WSF) and even Microsoft's CardSpace.
Security Sins and their Solutions— The talk covers the most insidious security vulnerabilities in Java Web and EE applications through practical demonstration of how to exploit these vulnerabilities and recommendations on how to prevent them. The threat posed by each vulnerability is explained and strategies for mitigating the flaw are introduced. The talk concludes with a discussion about integrating security at every step of the development life cycle.