Web Services Security Training

Web services security training teaches developers both web service security implementation and web service security best practices. As part of this, developers learn how to assess the security threats to their services and counter these threats with appropriate security technologies. The class covers the full range of technologies you can use for securing web services, starting with security basics and TLS/SSL secure transports before moving on to the whole gamut of WS-* security standards. Optional modules cover specific technologies in greater depth.

If you're using REST-like web services and not interested in WS-* technologies you can also choose a shorter version of the training that focuses on basic encryption technologies and transport layer security.

Depending on the optional modules chosen for the training, the full course takes 3-4 days. In-class assignments are normally supplied with both Apache Maven build files and Eclipse project files, and Eclipse is used for coding demonstrations. Apache Tomcat is normally used for service deployment. SOAP security assignments are done on the powerful and versatile Apache CXF web services stack, using both JAX-WS standard techniques and CXF-specific extensions (including the latest CXF 3.0 enhancements).

Optimum class size is 6-12 developers, though somewhat larger numbers can be accommodated with pair programming.

Course Objectives

  • Understand the principles of modern encryption technologies
  • Learn how to create and work with keys and certificates
  • Understand how TLS/SSL secure transports work, and how to configure and use them
  • Learn how WS-Security works, and how to configure it with WS-SecurityPolicy
  • Learn how to use WS-Trust with SAML identity management and WS-Federation
  • Learn the performance impact of security, and how WS-SecureConversation can help
  • Learn how to combine WS-ReliableMessaging with WS-Security for reliable secure exchanges
  • Apply all forms of security through in-class assignments using JAX-WS and Apache CXF
  • Understand the range of security threats and the web services security best practices for countering them

Attainment of course objectives is measured by performance on in-class assignments and snap quizes for each module. Certificates of completion are available for attendees who demonstrate their grasp of the material and ability to apply it to practical problems.

Course Prerequisites

  • Intermediate Java programming experience
  • Basic knowledge of web services (can be covered in class if appropriate)

Course Outline

Part I - Basic principles

  1. What constitutes a security threat?
  2. Symmetric and asymmetric encryption:
    1. Symmetric encryption algorithms
    2. Stream ciphers and chaining modes
    3. Asymmetric encryption algorithms
  3. Signing and certificates:
    1. Message digests
    2. Signing digests
    3. Certificates and chains of trust
  4. Key exchange algorithms (Diffie-Hellman)
  5. Working with keystores/truststores


  1. Symmetric encryption using a secret key
  2. Generating asymmetric encryption key pairs and self-signed certificates
  3. Asymmetric encryption for secret key exchange
  4. Diffie-Hellman key exchange

Part II - Secure transports

  1. How TLS/SSL transport security works
  2. Configuring and using basic TLS:
    1. Controlling certificates and verification
    2. Troubleshooting TLS connections
    3. Controlling protocols and algorithms
  3. TLS with client certificates
  4. TLS strengths and weaknesses


  1. Enabling TLS for web browser client
  2. Using TLS for Java client
  3. Implementing dual-certificate TLS
  4. Controlling TLS versions and cipher suites

Part III - Certificate authorities (optional)

  1. Trusted certificate authorities
  2. Man-in-the-middle attacks:
    1. Intermediaries can break security
    2. Ways and means of getting in
    3. Blocking falsified certificates
  3. Running your own certificate authority:
    1. Best practices for algorithms and key lengths
    2. Managing certificate creation
    3. Handling certificate revocations
  4. EJBCA enterprise certificate authority


  1. Using shared certificate authority for class
  2. Configuring certificate revocation handling

Part IV - XML encryption and signing (optional)

  1. XML encryption standard
  2. XML signature standard:
    1. The role of canonicalization
    2. References and signatures
  3. Using XML encryption and signature directly
  4. XML encryption improvements
  5. XML Key Management Specification (XKMS)


  1. Encrypting XML content
  2. Signing and verifying XML content
  3. Using XKMS public keys

Part V - Introduction to WS-Security

  1. How WS-Security builds on XML encryption and signature
  2. Key and certificate handling in WS-Security
  3. Encryption algorithms
  4. WS-Security token profiles
  5. Using WS-Security directly
  6. WS-I Basic Security Profile


  1. Encrypting web service messages
  2. Signing web service messages

Part VI - Introduction to WS-Policy and WS-SecurityPolicy

  1. Basic WS-Policy structure
  2. WS-Security policy introduction:
    1. UsernameToken for identity information
    2. AsymmetricBinding for asymmetric encryption
    3. Specifying components to be encrypted and/or signed
    4. Understanding asymmetric key and certificate usage
    5. SymmetricBinding for symmetric encryption
    6. Algorithm suites
  3. Attaching policies in WSDL:
    1. Embedding policies in WSDL
    2. Policy references and scopes
    3. Sharing policies across an enterprise


  1. Adding UsernameToken to service
  2. Adding signing and encryption to service
  3. Applying different policies to different operations
  4. Class-wide standard policies

Part VII - WS-Trust and identity management (optional)

  1. Issues of authentication and authorization
  2. Using SAML identity management:
    1. SAML token structure
    2. Principles of WS-Trust
    3. WS-Trust client configuration
    4. Using SAML tokens with WS-Security
  3. Using WS-Federation for identity management


  1. Obtaining a SAML token directly
  2. Securing a web service with SAML tokens
  3. Using WS-Federation single sign-on

Part VIII - WS-SecureConversation

  1. Why secure conversation?
    1. Costs of WS-Security asymmetric encryption
    2. Authentication and authorization handling
  2. Building WS-SecureConversation on WS-Trust:
    1. WS-SecureConversation STS
    2. Security context usage
  3. Performance impact of security:
    1. Comparing different approaches
    2. Streaming security benefits
    3. Effect of algorithm choices


  1. Implement WS-SecureConversation with UsernameToken
  2. Convert to WS-SecureConversation with SAML token

Part IX - WS-ReliableMessaging and security (optional)

  1. WS-ReliableMessaging basics:
    1. Reliable and/or in-order delivery
    2. Sequences and acknowledgements
    3. WS-ReliableMessaging protocol messages
    4. Limitiations of WS-ReliableMessaging
  2. WS-I Reliable Secure Profile
  3. WS-ReliableMessaging over WS-SecureConversation
  4. WS-MakeConnection for restricted clients


  1. Implement reliable messaging for client and server
  2. Secure exchanges with WS-SecureConversation

Part X - Web service security best practices

  1. Understanding the threats:
    1. Review of threat types
    2. Application to web services
    3. Security approaches to counter threats
  2. Planning a security architecture
  3. Designing security for your services:
    1. Controlling transport layer security
    2. Granular application of WS-Security
    3. Separate endpoints for different security scenarios
    4. Handling authentication and authorization
  4. Security with ESB architectures


  1. Analyze and discuss supplied scenarios