Training Capstone Courseware

Training goals

code: CC-562 | version: v5.0

This advanced course introduces Java developers to key concepts and technology for developing secure web services and securing enterprise software architecture. Though consensus is forming, and standards have largely taken shape, this is still a broad and challenging field. We focus on a few well-defined approaches: XML cryptography, the WS-Security and WS-SecurityPolicy standards, and the Security Assertions Markup Language, or SAML. We also look XACML for authorization policies, and at trust and federation -- not only as envisioned by SAML but also through the WS-Trust and WS-Federation specifications.

These approaches do overlap, and through our primary case studies we present a single, coherent story of assuring confidentiality, integrity and non-repudiation, user authenticity, and proper request authorization with a blend of policy-driven WS-Security, SAML, and even some application-coded digital signature. We also investigate the web-application end of SAML, with an in-depth study of single sign-on and federated identity.

Although for practical purposes this course relies on a specific platform, which is Java EE, the great majority of the course content teaches interoperable specifications, and would be equally useful to developers working on other web-service-capable platforms such as .NET -- or to those who work with multiple platforms, and do need to understand the interoperable pieces in detail but perhaps don't need to delve into implementation strategies. In fact, customizations are available that essentially leave out the Java to stick more strictly to the XML.

Conspect Show list

  1. Chapter 1. Securing the Service-Oriented Enterprise
    • Security for Web Services
    • Threats
    • CIA Goals
    • Solution Levels: W3C, OASIS, Java EE
    • Scenario: Secure Multi-Party Conversation
    • Cryptography
    • WS-Security and WS-SecurityPolicy
    • Scenario: Sharing Security Information
    • SAML and XACML
    • Scenario: Multiple User Realms
    • Scenario: Single Sign-On
    • Technology Stacks: WS-Federation and Liberty Alliance
    • The WS-I Basic Security Profile
  2. Chapter 2. Transport Security
    • Use Case: Secure Transport
    • HTTP Authentication Schemes
    • HTTP BASIC
    • HTTP DIGEST
    • Securing Web-Service URLs
    • HTTPS
    • JAX-WS Support
    • Axis Support
  3. Chapter 3. XML Signature
    • Use Case: Non-Repudiation
    • XML Digital Signature
    • Cryptography Backgrounder
    • Canonical XML
    • Enveloped, Enveloping, and Detached Signatures
    • SignedInfo and References
    • The Java Cryptography Architecture
    • Keystores
    • Why Keys Aren't Enough
    • X.509 Certificates and Certificate Chains
    • The KeyStore API
    • Java XML Digital Signature API
    • Steps to Sign and Verify XML Content
    • JAX-WS Message Handlers
    • Foiling the Man in the Middle
  4. Chapter 4. XML Encryption
    • Use Case: Confidentiality
    • XML Encryption
    • EncryptedData
    • Element vs. Content Encryption
    • Key Wrapping
    • The Java Cryptography Extensions
    • Apache XML Security
    • Steps to Encrypt and Decrypt XML Content
    • Choosing Algorithms and Key Sizes
  5. Chapter 5. WS-Security
    • Use Case: Secure Message Exchange
    • Use Case: User Login
    • The WS-Security Specifications
    • Security Token Types
    • Timestamps
    • Username Tokens
    • Signature and Encryption
    • Tools for WS-Security
    • XWSS and JAAS
    • Foiling Replay Attacks
  6. Chapter 6. WS-SecurityPolicy
    • Use Case: Sharing Metadata
    • WS-Policy
    • Normalized vs. Compact Form
    • Policy Attachment
    • Policy Scopes
    • WS-SecurityPolicy
    • Protection Assertions
    • Token Assertions
    • Supporting and Endorsing Tokens
    • Bindings
    • Metro and WSIT
    • Implementing Callbacks
    • Integrating Security Frameworks
  7. Chapter 7. Introduction to SAML
    • History of SAML
    • Assertions
    • Protocol
    • Bindings
    • Profiles
    • Using OpenSAML
    • SAML and Web Services
  8. Chapter 8. SAML Assertions
    • Use Case: "Vouching for" a User
    • The Assertions Schema
    • Extensibility
    • Assertions and Subjects
    • NameID Types
    • Conditions
    • Subject Confirmation
    • Confirmation Methods
    • AuthntStatement
    • Authentication Contexts
    • AttributeStatement
    • Attribute Profiles
    • AuthzDecisionStatements
    • Actions and Evidence
    • WS-Security and SAML Tokens
    • OpenSAML Assertions Model
    • Creating XML Objects
    • Marshalling and Unmarshalling
  9. Chapter 9. SAML Protocol
    • Use Case: Back-Channel Queries
    • Requests, Queries, and Responses
    • Status and StatusCode
    • AuthnQuery
    • AttributeQuery
    • AuthzDecisionQuery
    • Other Request and Response Types
    • OpenSAML Protocol Model
    • SAML and XML Signature
    • SAML and XML Encryption
  10. Chapter 10. XACML
    • Use Case: Back-Channel Authorization
    • Use Case: Sharing Authorization Policies
    • Policies, Policy Sets, and Targets
    • Rules
    • Combining Algorithms
    • Policy Context
    • Request and Response Types
    • The SAML Profile of XACML
    • Authorization Decisions via XACML
  11. Chapter 11. Securing Federated Services
    • Publish, Find, Bind ... Execute!
    • UDDI
    • WS-BPEL
    • The Trust Problem
    • WS-Trust
    • The Security Token Service
    • Messaging Model: RST and RSTR
    • Derived Keys
    • WS-SecureConversation
    • Secure Conversation Metrics
    • WS-Federation
    • Value Proposition
  12. Chapter 12. SAML Bindings
    • Use Case: Speaking "Through" the Browser
    • The SOAP Binding
    • SAML Over HTTP
    • The Browser as Messenger
    • The Redirect, POST, and Artifact Bindings
    • The PAOS Binding
    • The URI Binding
  13. Chapter 13. Federated Identity
    • What is Federation?
    • Problems for Identity Federation
    • SAML 2.0 Federations
    • Single Sign-On
    • Account Linking and Persistent Pseudonyms
    • Transient Pseudonyms
    • Name ID Mapping
    • Federation Termination
    • OpenSSO
    • Fedlets

Appendix A. Learning Resources

Appendix B. Web-Service Security Prefixes and Namespaces

Download conspect training as PDF

Additional information

Prerequisites
  • Solid Java programming experience is essential - Course 103 provides excellent preparation.
  • Experience developing Java Web services is likewise a hard requirement: labs will assume understanding of both SAAJ and JAX-WS - Course 561 is strongly recommended.
  • Students are expected to be able to read and write XML fluently, and have some familiarity with XML Schema. Consider courses 501 and 517.
Difficulty level
Duration 5 days
Certificate

The participants will obtain certificates signed by Capstone Courseware.
Trainer

Authorized Capstone Courseware Trainer.

Other training Capstone Courseware | XML and Web Services

Capstone Courseware show more courses
Training thematically related

Security

Security | Aruba

Network Security | Broadcom

Java Programming | Capstone Courseware

Java EE | Capstone Courseware

Open-Source Frameworks | Capstone Courseware

Core Training | Check Point

Infinity Specializations | Check Point

ICS/OT security | Compendium CE

Security+ | CompTIA

CySA+ | CompTIA

PenTest+ | CompTIA

SecurityX (formerly CASP+) | CompTIA

Certified Ethical Hacker | EC-Council

Advanced WAF (AWAF) | F5

Access Policy Manager (APM) | F5

Advanced Firewall Manager (AFM) | F5

Fortinet Certified Professional (FCP) | Fortinet

Fortinet Certified Solution Specialist (FCSS) | Fortinet

Cyber security | ISC2

Microsoft 365 | Microsoft

Security | Microsoft

Pen Testing & Ethical Hacking | Mile2

Information Systems Management | Mile2

Incident Handling | Mile2

Web Application Security | Mile2

Cloud Security | Mile2

Forensics | Mile2

Disaster Recovery | Mile2

Healthcare | Mile2

Risk Management | Mile2

Auditing | Mile2

Cyber Range | Mile2

Security Awareness | Mile2

Cyber Threat Analyst | Mile2

Network Security | Palo Alto Networks

SASE | Palo Alto Networks

Security Operations | Palo Alto Networks

ISO/IEC 27001 Information Security Management Systems | PECB®

LinkProof | Radware

DefensePro | Radware

AppDirector | Radware

Alteon | Radware

Fundamentals | SCADEMY

C# | SCADEMY

C/C++ | SCADEMY

Java | SCADEMY

PHP | SCADEMY

Python | SCADEMY

WEB | SCADEMY

Cloud | SCADEMY

Cryptography | SCADEMY

Finance | SCADEMY

Healthcare | SCADEMY

Telecome | SCADEMY

Software design | SCADEMY

Software testing | SCADEMY

Dark Web | SECO-Institute

Cyber Defence | SECO-Institute

Crisis Management | SECO-Institute

Data Protection | SECO-Institute

Kubernetes | SUSE

Linux | The Linux Foundation

E-learning | The Linux Foundation

Exam | The Linux Foundation

Java

Java Programming | Capstone Courseware

Java EE | Capstone Courseware

Open-Source Frameworks | Capstone Courseware

XML and Web Services | Capstone Courseware

Java | SCADEMY

Programming

Java Programming | Capstone Courseware

Java EE | Capstone Courseware

Open-Source Frameworks | Capstone Courseware

Databases | Capstone Courseware

XML and Web Services | Capstone Courseware

Application modernization | Google Cloud

AI and Machine Learning | Google Cloud

FinOps | Google Cloud

Azure | Microsoft

Dynamics 365 | Microsoft

Visual Studio | Microsoft

Python | Python Academy

Django | Python Academy

On Demand | Python Academy

Fundamentals | SCADEMY

C# | SCADEMY

C/C++ | SCADEMY

Java | SCADEMY

PHP | SCADEMY

Python | SCADEMY

WEB | SCADEMY

Cloud | SCADEMY

Cryptography | SCADEMY

Finance | SCADEMY

Healthcare | SCADEMY

Telecome | SCADEMY

Software design | SCADEMY

Software testing | SCADEMY

Linux | The Linux Foundation

Embedded Linux | The Linux Foundation

E-learning | The Linux Foundation

Exam | The Linux Foundation

Contact form

Please fill form below to obtain more info about this training.






* Fields marked with (*) are required !!!

Information on data processing by Compendium - Centrum Edukacyjne Spółka z o.o.

TRAINING PRICE FROM 1100 EUR

  • In order to propose a date for this training, please contact the Sales Department

Upcoming Capstone Courseware training

Training schedule
Capstone Courseware