docs.intersystems.com
Securing Web Services
Introduction
InterSystems IRIS supports parts of the WS-Security, WS-Policy, WS-SecureConversation, and WS-ReliableMessaging specifications, which describe how to add security to web services and web clients. This chapter summarizes the tools and lists the supported standards. It discusses the following:
If your InterSystems IRIS web client uses a web service that requires authentication, and if you do not want to use the features described in this book, you can use the older WS-Security login feature. See "Using the WS-Security Login Feature" in the book Creating Web Services and Web Clients.
Tools in InterSystems IRIS Relevant to SOAP Security
InterSystems IRIS provides the following tools that are relevant to security for web services and web clients:
You can either use WS-Policy or you can use WS-Security and WS-SecureConversation directly. If you use WS-Policy, the system automatically uses the WS-Security tools as needed. If you use WS-Security or WS-SecureConversation directly, more coding is necessary.
A Brief Look at the WS-Security Header
A SOAP message carries security elements within the WS-Security header element — the <Security> subelement of the SOAP <Header> element. The following example shows some of the possible components:
These elements are as follows:
As shown here, an encrypted key element commonly includes a reference to a binary security token included earlier in the same message, and that token contains information that the recipient can use to decrypt the encrypted key. However, it is possible for <EncryptedKey> to contain the information needed for decryption, rather than having a reference to a token elsewhere in the message. InterSystems IRIS supports multiple options for this.
Similarly, a digital signature commonly consists of two parts: a binary security token that uses an X.509 certificate and a signature element that has a direct reference to that binary security token. (Rather than a binary security token, an alternative is to use a signed SAML assertion with the Holder-of-key method.) It is also possible for the signature to consist solely of the <Signature> element; in this case, the element contains information that enables the recipient to validate the signature. InterSystems IRIS supports multiple options for this as well.
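As an added example that is not part of the InterSystems documentation, the following Python script walks a constructed header of the shape described above and checks that the token reference inside each <EncryptedKey> and <Signature> resolves to a <BinarySecurityToken> that appears earlier in the same <Security> header, reporting a reference that does not resolve as dangling. The element and attribute names are the standard WS-Security ones; the token bytes and the sample envelope are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a WS-Security 1.1 header (standard URIs).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_token_references(envelope_xml):
    """Map each <EncryptedKey>/<Signature> in the header to one of:
    'token:<id>'  its SecurityTokenReference resolves to a BinarySecurityToken
                  that appears earlier in the same header,
    'inline'      no token reference; its own <KeyInfo> must carry the key data,
    'dangling'    it references a token that is not present in the header."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    tokens, results = set(), {}
    for child in sec:                       # document order matters
        tag = child.tag.split("}")[-1]
        if tag == "BinarySecurityToken":
            tokens.add(child.get("{%s}Id" % NS["wsu"]))
        elif tag in ("EncryptedKey", "Signature"):
            ref = child.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
            if ref is None:
                results[tag] = "inline"
            else:
                target = ref.get("URI", "").lstrip("#")
                results[tag] = "token:" + target if target in tokens else "dangling"
    return results

# Constructed sample: a BST, then an EncryptedKey and a Signature that both
# point back at it via wsse:Reference URI="#...". Token bytes are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}"
 xmlns:wsu="{wsu}" xmlns:xenc="{xenc}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="SecurityToken-1">MIIB...placeholder</wsse:BinarySecurityToken>
  <xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#SecurityToken-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </xenc:EncryptedKey>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#SecurityToken-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header><soap:Body/></soap:Envelope>""".format(**NS)

if __name__ == "__main__":
    print(check_token_references(SAMPLE))
```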
Standards Supported in InterSystems IRIS
This section lists the support details for WS-Security, WS-Policy, WS-SecureConversation, and WS-ReliableMessaging for InterSystems IRIS web services and web clients.
WS-Security Support in InterSystems IRIS
InterSystems IRIS supports the following parts of WS-Security 1.1 created by OASIS (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-pr-SOAPMessageSecurity-01.pdf):
WS-Policy Support in InterSystems IRIS
Both the WS-Policy 1.2 (http://www.w3.org/Submission/WS-Policy/) and the WS-Policy 1.5 (http://www.w3.org/TR/ws-policy) frameworks are supported along with the associated specific policy types:
Note that <PolicyReference> is supported only in two locations: in place of a <Policy> element within a configuration element or as the only child of a <Policy> element.
WS-SecurityPolicy 1.2 is supported as follows. Equivalent parts of WS-SecurityPolicy 1.1 are also supported.
WS-SecureConversation Support in InterSystems IRIS
InterSystems IRIS supports parts of WS-SecureConversation 1.3 (http://docs.oasis-open.org/ws-sx/ws-secureconversation/v1.3/ws-secureconversation.pdf), as follows:
InterSystems IRIS also supports the necessary supporting parts of WS-Trust 1.3 (http://docs.oasis-open.org/ws-sx/ws-trust/v1.3/ws-trust.pdf). Support for WS-Trust is limited to the bindings required by WS-SecureConversation and is not a general implementation.
WS-ReliableMessaging Support in InterSystems IRIS
InterSystems IRIS supports WS-ReliableMessaging 1.1 and 1.2 for synchronous messages over HTTP. Only anonymous acknowledgments in the response message are supported. Because only synchronous messages are supported, no queueing is performed.
See http://docs.oasis-open.org/ws-rx/wsrmp/200702/wsrmp-1.1-spec-os-01.html and http://docs.oasis-open.org/ws-rx/wsrm/200702.