CPE4004 Lecture 9

Web Services, SOAP, Security

What we have now? Web site – web apps

- SOAP
- JAX-WS
- XML-Object mapping
- Security

4/12/2006 Lecture 9 - Web Services, SOAP, security
Web application vs Web site

- Web site
  - Static content
  - No business logic
  - Mostly dealing with presentation issues
- Web application:
  - Focus is on capturing business dynamics
  - Implements business logic
  - Changes the state of the business objects
  - Needs clear separation of endpoint implementation from presentation
  - Dynamic content is delivered
- Methodology to develop web apps:
  - Relationship Management Methodology is often used
  - Aims at reducing development and maintenance cost of such sites with intensive DB-driven processing over the Internet
  - Always think about security
- Web service is not a web
  - It uses "web" components to manipulate views on data
  - Security is important
  - Carefully design
    - Service interface
    - Interaction - conversation
    - Endpoint
UML provides stereotypes

- Client side of a web page
  - With some JavaScript or scriptlets
  - HTML formatted document
  - This is a class with additional dynamic behaviour
  - Use a stereotype to model the client page: <<clientPage>>
  - Boundary class rendered by a browser
- HTML form
  - Class stereotyped as a <<form>>
  - Collection of input fields that are part of a client page
  - Relationships: link, build (page), redirect, forward, etc.
- Server side of a web page
  - The behaviour of a server-side page is different from the client-side page
  - It is a class too
  - It is created by some server programs – servlets
  - Dynamic content
  - Use a stereotype to model it: <<ServerPage>>
Web Service revisited

- A Web Service is its Contract.
- In this contract we define:
  - the name, and other properties of the service,
  - the operations it supports, and
  - the messages accepted and sent by the operations.
- Together with the Binding of the service, this makes an Endpoint, i.e. something we can point a client at.
- For SOAP services, the contract is defined in a WSDL definition:
  - It refers to an XSD schema that defines the messages of the operations.
- The most common way to create a WSDL document is to have the SOAP stack generate it from the code.
  - This is called contract-last development.
- Alternatively you start with the WSDL and schema, and create the server-side stubs afterwards:
  - contract-first development.
Web Service characteristics

- Components and platforms
  - Based on XML documents passed between the client and server
  - Mapped to programs (Java classes), objects or databases
- An XML document is passed to the other application as a message
  - The format of this message is defined by some standard
  - The message must be validated against some business rules (e.g. in an XSD)
- A web service is exposed as an interface and provides a gateway to the back-end application, which is running some DB
- Different platforms for implementation
  - Different mechanisms and vendors
  - JAXB, JAXP, JAX-WS, Axis instant WS, etc.
Java SOAP stack

- JAX-RPC and SOAP
  - A valid SOAP message is a well-formed XML document
  - SOAP defines a set of rules to be used for simple one-way messaging, but is particularly useful for Remote Procedure Call (RPC) request-response dialogues.
  - It is not tied to any particular operating system, client, server or language, as long as they can formulate and understand SOAP.
  - It is an important building block for developing distributed applications that use web services over an intranet or the internet.
SOAP in Action

  // WS call:
  String[] getEmployeeDetails(int employeeNum);

  // Return message contains:
  class EmployeeDetails {
      String empName;
      String phoneNO;
      TempPhoneNo[] tempPhoneNO;   // where there can be many of these
  }

  class TempPhoneNo {
      int startDate;
      int endDate;
      String phoneNO;
  }

- The SOAP developer's approach to such a problem is to encapsulate the service in a method in C or VB or Java etc., then set up a process that listens for requests to the service;
  - such requests are in SOAP format
  - they contain the request for the service and its parameters.
- TempPhoneNo can be repeated – we do not know how many of them are stored
- What about just calling a "stored procedure" on a DB?
  - Complex data cannot be used as parameters or returns from stored procedures
  - We cannot use JDBC since we do not know how many TempPhoneNo records exist.

[Slide 8: diagram "SOAP servlet"; the figure itself is not recoverable from the extracted text]
SOAP message syntax: a valid SOAP message is a well-formed XML document

Composed of the following elements:
- XML declaration
- SOAP Envelope
- SOAP Header
- SOAP Body

Request:

  <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
  <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema">
    <SOAP-ENV:Body>
      <!-- Method tag; the ns1 namespace is the service name -->
      <ns1:getEmployeeDetails xmlns:ns1="urn:MySoapServices">
        <!-- Parameter tag -->
        <param1 xsi:type="xsd:int">1016577</param1>
      </ns1:getEmployeeDetails>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
Response:

  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <ns1:getEmployeeDetailsResponse
        xmlns:ns1="urn:MySoapServices"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <!-- Array structure -->
        <return
          xmlns:ns2="http://schemas.xmlsoap.org/soap/encoding/"
          xsi:type="ns2:Array"
          ns2:arrayType="xsd:string[2]">
          <item xsi:type="xsd:string">My name</item>
          <item xsi:type="xsd:string">+1-212-7370194</item>
        </return>
      </ns1:getEmployeeDetailsResponse>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
Nested alternate temporary phone numbers are added in this message:

  <SOAP-ENV:Body>
    <ns1:getEmployeeDetailsResponse
      xmlns:ns1="urn:MySoapServices"
      SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <return xsi:type="ns1:EmployeeContactDetail">
        <employeeName xsi:type="xsd:string">Bill XXXXXX</employeeName>
        <phoneNumber xsi:type="xsd:string">+1-212-7370194</phoneNumber>
        <tempPhoneNumber
          xmlns:ns2="http://schemas.xmlsoap.org/soap/encoding/"
          xsi:type="ns2:Array"
          ns2:arrayType="ns1:TemporaryPhoneNumber[3]">
          <item xsi:type="ns1:TemporaryPhoneNumber">
            <startDate xsi:type="xsd:int">37060</startDate>
            <endDate xsi:type="xsd:int">37064</endDate>
            <phoneNumber xsi:type="xsd:string">+1-515-2887505</phoneNumber>
          </item>
          <item xsi:type="ns1:TemporaryPhoneNumber">
            <startDate xsi:type="xsd:int">37074</startDate>
            <endDate xsi:type="xsd:int">37078</endDate>
            <phoneNumber xsi:type="xsd:string">+1-516-2890033</phoneNumber>
          </item>
          <item xsi:type="ns1:TemporaryPhoneNumber">
            <startDate xsi:type="xsd:int">37088</startDate>
            <endDate xsi:type="xsd:int">37092</endDate>
            <phoneNumber xsi:type="xsd:string">+1-212-7376609</phoneNumber>
          </item>
        </tempPhoneNumber>
      </return>
    </ns1:getEmployeeDetailsResponse>
  </SOAP-ENV:Body>
Validation and namespaces

- Validation:
  - The message is received in serialized form
  - There is no validation performed of how many times the TemporaryPhoneNumber has been encoded.
  - Extra code has to be written to validate the number of repetitions
  - The validation will consume time and memory; an unbounded repetition count that nobody checks is a security hole (a sender can repeat the element as often as it likes)
- Namespaces
  - Each node in an XML message can be attached to a namespace:
    <ns1:getEmployeeDetailsResponse xmlns:ns1="urn:MySoapServices">
  - This concept does not exist in Java
  - Mapping is done from a namespace to a Java package
  - This often means that either the operation or its parameters are guessed rather than accurately mapped
Binding XML elements to Java classes

- Java inheritance
  - We can change some existing semantics with inheritance; the subclass would allow us to
    - Add methods
    - Add attributes
  - Java derives new types by extending the capabilities of parent classes
- In an XSD schema:

  <simpleType name="AusPostcode">
    <restriction base="xsd:string">
      <pattern value="[A-Z]{3}\d \d[1-9]{4}"/>
    </restriction>
  </simpleType>

  - We can use restrictions and patterns to specify how the data may look;
  - This information is lost when the Java classes are created: the simple type becomes a plain String
  - Restrictions have to be put in using some additional coding
Mapping XML names to Java identifiers

- Not all XML names can be used as Java identifiers:
  - XML names can even use ".", or be a reserved name such as "String"
  - This is not allowed in Java
  - We need to perform a non-trivial mapping to accommodate the greater range of XML names
- Package names are often derived from the namespace URL
- The problem:
  - With each new version of Java these mappings must be revisited
  - Possible changes made to the validation and identifier mappings
Restrictions on values - example

  <xs:element name="age">
    <xs:simpleType>
      <xs:restriction base="xs:integer">
        <xs:minInclusive value="0"/>
        <xs:maxInclusive value="100"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>

There is no simple mapping into Java classes.
Enumerations

  <xs:element name="car">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="Audi"/>
        <xs:enumeration value="Golf"/>
        <xs:enumeration value="BMW"/>
        <xs:enumeration value="null"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>

1) An enumeration value should not be a Java reserved word such as null; it cannot be used as an identifier without renaming.

2) Java 5 generates a set of identifiers, one for each value in the enumeration set, showing the position in the set. The value identifiers are therefore lost, and code has to be written to detect any changes in position and value identifiers when the schema changes.
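Slides 12, 13, 15 and 16 all make the same point: the occurrence count, the postcode pattern, the age range and the car enumeration are expressed in the schema but arrive in the application as bare Strings and ints, so the checks have to be coded by hand. The following is an added example in Python (not code from the lecture) of what that hand-written validation looks like for the getEmployeeDetailsResponse of slide 11. The postcode, age and car elements are constructed additions to that response so that all three restriction kinds can be exercised, and the cap of 10 repetitions is an assumption, since the schema declares no maxOccurs.

```python
"""Enforcing in code the XSD restrictions that the XML-to-Java mapping loses:
patterns, ranges, enumerations and occurrence counts."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"

# Restrictions copied from the lecture's schema fragments. After unmarshalling
# each of these is just a String or an int, so they are re-checked here.
POSTCODE_RE = re.compile(r"^[A-Z]{3}\d \d[1-9]{4}$")   # <pattern> of AusPostcode
AGE_RANGE = (0, 100)                                    # minInclusive/maxInclusive
CAR_ENUM = {"Audi", "Golf", "BMW"}                      # <enumeration> values
MAX_TEMP_PHONES = 10   # assumption: the schema has no maxOccurs, so a cap is chosen


class ValidationError(ValueError):
    """The payload violates a restriction the schema expressed."""


def _text(parent, name):
    child = parent.find(name)
    if child is None or child.text is None:
        raise ValidationError(f"missing element <{name}>")
    return child.text.strip()


def _declared_size(array_elem):
    """N from enc:arrayType="ns:Type[N]", or None if no size is declared."""
    m = re.search(r"\[(\d+)\]$", array_elem.get(f"{{{SOAP_ENC}}}arrayType", ""))
    return int(m.group(1)) if m else None


def validate_employee_response(xml_bytes):
    """Parse a getEmployeeDetailsResponse and re-apply the lost restrictions.
    Returns the validated fields; raises ValidationError (a ValueError)."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_ENV}}}Body")
    ret = None if body is None else body.find(".//return")
    if ret is None:
        raise ValidationError("no <return> inside the SOAP Body")
    out = {"employeeName": _text(ret, "employeeName"),
           "phoneNumber": _text(ret, "phoneNumber")}

    postcode = _text(ret, "postcode")
    if not POSTCODE_RE.match(postcode):
        raise ValidationError(f"postcode {postcode!r} fails the schema pattern")
    age = int(_text(ret, "age"))                 # int() itself rejects "abc"
    if not AGE_RANGE[0] <= age <= AGE_RANGE[1]:
        raise ValidationError(f"age {age} outside {AGE_RANGE}")
    car = _text(ret, "car")
    if car not in CAR_ENUM:
        raise ValidationError(f"car {car!r} is not an enumeration value")
    out.update(postcode=postcode, age=age, car=car)

    # Occurrence check the lecture says nobody performs: declared array size,
    # actual item count and an absolute cap must all agree.
    arr = ret.find("tempPhoneNumber")
    items = [] if arr is None else arr.findall("item")
    declared = None if arr is None else _declared_size(arr)
    if declared is not None and declared != len(items):
        raise ValidationError(f"arrayType declares {declared} items, found {len(items)}")
    if len(items) > MAX_TEMP_PHONES:
        raise ValidationError(f"{len(items)} TemporaryPhoneNumber items exceed the cap")
    temps = []
    for item in items:
        start, end = int(_text(item, "startDate")), int(_text(item, "endDate"))
        if start > end:
            raise ValidationError(f"startDate {start} is after endDate {end}")
        temps.append((start, end, _text(item, "phoneNumber")))
    out["tempPhoneNumbers"] = temps
    return out


def check_rejects(xml_bytes):
    """True if the validator refuses the payload."""
    try:
        validate_employee_response(xml_bytes)
    except ValueError:
        return True
    return False


# Constructed sample: the slide-11 response, extended with postcode, age and
# car elements so that all three kinds of restriction are exercised.
LECTURE_ITEMS = [(37060, 37064, "+1-515-2887505"),
                 (37074, 37078, "+1-516-2890033"),
                 (37088, 37092, "+1-212-7376609")]


def build_sample(items, postcode="VIC3 31234", age=42, car="Audi"):
    item_xml = "".join(
        f"<item><startDate>{s}</startDate><endDate>{e}</endDate>"
        f"<phoneNumber>{p}</phoneNumber></item>" for s, e, p in items)
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">
 <SOAP-ENV:Body>
  <ns1:getEmployeeDetailsResponse xmlns:ns1="urn:MySoapServices">
   <return>
    <employeeName>Bill XXXXXX</employeeName>
    <phoneNumber>+1-212-7370194</phoneNumber>
    <postcode>{postcode}</postcode><age>{age}</age><car>{car}</car>
    <tempPhoneNumber xmlns:ns2="{SOAP_ENC}"
        ns2:arrayType="ns1:TemporaryPhoneNumber[{len(items)}]">{item_xml}</tempPhoneNumber>
   </return>
  </ns1:getEmployeeDetailsResponse>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".encode()
```

The declared array size is compared with the real item count rather than trusted: an attacker controls both, so the cap is what actually bounds the work the server does. Run `validate_employee_response(build_sample(LECTURE_ITEMS))` for the accepted case and `check_rejects(build_sample(LECTURE_ITEMS * 4))` to see the repetition cap fire.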
Unportable types

- Some Java types are unportable
  - java.util.Hashtable
- Some types may have a different meaning in other languages:
  - java.util.Calendar
  - Could be interpreted in .NET as date/time
  - Should be sent as xsd:dateTime
  - What happens if client and server are in different time zones?
Serializing objects

- XML is a hierarchical data structure
  - Typically trees or lists
- Java classes may form a cyclic graph of references
- Mapping into XML requires the cycle to be recognized and treated accordingly by the mapper
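Slides 17 and 18 describe two things a mapper has to handle that the XML itself does not express: unportable or ambiguous types (Hashtable, Calendar without a time zone) and cyclic object graphs. The following is an added example in Python (not code from the lecture) of a small marshaller that refuses dictionaries, requires time-zone-aware datetimes before emitting xsd:dateTime, and breaks cycles with id/href back-references in the style of SOAP encoding's multi-ref accessors. The Employee graph and its +10:00 time zone are constructed sample data.

```python
"""Mapping an object graph to SOAP-encoded XML: portable types only, aware
datetimes as xsd:dateTime, and cycles broken with id/href multi-references."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/1999/XMLSchema-instance"
XSD = "http://www.w3.org/1999/XMLSchema"
ET.register_namespace("xsi", XSI)


class UnportableType(TypeError):
    """The value has no interoperable XML representation."""


def xsd_datetime(dt):
    """Serialize as xsd:dateTime with an explicit UTC offset. A naive datetime
    is refused: without the offset a .NET or Java receiver in another time
    zone would read the same digits as a different instant."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise UnportableType("naive datetime: attach a time zone before sending")
    return dt.isoformat()


class Marshaller:
    """Walks an object graph and emits SOAP-encoding style XML. An object seen
    before is written as href="#idN" instead of being serialized again, which
    is how SOAP encoding represents shared objects and cycles; a mapper that
    simply recursed would loop forever on Employee.manager.reports."""

    def __init__(self):
        self.ids = {}                       # id(obj) -> multi-ref identifier
        self.root = ET.Element("payload")
        self.root.set("xmlns:xsd", XSD)     # makes xsi:type="xsd:..." resolvable

    def marshal(self, value, name, parent=None):
        el = ET.SubElement(self.root if parent is None else parent, name)
        if isinstance(value, (dict, set)):  # the java.util.Hashtable problem
            raise UnportableType(f"{type(value).__name__} has no portable mapping")
        if value is None:
            el.set(f"{{{XSI}}}nil", "true")
        elif isinstance(value, bool):       # before int: bool is a subclass of int
            el.set(f"{{{XSI}}}type", "xsd:boolean"); el.text = str(value).lower()
        elif isinstance(value, int):
            el.set(f"{{{XSI}}}type", "xsd:int"); el.text = str(value)
        elif isinstance(value, str):
            el.set(f"{{{XSI}}}type", "xsd:string"); el.text = value
        elif isinstance(value, datetime):
            el.set(f"{{{XSI}}}type", "xsd:dateTime"); el.text = xsd_datetime(value)
        elif isinstance(value, (list, tuple)):
            for item in value:
                self.marshal(item, "item", el)
        else:                               # application object: recurse once
            key = id(value)
            if key in self.ids:
                el.set("href", "#" + self.ids[key])   # back-reference breaks the cycle
                return el
            self.ids[key] = f"id{len(self.ids)}"
            el.set("id", self.ids[key])
            for field, child in vars(value).items():
                self.marshal(child, field, el)
        return el

    def tostring(self):
        return ET.tostring(self.root, encoding="unicode")


def marshal_graph(value, name):
    m = Marshaller()
    m.marshal(value, name)
    return m.tostring()


def count_hrefs(xml_text):
    """Number of back-references the marshaller emitted (cycles or sharing)."""
    return sum(1 for el in ET.fromstring(xml_text).iter() if el.get("href"))


def is_portable(value):
    try:
        marshal_graph(value, "value")
        return True
    except UnportableType:
        return False


# Constructed sample graph with a cycle: manager <-> report.
class Employee:
    def __init__(self, name, hired):
        self.name, self.hired = name, hired
        self.manager, self.reports = None, []


def sample_graph():
    tz = timezone(timedelta(hours=10))      # an arbitrary +10:00 zone
    boss = Employee("Alice", datetime(2006, 12, 4, 9, 0, tzinfo=tz))
    worker = Employee("Bob", datetime(2006, 12, 4, 9, 30, tzinfo=tz))
    worker.manager, boss.reports = boss, [worker]
    return boss


NAIVE_HIRE_DATE = datetime(2006, 12, 4)      # no tzinfo: the Calendar pitfall
```

`marshal_graph(sample_graph(), "employee")` serializes Alice once with `id="id0"`; when the walk reaches Bob's `manager` it emits `href="#id0"` and stops, so the output is a finite, well-formed document that a receiver can resolve back into the same graph.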
Fault processing

- The Web Service protocols imply that the application is making calls across network boundaries.
  - As such, you must be prepared to handle any network-related errors that occur.
- As the Web Service interface is based on a Java remote interface, any client code must catch and handle java.rmi.RemoteException.
  - A RemoteException will be generated in response to any unhandled runtime exceptions that occur. Such exceptions are mapped to SOAP fault elements that are included in the body of the response from the server.
- Domain exceptions, for example InvalidProductCodeException, should appear on your Web Service remote interfaces.
  - These exceptions are defined in the service WSDL as fault elements.
  - Such fault elements are marshaled back to the client in the SOAP message that forms the response from the server.
  - For a Java client, the exception will be regenerated in its original form and rethrown.
  - A Java exception is a complex type, so the JAX-RPC runtime must be able to marshal and unmarshal at least some of its contents (such as its message). Therefore, exceptions must conform to certain rules to be successfully passed. These rules are similar to those for JavaBeans and are defined in section 5 of the JAX-RPC specification (JSR 101).
Fault processing - example SOAP Fault

  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <soap:Body>
      <soap:Fault>
        <faultcode>soap:MustUnderstand</faultcode>
        <faultstring>Mandatory Header error</faultstring>
        <faultactor>http://www.wrox.com/heroes/endpoint.asp</faultactor>
        <detail>
          <w:source xmlns:w="http://www.wrox.com/">
            <module>endpoint.asp</module>
            <line>203</line>
          </w:source>
        </detail>
      </soap:Fault>
    </soap:Body>
  </soap:Envelope>
SOAP Fault message structure

- faultcode element
  - VersionMismatch – this value indicates that the namespace of the SOAP Envelope element was not http://schemas.xmlsoap.org/soap/envelope/.
  - MustUnderstand – this value is returned in a faultcode element when the endpoint encounters a mandatory Header element entry that it does not recognize.
  - Client – this value should be used in the faultcode element when a problem is found in the message that was received.
  - Server – in contrast to the Client fault code, Server indicates that a problem occurred during processing that was not directly related to the content of the message.
    - An example of this type of fault would be that the database used by the endpoint to return information is down.
- faultstring element
  - contains a string value that briefly describes the fault that occurred in a way that would make sense if it were displayed to the user in an error dialog. That is not to suggest that it could not be technical in nature.
- faultactor element
  - where the error occurred
  - This is especially important in systems that involve SOAP intermediaries. If a message must pass through a dozen endpoints before it can reach its final destination for payload processing, the developer needs to know at what point on the message routing chain an error occurred.
  - The faultactor element is a placeholder for that type of information. It contains a URI that identifies the endpoint where the fault originated.
- detail element
  - additional information relevant to the fault
Fault processing – JAX-RPC

- In SOAP Web services a fault flows from the server to the client in the form of a SOAP fault.
- A SOAP fault consists of
  - faultcode,
  - faultstring, and
  - optional faultactor and detail.
- The JAX-RPC specification defines various rules about how to map from a Java exception to a SOAP fault (server side) and from the SOAP fault back to the Java exception (client side).
- There are four types of exceptions that can be thrown from the server:
  - java.rmi.RemoteException
  - java.lang.RuntimeException
  - javax.xml.rpc.soap.SOAPFaultException (a special subclass of RuntimeException)
  - a checked, user-defined exception (mapped from the WSDL's wsdl:fault construct)
- Client side:
  - java.rmi.RemoteException
  - javax.xml.rpc.soap.SOAPFaultException
  - a checked, user-defined exception
JAX-RPC RemoteException

- JAX-RPC requires that all remote methods in a service endpoint interface (SEI) throw the standard java.rmi.RemoteException:
  - it lets exceptions which arise from communications or runtime difficulties propagate back to the caller.
  - there is no portable means to send specific subclasses of RemoteException.
- The application itself could also throw a RemoteException.
  - Again, as there is no portable means of sending specific RemoteExceptions, the client cannot catch specific RemoteExceptions.
- For a given SOAP fault returned from the server, different client-side JAX-RPC runtimes may have different interpretations and generate different RemoteExceptions.
  - Interoperability problem
  - The application should avoid throwing RemoteExceptions.
SOAPFaultException

- Special RuntimeException: javax.xml.rpc.soap.SOAPFaultException.
- SOAPFaultException is more descriptive than a RuntimeException and dictates the exact SOAP fault message which flows to the client.
  - It means that whoever throws this fault, whether the runtime or the application, controls the SOAP fault response.
  - Therefore, how to map the SOAP fault to an appropriate exception really depends on the content of the SOAPFaultException; it may be mapped to SOAPFaultException, RemoteException or even a checked user exception.
- SOAPFaultException is often used by JAX-RPC handlers. A JAX-RPC application itself normally should avoid throwing the SOAPFaultException.
RuntimeException

- When a problem occurs in a server-side JAX-RPC runtime which results in a RuntimeException (for example, NullPointerException),
  - that exception will propagate back to the client,
  - but it will do so as a SOAP fault.
- The client runtime will map the SOAP fault to either
  - RemoteException or
  - SOAPFaultException.
- Therefore, a service endpoint should not throw a RuntimeException expecting the client to always catch that RuntimeException, because the client may receive a RemoteException instead.
WSDL Fault message

- This message is referenced by wsdl:fault
- Only a single message part is allowed
- It could refer to a simple type or a complex type.
  - If the part element has a type attribute, we can tell directly whether it is
    - simple (for example, xsd:int, xsd:string, etc.) or
    - complex.
  - If the part element has an element attribute, then you have to step to the element to see whether the type is simple or complex.
- This type of mapping is more complex – it should be handled during the analysis
Transfer of large files and portability

- The problems with large files
  - Multithreading can keep the GUI responsive
  - However, a progress bar would be difficult to code in a multithreaded environment
- Portability
  - It is known only after the deployment
  - No warnings are issued prior to deployment - e.g. IDL compile errors (there is no IDL)
  - The classes are often changed, and the changes may not be reflected in the WSDL
  - Then the service may perform different functions than the client expects
Security problems

- WS are said to be a hackers' paradise
- Characteristics of threats:
  - Actor
    - Source of attack
  - Input
    - XML documents
  - Output
  - Component attacked
XML/SOAP manipulation

- Coercive parsing
  - Refers to a number of XSD schemas; they often point to some repositories
  - XML messages can be made too difficult to parse: parsing consumes too much memory and time → DoS
  - Malicious mobile code can be inserted
- Blind XPath injection attack
  - XPath allows one to query an XML document, e.g.
    string(//user[name/text()='jjj' and password/text()='hhh']/account/text())
  - If (account == "") { "not found" } else { "all fine" }
  - Inject as the user name a value such as  ' or 1=1 or ''='  so that the predicate becomes true for every user
  - You get the first account number
- Jumbo payloads → DoS
  - Recursive elements in the XML document also
- Entity expansion attacks → DoS
  - Recursive entity declarations in the XML document header, and the rest of the document refers to them
- Long element names → DoS
- XML flood – many messages per second
- Entities referring to the file system
  - The reference is expanded during processing – an open door to access repositories
- Parameter tampering
  - Instructions on how to use parameters are in the WSDL
  - The attacker can try to use special characters to extract information
  - The attacker can embed a command line that creates a command shell and executes
XML/SOAP manipulation cont.

- Schema poisoning
  - The XSD schema provides the information on how to process the XML documents
  - The schema can be compromised or even replaced in its location
  - The location can be read from the SOAP message
- WSDL scanning
  - It allows the attacker to guess other "unexposed" methods
  - Exposed method: getQuote()
  - Hidden method: tradeStock()
- Dictionary attacks
  - Guessing a password, user name
- Replay attack
  - Repetitive SOAP message requests are used to overload the service
  - From the TCP/IP header you can read IP addresses
  - They are not detected since they come from a valid IP and are well formed
- SQL injections
  - SQL contains native separators or pipes: ';' is one; with it you can attach commands that execute native stored procedures or other SQL commands
- Message snooping
- Use of the SOAP routing header to access internal Web services
  - See next page
SOAP routing header

- Routing is a process of delivering messages through a series of nodes or intermediaries.
- Each intermediary not only provides a message delivery channel, but may also provide value-added services such as logging, auditing and validations.
- Routing is an essential part of distributed computing, and will play an important role in multi-party message exchanges.
- WS-Routing is a protocol that defines how SOAP messages can be delivered using various transports.
- Routing information is carried from one intermediary to another inside the SOAP Header element. WS-Routing, thus, can be understood as an extension to SOAP.
SOAP Header example

  <SOAP-ENV:Header>
    <mm:path xmlns:mm="http://schemas.xmlsoap.org/rp/"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
        SOAP-ENV:mustUnderstand="1">
      <mm:action></mm:action>
      <mm:to>http://services.xmethods.net:80/soap/servlet/rpcrouter</mm:to>
      <mm:id>3cf74010-e395-11d5-a2d9-00a0246e4ce3</mm:id>
      <mm:fwd>
        <mm:via>http://www.whitemesa.net/interop/std/multihop</mm:via>
        <mm:via>http://www.4s4c.com/services/log.ashx</mm:via>
        <mm:via>http://soapclient.com/SoapRouter</mm:via>
      </mm:fwd>
      <mm:rev><mm:via/></mm:rev>
    </mm:path>
  </SOAP-ENV:Header>
What can we do about security of WS?

- Caller authentication
  - XML Signature – recommendation from W3C
  - XML Encryption
- Applying new standards
  - SAML – Security Assertion Markup Language
- Best practices in coding and low-level security:
  - SSL and VPN
  - Implement XML filtering
    - Rules for message size, content, variables
  - Mask internal resources
    - Network Address Translation (NAT)
    - Use an XML proxy to rewrite URLs
  - Check the frequency of connections per consumer
  - Validate all messages
    - Well-formed, and use a validating parser
  - Sign all messages
  - Timestamp all messages
  - Use encryption for message fields
- XML attacks:
  - Watch for integrated XLink and other pointers to URLs in the application
- Session theft
  - A session ID is generated; listening to an unencrypted conversation could hijack a session
- DoS attacks
  - Authenticate long requests
  - Use a watchdog thread to track long execution times
- Disguise the type of service (e.g. Axis)
- Do not show the WSDL file –
  -使用 e-mail to send it to the consumer
- With servlets
  - Use filters to filter long files,
  - validate IP,
  - Check caller credentials
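The filtering rules on the last slide (message size, content, a validating parser, rejecting unknown mandatory headers per the MustUnderstand fault code of slide 21) are the direct answer to the jumbo payload, entity expansion, long element name and file-system entity attacks of slide 29, and to the routing-header abuse of slides 30 to 32. The following is an added example in Python (not lecture code) of such a filter, run before any XML-to-object mapping. The numeric limits are assumptions to tune per service, the allow-list of routing hosts is simply the set of hosts that appear in the lecture's header example and is assumed to be trusted, and the sample message is constructed from that header and the slide-9 request.

```python
"""Inbound SOAP filter applied before any XML-to-object mapping: size, depth,
name-length and element-count limits, DTD rejection, mustUnderstand checking
and a WS-Routing hop allow-list."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WS_ROUTING = "http://schemas.xmlsoap.org/rp/"

# Filtering rules. The limits are assumptions to tune per service; the hosts
# are those in the lecture's routing header example (assumed to be trusted).
MAX_BYTES, MAX_DEPTH, MAX_NAME_LEN, MAX_ELEMENTS = 64 * 1024, 32, 64, 10_000
UNDERSTOOD_HEADERS = {WS_ROUTING}
ALLOWED_ROUTE_HOSTS = {"services.xmethods.net", "www.whitemesa.net",
                       "www.4s4c.com", "soapclient.com"}


class RejectedMessage(ValueError):
    """The message broke a filtering rule and must not reach the service."""


def prefilter(xml_bytes):
    """Pass 1: a bare expat parser with no object mapping. Rejects jumbo
    payloads, any DOCTYPE (so no entity expansion or file-system entities),
    deep nesting, long names and element floods. Returns the element count."""
    if len(xml_bytes) > MAX_BYTES:
        raise RejectedMessage(f"message too large: {len(xml_bytes)} bytes")
    state = {"depth": 0, "count": 0}

    def on_doctype(*_):
        raise RejectedMessage("DOCTYPE/entity declarations are not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["count"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RejectedMessage(f"nesting deeper than {MAX_DEPTH}")
        if state["count"] > MAX_ELEMENTS:
            raise RejectedMessage(f"more than {MAX_ELEMENTS} elements")
        if max(len(name), *map(len, attrs), 0) > MAX_NAME_LEN:
            raise RejectedMessage("element or attribute name too long")

    def on_end(_name):
        state["depth"] -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_bytes, True)      # exceptions from handlers propagate
    except expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from None
    return state["count"]


def check_headers(xml_bytes):
    """Pass 2 on the parsed tree: fault on mustUnderstand="1" header blocks we
    do not implement, and refuse WS-Routing <to>/<via> hops outside the
    allow-list (the 'routing header to internal services' attack).
    Returns the accepted hop hosts in document order."""
    header = ET.fromstring(xml_bytes).find(f"{{{SOAP_ENV}}}Header")
    hops = []
    for block in ([] if header is None else header):
        ns = block.tag[1:].split("}")[0] if block.tag.startswith("{") else ""
        if block.get(f"{{{SOAP_ENV}}}mustUnderstand") == "1" and ns not in UNDERSTOOD_HEADERS:
            raise RejectedMessage(f"MustUnderstand: unsupported header {block.tag}")
        if block.tag != f"{{{WS_ROUTING}}}path":
            continue
        for hop in block.iter():
            if hop.tag in (f"{{{WS_ROUTING}}}to", f"{{{WS_ROUTING}}}via") and hop.text:
                host = urlsplit(hop.text.strip()).hostname
                if host not in ALLOWED_ROUTE_HOSTS:
                    raise RejectedMessage(f"routing hop to disallowed host {host!r}")
                hops.append(host)
    return hops


def accept(xml_bytes):
    """Both passes; returns (element_count, hops) or raises RejectedMessage."""
    return prefilter(xml_bytes), check_headers(xml_bytes)


def is_rejected(xml_bytes):
    try:
        accept(xml_bytes)
        return False
    except RejectedMessage:
        return True


# Constructed sample: the lecture's WS-Routing header around the slide-9 request.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
  <mm:path xmlns:mm="http://schemas.xmlsoap.org/rp/"
      SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
      SOAP-ENV:mustUnderstand="1">
   <mm:action></mm:action>
   <mm:to>http://services.xmethods.net:80/soap/servlet/rpcrouter</mm:to>
   <mm:id>3cf74010-e395-11d5-a2d9-00a0246e4ce3</mm:id>
   <mm:fwd>
    <mm:via>http://www.whitemesa.net/interop/std/multihop</mm:via>
    <mm:via>http://www.4s4c.com/services/log.ashx</mm:via>
    <mm:via>http://soapclient.com/SoapRouter</mm:via>
   </mm:fwd>
   <mm:rev><mm:via/></mm:rev>
  </mm:path>
 </SOAP-ENV:Header>
 <SOAP-ENV:Body>
  <ns1:getEmployeeDetails xmlns:ns1="urn:MySoapServices">
   <param1>1016577</param1>
  </ns1:getEmployeeDetails>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
```

The first pass deliberately uses the raw expat callbacks rather than a tree builder, so a billion-laughs or deeply nested document is rejected at the first DOCTYPE or at depth 33, before anything has been allocated for it; the routing check runs only on messages that survived that pass. `accept(GOOD)` returns the element count and the four accepted hop hosts, while the same message with a `<mm:via>` pointing at an internal host is refused.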