In safety-critical, high data quality domains such as aviation, secure web services exchanging digitally signed and reliably delivered messages are essential to maintaining the provenance and quality of data, and they help aeronautical web service customers remain compliant with ICAO legislation. Here at Snowflake we have been quietly creating and deploying secured and encrypted Location Based Services for years, but haven't really let the internet hear about it... yet.

So here goes...

For the last few years, before I joined the team here, Snowflake has been working with SOAP web service implementations exchanging GML through a managed BPEL workflow with the Ordnance Survey and other National Mapping Agencies for their geospatial production systems. More recently, in the aviation domain, the Snowflake Labs team has been looking into the performance of SOAP based Web Feature Service (WFS) implementations where Aeronautical Information, encoded as AIXM, could be compressed, encrypted and digitally signed.

A key element of developing support for some of the advanced WS-Security standards was not to implement them ourselves, but to integrate with the Java Spring Framework: the Snowflake deployable WFS product implements the "hooks" (API access points) needed to integrate with Spring, so that security can be configured at the hosting Java application server (JBOSS, MULE etc.) wherever that application server supports the Spring Framework.

The Spring security framework documentation is here:

http://static.springsource.org/spring-security/site/reference.html

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html

The Snowflake WFS configuration tools support transport level security and payload security (digital signatures and encryption), while the actual handling of tokens and authentication is integrated with the hosting application server via Spring (e.g. JBOSS).
In this way the team has implemented and integrated support for WS-Security and WS-ReliableMessaging. In terms of authorisation and authentication, the team has secured the Snowflake WFS using a variety of mechanisms, including a short trial with the GeoXACML Policy engine/decision point extension to XACML, as well as using Kerberos (authentication) and LDAP (authorisation).

For those who can parse complex XML with their eyes – an example SOAP response containing some GML with signature and encryption is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!--Created by null 1.45 Build 23659 from 2011-06-15 11:37-->
<!--Snowflake Software Ltd. (http://www.snowflakesoftware.com)-->
<!--Data Copyright: none

The data is provided on an "as seen / as is" basis, and is intended for demonstration purposes only.  Snowflake Software provides no express or limited warranty of any kind, including but not limited to those of merchantability, fitness for a particular purpose and accepts no liability whatsoever for or in connection with the use of the data.-->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:aixm="http://www.aixm.aero/schema/5.1" xmlns:gco="http://www.isotc211.org/2005/gco" xmlns:gmd="http://www.isotc211.org/2005/gmd" xmlns:gml="http://www.opengis.net/gml/3.2" xmlns:gsr="http://www.isotc211.org/2005/gsr" xmlns:gss="http://www.isotc211.org/2005/gss" xmlns:gts="http://www.isotc211.org/2005/gts" xmlns:message="http://www.aixm.aero/schema/5.1/message" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<soap:Header>
		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
			<wsse:UsernameToken xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsu:Id="UsernameToken-4205">
				<wsse:Username>myuser</wsse:Username>
				<wsse11:Salt>9wU7caMN4318EtyQkCV4Ag==</wsse11:Salt>
				<wsse11:Iteration>1000</wsse11:Iteration>
			</wsse:UsernameToken>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-4206">
				<wsse:SecurityTokenReference>
					<wsse:Reference URI="#UsernameToken-4205" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>16</wsc:Length>
				<wsc:Nonce>kx4ODkx0x9ZQxdNU1S6gTg==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
				<xenc:DataReference URI="#ED-4207"/>
			</xenc:ReferenceList>
			<wsse:UsernameToken xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsu:Id="UsernameToken-4201">
				<wsse:Username>myuser</wsse:Username>
				<wsse11:Salt>9wU7caMN4318EtyQkCV4Ag==</wsse11:Salt>
				<wsse11:Iteration>1000</wsse11:Iteration>
			</wsse:UsernameToken>
			<wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-4202">
				<wsse:SecurityTokenReference>
					<wsse:Reference URI="#UsernameToken-4201" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
				</wsse:SecurityTokenReference>
				<wsc:Offset>0</wsc:Offset>
				<wsc:Length>20</wsc:Length>
				<wsc:Nonce>QtSWpqvX0s/aOlnw+sbfDQ==</wsc:Nonce>
			</wsc:DerivedKeyToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-4204">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="aixm gco gmd gml gsr gss gts message soap xlink xs xsi"/>
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
					<ds:Reference URI="#id-4203">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="aixm gco gmd gml gsr gss gts message xlink xs xsi"/>
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>VrEgjLEaRXFEUoY4orxhAIjWeiA=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>P8qt5LDTNSREuv7hPrRwEYWyH8s=</ds:SignatureValue>
				<ds:KeyInfo Id="KI-6710B5B59685A9940C13086675488011201">
					<wsse:SecurityTokenReference wsu:Id="STR-6710B5B59685A9940C13086675488011202">
						<wsse:Reference URI="#DK-4202"/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soap:Header>
	<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-4203">
		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4207" Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<wsse:Reference URI="#DK-4206"/>
				</wsse:SecurityTokenReference>
			</ds:KeyInfo>
			<xenc:CipherData>
				<xenc:CipherValue>SvZUmkBpIK9HxIedgSlncRetewj/7QAgUi[REDACTED]S5M5pnsYmNss1QGobSLSp/A==</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</soap:Body>
</soap:Envelope>
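As an added illustration (not Snowflake's code and not part of the original post), the following Python walks the key chain the wsse:Security header above relies on: the UsernameToken Profile 1.1 password-derived key from the Salt and Iteration values, the two wsc:DerivedKeyToken keys expanded with P_SHA-1 from their Nonce, Offset and Length, and the HMAC-SHA1 check that a verifier performs on ds:SignatureValue. The password and the canonicalised ds:SignedInfo bytes are not on the page, so the code uses a constructed password and constructed bytes and therefore cannot reproduce the real SignatureValue; the label string is the WS-SecureConversation default and is an assumption about this particular stack.

```python
import base64
import hashlib
import hmac

# Values copied from the wsse:Security header above; the password is not on the
# page, so the demo uses a constructed one and cannot reproduce the real values.
SALT_B64 = "9wU7caMN4318EtyQkCV4Ag=="
ITERATIONS = 1000
NONCE_SIGN_B64 = "QtSWpqvX0s/aOlnw+sbfDQ=="  # DK-4202: Offset 0, Length 20 (HMAC-SHA1 key)
NONCE_ENC_B64 = "kx4ODkx0x9ZQxdNU1S6gTg=="   # DK-4206: Offset 0, Length 16 (AES-128 key)
# WS-SecureConversation default label. Assumption: some stacks (e.g. WSS4J)
# concatenate client and service labels, so match what your toolkit actually uses.
LABEL = b"WS-SecureConversation"

def username_token_key(password: str, salt: bytes, iterations: int) -> bytes:
    """UsernameToken Profile 1.1: K1 = SHA1(password || salt), Ki = SHA1(Ki-1)."""
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        k = hashlib.sha1(k).digest()
    return k  # 160-bit shared secret from which every later key is derived

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA-1 expansion, the default DerivedKeyToken algorithm."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]

def derived_key(secret: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """wsc:DerivedKeyToken: Length bytes at Offset of P_SHA1(secret, label || nonce)."""
    return p_sha1(secret, LABEL + nonce, offset + length)[offset:offset + length]

def sign_hmac_sha1(key: bytes, canonical_signed_info: bytes) -> str:
    """ds:SignatureValue for #hmac-sha1 over the canonicalised ds:SignedInfo bytes."""
    return base64.b64encode(hmac.new(key, canonical_signed_info, hashlib.sha1).digest()).decode()

def verify_hmac_sha1(key: bytes, canonical_signed_info: bytes, signature_value_b64: str) -> bool:
    """Constant-time comparison so a forged SignatureValue leaks no timing signal."""
    expected = hmac.new(key, canonical_signed_info, hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature_value_b64))

def derive_message_keys(password: str = "constructed-demo-password") -> dict:
    """Walk the chain the example relies on: password -> secret -> signing and encryption keys."""
    secret = username_token_key(password, base64.b64decode(SALT_B64), ITERATIONS)
    return {
        "secret": secret,
        "sig_key": derived_key(secret, base64.b64decode(NONCE_SIGN_B64), 0, 20),
        "enc_key": derived_key(secret, base64.b64decode(NONCE_ENC_B64), 0, 16),
    }
```

The point worth taking from the chain is that both the signing key and the AES-128 key in this message are derived from the UsernameToken password, so their strength is bounded by that password and by how the server protects it; a certificate-based binding (e.g. X.509 tokens) is the alternative when that is not acceptable.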

ABOUT THE AUTHOR

Chartered Engineer with the IET and Principal Consultant with Snowflake Software Ltd, Alexis James Brooker is based in the UK, with extensive experience of technical project delivery, business development and consulting in the software and open standard web services domain. Alex’s current business development role spans the Defence and Maritime sectors of Snowflake’s business.

You can follow Alex on Twitter @alexisbrooker or search for him on LinkedIn and G+.

Published August 16th, 2012 | Air Traffic Management, News, Snowflake Labs, Web Services