Chapter 11 Securing Web services

warmersafternoon, Networks and Communications, 23 Oct 2013

Web Services: Principles & Technology

Slide 11.1

Michael P. Papazoglou, Web Services, 1st Edition, © Pearson Education Limited 2008


Chapter 11

Securing Web services

Mike P. Papazoglou

mikep@uvt.nl



Topics

- Web services security considerations
- Network-level security mechanisms
- Application-level security mechanisms
- Security topologies
- XML security standards
- Web services security



Security threats for Web services

Web services are designed to go through network firewalls and provide only rudimentary content inspection. Common threats are:

1. Unauthorized access
2. Unauthorized alteration of messages
3. Man in the middle
4. Denial-of-service attacks.

Network-level security is required to provide protection of the data items communicated from a network to an end-system.

Application-level security is required to protect against XML and Web services-related security threats.



Network-level security

- Network-level security incorporates embedded encryption functionality within network devices or operating systems utilizing Internet Protocol Security (IPSec).
- Network-level solutions are usually designed to terminate the unsecure connections at the corporate firewall.
- Network-level security solutions rely on two main technologies to protect their networks:
  - firewalls, and
  - vulnerability assessment.



Firewalls

A firewall is a network security infrastructure placed between networks to logically separate and protect the privacy and integrity of communications across these networks, and to safeguard against malicious use.

Functions typically provided by a firewall include:

1. Limiting the set of applications for which traffic can enter the internal network from the Internet.
2. Authenticating the sources of incoming traffic.
3. Limiting the ability of internal enterprise networks and systems to establish connections to the external Internet.
4. Acting as a security gateway, encryption and integrity checking mechanism for all traffic over the Internet backbone to or from some other security gateway.



Firewall architectures

There are three general classes of firewall architectures:

- IP packet filtering firewalls, which employ a filtering process by examining individual IP packets.
- Circuit-level gateways, which perform basic packet filter operations and then add verification of proper handshaking and verification of the legitimacy of the sequence numbers used in establishing the connection.
- Application-level gateways, which check each packet that passes through the gateway, verifying the contents of the packet up through the application layer (layer 7) of the OSI model.



IP packet filtering firewall



Circuit-level gateway

[Figure: a circuit-level gateway. A proxy server with an IP proxy agent and connection state sits between an Internet client and the server; incoming traffic and allowed outgoing traffic are shown against the OSI reference model: 1. Physical, 2. Data Link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application.]



Application-level proxy server



Intrusion detection and vulnerability assessment

- One possible technology for network protection is Intrusion Detection Systems (IDSs). An IDS is a defense system which detects and responds to hostile activities targeted at computing and networking resources.
- IDS solutions raise alerts that an attack may be taking place. However, this is inadequate for business-to-business applications.
- Vulnerability assessment identifies and prioritizes vulnerabilities, enabling enterprises to non-intrusively test their networks from the "hacker's perspective."
- It identifies potential vulnerabilities before they can be exploited, and the intrusion detection system notifies the company when an anomalous activity has occurred.



Mechanisms for securing network communications

- Cryptography enables the user to encrypt and decrypt messages, allowing only authorized persons to read them. Both processes require a key to transform the original text (called plain text) into a coded message (called cipher text) and back.
  - Deals with authentication, confidentiality, message integrity and non-repudiation.
- Encryption is a process where the plain text is placed into a codified algorithm with an encryption key to transform the plain text into cipher text.
- Decryption is the reverse of encryption, with the cipher text as input and the plain text as output.
- Cryptographic techniques include symmetric encryption, asymmetric encryption, digital certificates and signatures.



Symmetric-key encryption

Symmetric-key encryption uses a single key that both the sender and recipient possess. The term "symmetric" refers to the fact that the same key is used for both encryption and decryption.



Asymmetric encryption

With asymmetric encryption, both the sender and receiver need two keys, one public and the other private. When one of these keys (the public key) is used to perform encryption, only the other key (the private key) is able to decrypt the data.



Digital certificates and signatures

- A digital certificate is a document that uniquely identifies the party that owns the certificate, the time period for which the certificate is valid, the organization that issued the certificate, and a digital signature that verifies the issuing organization's identity.
  - A digital certificate is issued by a certification authority and binds an entity's identification to its public key.
- Digital signatures solve the problem of authenticating a public key.
  - Digital signatures guarantee that the enterprise/person represented in the digital certificate has sent the message.
  - A digital signature is a block of data created by applying a cryptographic signing algorithm to some data using the signer's private key.



Asymmetric key cryptography using digital signing and public-key encryption



Creation of a digital signature

Verification of a digital signature

Creation and verification of a digital signature



Application-level security mechanisms

Application-level security refers to security safeguards that are built into a particular application and that operate independently of any network-level security measures. It includes:

1. Authentication mechanisms for clients and service providers to prove to one another that they are acting on behalf of specific users or systems.
   - Protection domains are logical boundaries around a set of entities that are assumed or known to trust each other, where these entities can communicate with each other without requiring authentication.




Application-level security mechanisms (continued)

   - Web resource protection and single sign-on among applications within a security policy domain boundary.

2. Authorization mechanisms, which allow only authentic caller identities to access resources.
   - Typical authorization policies permit access to different resources for distinct collections of authenticated clients on the basis of roles, groups, or privileges.

3. Integrity and confidentiality
   - Message integrity ensures that information being transmitted has not been altered. This is often accomplished through hashing algorithms and digitally signed digest codes.
   - Confidentiality ensures that messages and data are available only to those who are authorized to view them.
   - It can be achieved by making sure the connection between the parties cannot be intercepted, for example by using encryption when the data is being sent across untrusted networks.



Application-level security mechanisms (continued)

4. Non-repudiation: a property achieved through cryptographic methods to prevent an individual or entity from denying having performed a particular action related to data.

5. Auditing: the practice of recording events, such as failed login attempts and denied requests to use a resource, that may indicate attempts to violate enterprise security.
   - The value of auditing is knowing who has interacted with a system, to allow the determination of accountability for a breach of security.



Application-level security mechanisms (continued)

6. Application-level security protocols: commonly used protocols that address authentication, integrity, and confidentiality concerns within open networks are:
   - Secure sockets layer (SSL)
   - Internet protocol security (IPsec)
   - Kerberos.

[Figures: Transport security & SSL; Kerberos ticket distribution (Insert figure 11.9)]



Application-level security mechanisms (continued)

7. Security infrastructures:
   - Public-key infrastructure
   - Directory services

[Figure: Public key infrastructure]



Security topologies



Vertically scaled security architecture



XML Security Standards

XML Trust Services is a suite of open XML specifications for application developers to make it easier to integrate a broad range of XML security services into integrated applications over the Web. The main technologies for XML Trust Services encompass:

- XML Signature for cryptographically authenticating data;
- XML Encryption for encrypting data;
- XML Key Management Specification (XKMS) for managing key registration and key authentication;
- Security Assertions Markup Language (SAML) for specifying entitlement and identity; and
- XML Access Control Markup Language (XACML) for specifying fine-grained data access rights.



XML Signature

- Defines a schema for capturing the result of a digital signature operation applied to arbitrary digital content.
- The objective of XML Signature is to ensure data integrity, message authentication, and non-repudiation of services.

    <?xml version="1.0" encoding="UTF-8"?>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo Id="2ndDecemberNewsItem">
        <CanonicalizationMethod
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="http://www.news_company.com/news/2004/12_02_04.htm">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
        </Reference>
        <Reference URI="#AMadeUpTimeStamp"
            Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>k3453rvEPO0vKtMup4NbeVu8nk=</DigestValue>
        </Reference>
        ... ...
      </SignedInfo>
      <SignatureValue>MC0E~LE=…</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509SubjectName>CN=News Items Inc., O=Today's News Items, C=USA</X509SubjectName>
          <X509Certificate>MIID5jCCA0+gA...lVN</X509Certificate>
        </X509Data>
      </KeyInfo>
      <Object>
        <SignatureProperties>
          <SignatureProperty Id="AMadeUpTimeStamp" Target="#2ndDecemberNewsItem">
            <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt">
              <date>2004122</date>
              <time>18:30</time>
            </timestamp>
          </SignatureProperty>
        </SignatureProperties>
      </Object>
    </Signature>
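As an added example (not code from the book), the reference-digest step of XML Signature core validation run over a constructed Signature in the shape of the one above: each Reference's content is hashed and compared with its DigestValue. Fetching the external news URI is stood in for by an in-memory map, canonicalization is assumed to be the identity on the sample bytes, and the SignatureValue check (which needs the signer's DSA/RSA public key) is out of scope.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = DSIG + "sha1"
NEWS_URI = "http://www.news_company.com/news/2004/12_02_04.htm"
NEWS_BODY = b"<html><body>2 December news item</body></html>"  # constructed


def digest_b64(data: bytes) -> str:
    """DigestValue as XML-DSig encodes it: base64 of the raw SHA-1 hash."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def resolve(uri: str, signature: ET.Element, resources: dict) -> bytes:
    """'#id' references point inside the Signature itself; anything else
    comes from the resource map, which stands in for fetching the URI."""
    if uri.startswith("#"):
        for el in signature.iter():
            if el.get("Id") == uri[1:]:
                return ET.tostring(el)  # assumption: already canonical
        raise KeyError(f"no element with Id={uri[1:]!r}")
    return resources[uri]


def check_references(sig_xml: str, resources: dict) -> dict:
    """Map each <Reference URI> to True/False: does the referenced content
    still hash to the <DigestValue> that was signed?"""
    sig = ET.fromstring(sig_xml)
    results = {}
    for ref in sig.iter(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI")
        method = ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm")
        if method != SHA1:
            raise ValueError(f"unsupported DigestMethod {method}")
        expected = ref.find(f"{{{DSIG}}}DigestValue").text.strip()
        results[uri] = digest_b64(resolve(uri, sig, resources)) == expected
    return results


def build_sample() -> tuple:
    """Constructed Signature shaped like the slide's, with DigestValues
    computed from the sample content so the check can run offline."""
    resources = {NEWS_URI: NEWS_BODY}
    template = f"""<Signature xmlns="{DSIG}">
  <SignedInfo Id="2ndDecemberNewsItem">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="{DSIG}dsa-sha1"/>
    <Reference URI="{NEWS_URI}">
      <DigestMethod Algorithm="{SHA1}"/><DigestValue>?</DigestValue>
    </Reference>
    <Reference URI="#AMadeUpTimeStamp" Type="{DSIG}SignatureProperties">
      <DigestMethod Algorithm="{SHA1}"/><DigestValue>?</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>not-computed-in-this-example</SignatureValue>
  <Object><SignatureProperties>
    <SignatureProperty Id="AMadeUpTimeStamp" Target="#2ndDecemberNewsItem">
      <date>20041202</date><time>18:30</time>
    </SignatureProperty>
  </SignatureProperties></Object>
</Signature>"""
    sig = ET.fromstring(template)
    for ref in sig.iter(f"{{{DSIG}}}Reference"):
        content = resolve(ref.get("URI"), sig, resources)
        ref.find(f"{{{DSIG}}}DigestValue").text = digest_b64(content)
    return ET.tostring(sig, encoding="unicode"), resources
```

Editing the news item after signing flips its entry to False while the same-document timestamp reference still checks out, which is exactly the per-reference granularity the DigestValue gives a verifier.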



XML Encryption

XML Encryption supports encryption of all or part of an XML document. The steps for XML Encryption include:

1. Selecting the XML document to be encrypted (in whole or in parts).
2. Converting the XML to be encrypted to a canonical form, if necessary.
3. Encrypting the resulting canonical form using public-key encryption.
4. Sending the encrypted XML to the intended recipient.

Before encryption:

    <?xml version='1.0'?>
    <PaymentInfo xmlns='http://example.org/paymentv2'>
      <Name>John Smith</Name>
      <CreditCard Limit='5,000' Currency='USD'>
        <Number>4019 2445 0277 5567</Number>
        <Issuer>Example Bank</Issuer>
        <Expiration>04/06</Expiration>
      </CreditCard>
    </PaymentInfo>

After encrypting the content of the CreditCard element:

    <?xml version='1.0'?>
    <env:Envelope xmlns:env='http://www.w3.org/2003/05/soap-envelope'>
      <env:Body>
        <PaymentInfo xmlns='http://example.org/paymentv2'>
          <Name>John Smith</Name>
          <CreditCard Limit='5,000' Currency='USD'>
            <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                Type='http://www.w3.org/2001/04/xmlenc#Content'>
              <CipherData>
                <CipherValue>A23B45C56</CipherValue>
              </CipherData>
            </EncryptedData>
          </CreditCard>
        </PaymentInfo>
      </env:Body>
    </env:Envelope>



XML Key Management Specification

XKMS is an initiative used to simplify the integration of PKI and management of digital certificates with XML applications. Its objective is to enable the development of XML-based trust (Web) services for the processing and the management of PKI-based cryptographic keys.



Building blocks of the XML Trust framework

[Figure with building blocks: XML Encryption, XML Signature, public-key cryptography, XML canonicalization]



Security Assertions Markup Language

- SAML is a vendor-neutral, XML-based standard framework for describing and exchanging security-related information, called assertions (declarations of facts about subjects), designed to facilitate the exchange of security information between different application components and trust domains.
- SAML is designed around the concept of single sign-on for Web applications, enabling an identity to be submitted a single time and transported from one enterprise to the next.



SAML building blocks



SAML & XACML model

SAML authentication assertion:

    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        MajorVersion="1" MinorVersion="0"
        AssertionID="XraafaacDz6iXrUa"
        Issuer="www.some-trusted-party.com"
        IssueInstant="2004-07-19T17:02:00Z">
      <saml:Conditions
          NotBefore="2004-07-19T17:02:00Z"
          NotOnOrAfter="2004-07-19T17:10:00Z"/>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:ietf:rfc:3075"
          AuthenticationInstant="2004-07-19T17:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier
              NameQualifier="http://www.some-trusted-party.com"
              Format="...">
            uid="OrderProcService"
          </saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
            </saml:ConfirmationMethod>
            <ds:KeyInfo>
              <ds:KeyName>OrderProcServiceKey</ds:KeyName>
              <ds:KeyValue> ... </ds:KeyValue>
            </ds:KeyInfo>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
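As an added example (not code from the book), the checks a relying party applies to an assertion shaped like the one above before trusting it: issuer against a trust list, the Conditions window, the holder-of-key confirmation method, and that the presenter proved possession of the named key. The assertion text, the trust list and the presented key name are constructed; the assertion's XML Signature is assumed to have been verified already, and the Format attribute is omitted.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
TRUSTED_ISSUERS = {"www.some-trusted-party.com"}  # constructed trust list

# Constructed assertion mirroring the slide's (Format attribute omitted).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}"
    MajorVersion="1" MinorVersion="0" AssertionID="XraafaacDz6iXrUa"
    Issuer="www.some-trusted-party.com" IssueInstant="2004-07-19T17:02:00Z">
  <saml:Conditions NotBefore="2004-07-19T17:02:00Z"
                   NotOnOrAfter="2004-07-19T17:10:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:3075"
                                AuthenticationInstant="2004-07-19T17:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="http://www.some-trusted-party.com">
        OrderProcService
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
        <ds:KeyInfo><ds:KeyName>OrderProcServiceKey</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(s: str) -> datetime:
    """SAML instants are UTC xsd:dateTime values with a trailing 'Z'."""
    return datetime.strptime(s.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, presented_key: str) -> dict:
    """Raise ValueError on the first failed check; else return the subject."""
    a = ET.fromstring(xml_text)
    if a.get("Issuer") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    # NotBefore is inclusive, NotOnOrAfter exclusive (SAML core semantics).
    if now < parse_instant(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    stmt = a.find(f"{{{SAML}}}AuthenticationStatement")
    subj = stmt.find(f"{{{SAML}}}Subject")
    conf = subj.find(f"{{{SAML}}}SubjectConfirmation")
    method = conf.findtext(f"{{{SAML}}}ConfirmationMethod", "").strip()
    if method != HOLDER_OF_KEY:
        raise ValueError(f"unexpected confirmation method {method!r}")
    # Holder-of-key: whoever presents the assertion must have proved
    # possession of the key named here; the caller passes the key it proved.
    key_name = conf.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName", "").strip()
    if key_name != presented_key:
        raise ValueError("presenter does not hold the subject's key")
    name = subj.find(f"{{{SAML}}}NameIdentifier")
    return {"name": name.text.strip(), "qualifier": name.get("NameQualifier"),
            "authn_method": stmt.get("AuthenticationMethod")}


def verdict(xml_text: str, now_iso: str, presented_key: str) -> str:
    """'ok' or the rejection reason; convenient for tests and audit logs."""
    try:
        validate_assertion(xml_text, parse_instant(now_iso), presented_key)
        return "ok"
    except ValueError as exc:
        return str(exc)
```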



XML Access Control Markup Language

XACML is an extension of SAML (how identity and access information is exchanged) that allows access control policies to be specified.

XACML has two basic components:

1. An access-control policy language that lets developers specify the rules about who can do what and when.
2. A request/response language that presents requests for access and describes the answers to those queries.



Sample XACML policy:

    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="identifier:example:SimplePolicy1"
        RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
      <Description>
        Plastics Supply Inc. access control policy
      </Description>
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <Rule
          RuleId="identifier:example:SimpleRule1"
          Effect="Permit">
        <Target>
          <Subjects><Subject>
            <SubjectMatch
                MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                plastics_supply.com
              </AttributeValue>
              <SubjectAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
            </SubjectMatch>
          </Subject></Subjects>
          <Resources><AnyResource/></Resources>
          <Actions><AnyAction/></Actions>
        </Target>
      </Rule>
    </Policy>
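As an added example (not code from the book), a minimal policy decision point that evaluates requests against the policy above: it implements the rfc822Name-match function used by the rule (full address, ".suffix" of the domain, or exact domain, with a case-insensitive domain part) and the deny-overrides rule-combining algorithm. Only the constructs the sample uses are modelled; Indeterminate results and other match functions are left out, and the requests are constructed.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0:policy"
RFC822_MATCH = "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DENY_OVERRIDES = "identifier:rule-combining-algorithm:deny-overrides"

# The slide's policy, with the XACML 1.0 namespace and closing tag added.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="identifier:example:SimplePolicy1"
    RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Description>Plastics Supply Inc. access control policy</Description>
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="identifier:example:SimpleRule1" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{RFC822_MATCH}">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">plastics_supply.com</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}"
              DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""


def tag(name: str) -> str:
    return f"{{{XACML}}}{name}"


def rfc822name_match(pattern: str, name: str) -> bool:
    """XACML rfc822Name-match: a full address, a '.suffix' of the domain, or
    an exact domain. The local part is case-sensitive, the domain is not."""
    local, _, domain = name.partition("@")
    domain = domain.lower()
    if "@" in pattern:
        plocal, _, pdomain = pattern.partition("@")
        return plocal == local and pdomain.lower() == domain
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    return domain == pattern.lower()


def subject_match(m: ET.Element, request: dict) -> bool:
    if m.get("MatchId") != RFC822_MATCH:
        raise NotImplementedError(f"match function {m.get('MatchId')}")
    pattern = m.find(tag("AttributeValue")).text.strip()
    attr_id = m.find(tag("SubjectAttributeDesignator")).get("AttributeId")
    value = request.get("subject", {}).get(attr_id)
    return value is not None and rfc822name_match(pattern, value)


def target_matches(target: ET.Element, request: dict) -> bool:
    """Only what the sample needs: Any* wildcards plus Subject/SubjectMatch."""
    subjects = target.find(tag("Subjects"))
    if subjects.find(tag("AnySubject")) is None:
        # A Subject matches when all its SubjectMatch elements do; one
        # matching Subject is enough.
        if not any(all(subject_match(m, request)
                       for m in s.findall(tag("SubjectMatch")))
                   for s in subjects.findall(tag("Subject"))):
            return False
    for section, wildcard in (("Resources", "AnyResource"), ("Actions", "AnyAction")):
        if target.find(tag(section)).find(tag(wildcard)) is None:
            raise NotImplementedError(f"{section} matching beyond {wildcard}")
    return True


def evaluate(policy_xml: str, request: dict) -> str:
    """Decision for the request: Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not target_matches(policy.find(tag("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(tag("Rule"))
               if target_matches(r.find(tag("Target")), request)]
    # deny-overrides: a single Deny beats any number of Permits.
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```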



Securing Web Services

- Web services rely on message security, which focuses on:
  - protecting message content from being disclosed to unauthorized individuals (confidentiality); and
  - preventing illegal modification of message content (integrity).
- To maximize their reach, Web services require end-to-end and not just point-to-point security.
- In the end-to-end security topology, the creator of the message may have written the payload, but intermediaries may inspect or rewrite the message afterwards.



Web Services Security Roadmap


The Web services security roadmap is used for developing
a set of Web service security standard specifications and
technologies. They describe a unifying approach for dealing
with protection for messages exchanged in a Web services
environment.



Web services security model



WS-Security

- WS-Security is a standard set of SOAP extensions that can be used when building secure Web services to provide the ability to send security tokens as part of a message and implement message content integrity and confidentiality.
- WS-Security can be used in conjunction with other Web service extensions and protocols to accommodate a wide variety of security models (including PKI, Kerberos, and SSL) and security technologies.
- WS-Security primarily describes how to secure SOAP messages with XML Signature and XML Encryption.
- It defines how security tokens are contained in SOAP messages, how XML security specifications are used to encrypt and sign these tokens, and how to sign and encrypt other parts of a SOAP message.



Scenario using XML trust services



Conceptual architecture employing a WS-Security solution



WS-Security structure



WS-Security header:

    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope
        xmlns:env="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <env:Header>
        <wsse:Security>
          <!-- Security Token -->
          <wsse:UsernameToken wsu:Id="...">
            <wsse:Username>...</wsse:Username>
          </wsse:UsernameToken>
          <!-- XML Signature -->
          <ds:Signature>
            ...
            <ds:Reference URI="#MsgBody"> 
            ...
          </ds:Signature>
          <!-- XML Encryption Reference List -->
          <xenc:ReferenceList>
            <xenc:DataReference URI="#bodyID"/>
          </xenc:ReferenceList>
        </wsse:Security>
      </env:Header>
      <env:Body>
        <!-- XML Encrypted Body -->
        <xenc:EncryptedData Id="bodyID" Type="content">
          <xenc:CipherData>
            <xenc:CipherValue>...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </env:Body>
    </env:Envelope>



Security tokens

[Figure: message flow involving security tokens]

Sample use of an X.509 security token:

    <wsse:Security
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken
          ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary">
        SSphfawHraPle ...
      </wsse:BinarySecurityToken>
    </wsse:Security>



Providing confidentiality in WS-Security

    <env:Envelope>
      <env:Header>
        <wsse:Security>
          <wsse:EncryptedKey>
            <EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <ds:X509IssuerSerial>
                  <ds:X509IssuerName>DC=ABC-Corp, DC=com</ds:X509IssuerName>
                  <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
                </ds:X509IssuerSerial>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <!-- XML Encryption Reference List -->
            <xenc:ReferenceList>
              <xenc:DataReference URI="#EncryptedBody"/>
            </xenc:ReferenceList>
          </wsse:EncryptedKey>
        </wsse:Security>
      </env:Header>
      <env:Body>
        <!-- XML Encrypted Body -->
        <xenc:EncryptedData Id="EncryptedBody" Type="content">
          <xenc:CipherData>
            <xenc:CipherValue>...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </env:Body>
    </env:Envelope>



Providing message integrity in WS-Security

    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope>
      <env:Header>
        <wsse:Security>
          <wsse:UsernameToken wsu:Id="OrderProcServiceUsernameToken">
            <wsse:Username>ATrustedOrderProcService</wsse:Username>
            <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
            <wsu:Created>2004-09-17T09:00:00Z</wsu:Created>
          </wsse:UsernameToken>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod
                  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#Request4Shipment">
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>aOb4Luuk...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>A9qqIrtE3xZ...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#OrderProcServiceUsernameToken"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </env:Header>
      <env:Body>
        <s:ShipOrder
            xmlns:s="http://www.plastics_supply.com/shipping_service/"
            wsu:Id="Request4Shipment">
          <!-- Parameters passed with call -->
          <OrderNumber>PSC0622-X</OrderNumber>
          … … …
        </s:ShipOrder>
      </env:Body>
    </env:Envelope>
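As an added example (not code from the book), the checks a receiving service can run on a request shaped like the one above before attempting any signature cryptography: freshness of wsu:Created, first use of the Nonce, binding of the signature's KeyInfo to the UsernameToken, uniqueness of wsu:Id values, and whether the signed Reference covers the element the service is about to act on. The request (with SignedInfo abbreviated and full WS-Security namespace URIs), the 5-minute window and the single-element Body rule are assumptions; digest and SignatureValue verification are assumed to follow.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
MAX_AGE = timedelta(minutes=5)  # freshness window; a deployment choice

# Constructed request in the shape of the slide's (SignedInfo abbreviated).
REQUEST = f"""<env:Envelope xmlns:env="{ENV}" xmlns:wsse="{WSSE}"
              xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <env:Header><wsse:Security>
    <wsse:UsernameToken wsu:Id="OrderProcServiceUsernameToken">
      <wsse:Username>ATrustedOrderProcService</wsse:Username>
      <wsse:Nonce>WS3Lhf6RpK</wsse:Nonce>
      <wsu:Created>2004-09-17T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#Request4Shipment"/></ds:SignedInfo>
      <ds:SignatureValue>A9qqIrtE3xZ</ds:SignatureValue>
      <ds:KeyInfo><wsse:SecurityTokenReference>
        <wsse:Reference URI="#OrderProcServiceUsernameToken"/>
      </wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></env:Header>
  <env:Body>
    <s:ShipOrder xmlns:s="http://www.plastics_supply.com/shipping_service/"
        wsu:Id="Request4Shipment"><OrderNumber>PSC0622-X</OrderNumber></s:ShipOrder>
  </env:Body>
</env:Envelope>"""


def q(ns: str, name: str) -> str:
    return f"{{{ns}}}{name}"


def utc(s: str) -> datetime:
    """wsu:Created is a UTC xsd:dateTime with a trailing 'Z'."""
    return datetime.strptime(s.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


class ReplayCache:
    """Nonces accepted inside the window; entries older than MAX_AGE could
    be evicted, since a repeat with that Created time is stale anyway."""
    def __init__(self):
        self.seen = {}

    def first_use(self, nonce: str, created: datetime) -> bool:
        if nonce in self.seen:
            return False
        self.seen[nonce] = created
        return True


def check_request(xml_text: str, now: datetime, cache: ReplayCache) -> str:
    """'ok' or the reason to reject before any signature cryptography."""
    env = ET.fromstring(xml_text)
    sec = env.find(f"{q(ENV, 'Header')}/{q(WSSE, 'Security')}")
    token = sec.find(q(WSSE, "UsernameToken"))
    created = utc(token.findtext(q(WSU, "Created")))
    if abs(now - created) > MAX_AGE:
        return "stale Created timestamp"
    if not cache.first_use(token.findtext(q(WSSE, "Nonce")).strip(), created):
        return "replayed nonce"
    sig = sec.find(q(DS, "Signature"))
    str_ref = sig.find(f"{q(DS, 'KeyInfo')}/{q(WSSE, 'SecurityTokenReference')}"
                       f"/{q(WSSE, 'Reference')}")
    if str_ref is None or str_ref.get("URI") != "#" + token.get(q(WSU, "Id")):
        return "signature is not bound to the UsernameToken"
    # A wsu:Id must identify exactly one element, or a Reference is ambiguous.
    ids = [e.get(q(WSU, "Id")) for e in env.iter() if e.get(q(WSU, "Id"))]
    if len(ids) != len(set(ids)):
        return "duplicate wsu:Id values in envelope"
    # The element the service will act on must be one the signature covers.
    payload = list(env.find(q(ENV, "Body")))
    if len(payload) != 1:  # this service expects a single request element
        return "Body must carry exactly one request element"
    signed = {r.get("URI") for r in sig.iter(q(DS, "Reference"))}
    if "#" + (payload[0].get(q(WSU, "Id")) or "") not in signed:
        return "request element in Body is not covered by the signature"
    return "ok"
```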



WS-SecurityPolicy

- WS-Policy defines a general approach to specifying policies of all kinds and to associating them with particular services.
- WS-Policy is a domain-specific language to represent policies for WS-Security.
- WS-SecurityPolicy extends the WS-Policy standard to allow organizations initiating a SOAP exchange to discover what type of security tokens are understood at the target, in the same way that WSDL describes a target Web service.

[Figure: security policy assertions in WS-SecurityPolicy]



Managing federated identities

- A federated identity is a collection of agreements for the creation, maintenance, and use of identities as well as credentials and entitlements, plus a supporting infrastructure and standards that make user identity and entitlements portable across autonomous security domains within a federation.
- Federated identity infrastructure enables cross-boundary single sign-on, dynamic user provisioning and identity attribute sharing.
- Federated single sign-on allows users to sign on only once with a member in a federation and subsequently use various services in the federation without signing on again.



Federation scenario