RY-Presentation - Center for Adaptive Optics


Dec 14, 2013


Slide 1: Web Service Security Through A Guard

Roxanne Yee
Home Institution: University of Hawaiʻi at Mānoa
Internship Site: Akimeka, LLC
Mentor: Marc Lefebvre
Advisor: Todd Lawson

Slide 2: Presentation Overview

- Project Hierarchy and Motivation
- Background and Terminology
  - Guard
  - Web Service Security
- My Specific Part
  - Test Bench
  - An Example
- Questions


Slide 3: Project Hierarchy

- Information Assurance (IA) Group
  - Cross Domain Solutions (CDS) Group
    - GWSG (Global Web Services Gateway) Project
      - Service Oriented Architecture (SOA) Test Lab
- Customers
  - National Security Agency (NSA)
  - Defense Information Systems Agency (DISA)


Slide 4: GWSG Project Motivation

Goal: To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network.

Diagram labels: Unclassified Database; Classified Network User.

Slide 5: GWSG Project Motivation

One Method Currently Used To Access Data

Diagram labels: Unclassified Database -> Sneaker-net -> Classified Database -> Classified Network User (Soldier).

Slide 6: GWSG Project Motivation

Disadvantages to Current Methods

- Redundancies of Data
- Time Costly
  - Replication
  - Transportation
- Need For Data Synchronization
  - Frequent Updates
- No Guarantee of Data Availability
- Extra Manpower by Man-In-The-Loop

Slide 7: GWSG Project Motivation

New Cross Domain Solution (CDS): Web Services Technology

Diagram labels: Unclassified Database -> Guard -> Classified Network User (Soldier).

Slide 8: SOA Test Lab Component

Goal

- Evaluate Guards Specified by NSA and DISA
- Compare capability and effectiveness to process message formats used by web services today
- Provide the best guard solution given a specific situation in which the guard would be applied

Slide 9: My Part In The SOA Test Lab

- Research and Document How To Implement Web Service Security
  - Controlled and Predictable Environment
  - Test Web Service
- Findings To Be Used In SOA Test Lab
  - Foundation
  - Template

Slide 10: WSS, SOAP, and HTTP

- WSS or WS-Security (Web Service Security)
  - OASIS (Organization for the Advancement of Structured Information Standards)
  - Applied to SOAP Messages
- SOAP (Simple Object Access Protocol)
  - Message Format
- HTTP (Hypertext Transfer Protocol)
  - Transport Protocol

Slide 11: The Project: Test Bench

- Client and Server on same computer
- Communicate through localhost interface

Diagram labels: Client (soapUI) <-> Server (Axis2)
* SOAP Request and SOAP Response

Slide 12: The Project: Open-Source Software

- Server Side
  - Tomcat 6.0.16
  - Axis2 1.4
  - Rampart 1.4
- Client Side
  - soapUI 2.0.2

Slide 13: The Project: Test Bench

- Client and Server on same computer
- Communicate through localhost interface

Diagram labels: Client (soapUI) <-> Server (Axis2)
* SOAP Request with WSS

Slide 14: soapUI Outgoing Configuration

Interface Used to Apply WSS to Request To Server

Slide 15: A SOAP Message Request w/o WSS

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
        xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
      <soap:Header/>
      <soap:Body>
        <sam:echo>
          <!-- Optional: -->
          <sam:param0>Hello?</sam:param0>
        </sam:echo>
      </soap:Body>
    </soap:Envelope>

Usual Request soapUI Sends w/o WSS

Slide 16: A SOAP Message Request Header with WSS

    <soap:Header>
      <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://…secext-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-22786527" xmlns:wsu="http://…utility-1.0.xsd">
          <wsse:Username>alice</wsse:Username>
          <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
    </soap:Header>

Additional WSS Information Applied To The Usual soapUI Request

Slide 17: The Project: Test Bench

- Client and Server on same computer
- Communicate through localhost interface

Diagram labels: Client (soapUI) <-> Server (Axis2)
* SOAP Response with WSS

Slide 18: services.xml Without Rampart

    <?xml version="1.0" encoding="UTF-8"?>
    <service>
      <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
      </operation>
      <parameter name="ServiceClass" locked="false">
        org.apache.rampart.samples.policy.sample01.SimpleService
      </parameter>
      <module ref="addressing" />
      <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
    </service>

Usual Configuration Scheme For A Service on The Server

Slide 19: services.xml with Rampart

    <module ref="rampart" />
    <wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
            </wsp:Policy>
          </sp:SupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://…">
            <ramp:user>username</ramp:user>
            <ramp:passwordCallbackClass>
              org.apache.rampart.samples.policy.sample01.PWCBHandler
            </ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

Additional Code To Tell Rampart What Type of WSS To Expect

Slide 20: The Project: Test Bench

- Client and Server on same computer
- Communicate through localhost interface

Diagram labels: Client (soapUI) <-> Server (Axis2)
* SOAP Messages with WSS

Slide 21: The Project: Ultimate Purpose

Diagram labels: Client (soapUI) | XML Firewall | Guard | XML Firewall | Server (Axis2); Classified / Unclassified; localhost
* SOAP over HTTP with WSS
* Proprietary Format over Proprietary Protocol

Slide 22: WSS Mechanisms Attempted

- User Name Token
  - Username and Password
- Timestamp
  - Time to Live
- Encryption
  - Confidentiality
- Signature
  - Integrity and Authentication

Slide 23: An Example: Test Web Service

Diagram: Client sends "Hi!" to Server; Server echoes "Hi!" back to Client.

Slide 24: An Example: Valid User Name Token

Diagram: Client sends Correct Username And Password to Server; Server replies with Echo.

Slide 25: An Example: Invalid User Name Token

Diagram: Client sends Incorrect Username And/Or Password to Server; Server replies with Error.

Slide 26: An Example: Test Results

    Username    Password    Result
    Correct     Correct     Echo
    Incorrect   Incorrect   Error
    Blank       Blank       Error
    Correct     Incorrect   Error
    Correct     Blank       Error
    Incorrect   Correct     Error
    Incorrect   Blank       Error
    Blank       Correct     Error
    Blank       Incorrect   Error
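As an added example (not code from the presentation, soapUI or the Rampart project), the Python script below builds the UsernameToken request of slide 16, applies the server-side check that the UT policy of slide 19 demands, and replays the nine username/password combinations of slide 26. The credential store (alice/bobPW, as in the Rampart sample) and the "eve"/"wrong" values used for the Incorrect rows are constructed assumptions.

```python
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://www.w3.org/2003/05/soap-envelope"
SAMPLE = "http://sample01.policy.samples.rampart.apache.org"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed credential store standing in for Rampart's sample PWCBHandler.
USERS = {"alice": "bobPW"}

def build_request(username, password):
    """Envelope the soapUI client sends: WSS UsernameToken header plus sam:echo body.
    PasswordText carries the password in clear, so it relies on transport protection."""
    u, p = escape(username), escape(password)  # never splice raw input into XML
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:sam="{SAMPLE}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">
        <wsse:Username>{u}</wsse:Username>
        <wsse:Password Type="{PW_TEXT}">{p}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><sam:echo><sam:param0>Hi!</sam:param0></sam:echo></soap:Body>
</soap:Envelope>"""

def handle_request(envelope_xml):
    """Server-side check the UT policy imposes: 'Echo' for a valid token, else 'Error'."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return "Error"  # the policy requires a UsernameToken on every request
    user_el, pw_el = token.find(f"{{{WSSE}}}Username"), token.find(f"{{{WSSE}}}Password")
    if user_el is None or pw_el is None or pw_el.get("Type") != PW_TEXT:
        return "Error"  # missing element or a password type the policy does not accept
    expected = USERS.get(user_el.text or "", "")  # blank or unknown user never matches
    # Constant-time comparison so response timing does not reveal how much matched.
    if not expected or not hmac.compare_digest((pw_el.text or "").encode(), expected.encode()):
        return "Error"
    return "Echo"

USER_INPUT = {"Correct": "alice", "Incorrect": "eve", "Blank": ""}
PW_INPUT = {"Correct": "bobPW", "Incorrect": "wrong", "Blank": ""}

def run_matrix():
    """Replay the slide's nine username/password combinations -> {(user, pw): result}."""
    return {(u, p): handle_request(build_request(USER_INPUT[u], PW_INPUT[p]))
            for u in USER_INPUT for p in PW_INPUT}
```

Only the Correct/Correct row yields Echo; every other combination, a request with no Security header, or a password value carrying XML markup is rejected with Error.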

Slide 27: Actual SOA Test Lab Setup

Slide 28: Acknowledgements

- VP Operations: Matt Granger
- Program Manager: Todd Lawson
- Mentor: Marc Lefebvre
- GWSG: Bryan Berkowitz, Casey McGinty, Scott Oshita, Christopher Paris, Derek Terawaki
- Helpful Coworkers: Conrado Cortez, Deanna Garcia, Mark Mizubayashi
- Former Cubiclemates: Ellen Federoff, Kelly Ledford
- And Everyone Else Who Made Me Feel Welcome!

Slide 29: Acknowledgements

Maui Akamai Internship Program

Funding
- Center for Adaptive Optics (CfAO): National Science Foundation and Technology Center Grant (#AST-987683)
- Akamai Workforce Initiative: National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699)
- University of Hawaiʻi Grant

Program Staff: Lisa Hunter, Lani LeBron, Scott Seagroves, Lynne Raschke

Short Course Instructors: Dave Harrington, Ryan Montgomery, Isar Mostafanezhad, Mark Pitts, Sarah Sonnet

And Everyone Else Who Contributed To This Valuable Experience!

Slide 30: Thank you!

Any Questions?