Web Service Security

Akylbek Zhumabayev

September 2008

Uploaded by hotbroodSecurity, Nov 2, 2013

Agenda

- Security Fundamentals
- Web Service (WS)
- Transport vs. Message
- Interoperability
- Open Standards
- WS Architecture
- Implementations
- WS-I
- Conclusion


Security Fundamentals

- Cryptography: symmetric vs. asymmetric
- Hash, digest, signature, certificate
- “In-depth” strategy (defence in depth)

Security Dimensions

- Confidentiality
- Integrity
- Authentication
- Authorization
- Logging


Web Service (WS)

- SOA
- Loose coupling (as opposed to RPC)
- SOAP Web Service:
  - Language: XML
  - Message protocol: SOAP
  - Transport protocol: HTTP
  - Service description format: WSDL
  - Service discovery protocol: UDDI


Transport vs. Message

Communication security

- Transport: encrypts the whole connection, fast
- Message: protects the message itself, so it survives intermediate nodes

Diagram (labels only): Client <-> SOAP <-> WS, shown once at the Transport Layer and once at the Message Layer.
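The slide's contrast between transport-level and message-level security is easier to see with a concrete message. The Python script below is an added example, not code from the slides or from any of the stacks named later in the deck. It builds a SOAP 1.2 envelope, signs the Body at the message layer, passes the envelope through an intermediate node that appends its own routing header, and verifies the signature at the receiver. Assumptions: a shared key with an HMAC stands in for XML-Signature's asymmetric signature, the wsse/wsa namespace URIs and the payload are constructed placeholders rather than the real WS-Security and WS-Addressing namespaces, and the intermediary is modelled as a function rather than a network hop.

```python
"""Message-level integrity for a SOAP envelope (added example, not from the slides).

Models the slide's point: a message-layer signature is bound to the Body, so
intermediate nodes may add or rewrite headers without breaking it, while
transport security (TLS) terminates at every hop and protects nothing once
the intermediary has decrypted the stream.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 envelope namespace
# Placeholder namespaces for the security and routing headers (assumption:
# they stand in for the real WS-Security and WS-Addressing URIs).
SEC_NS = "urn:example:security"
ADDR_NS = "urn:example:addressing"
for _prefix, _uri in (("soap", SOAP_NS), ("wsse", SEC_NS), ("wsa", ADDR_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample payload; the bank namespace is an example value.
PAYLOAD = '<GetBalance xmlns="urn:example:bank"><Account>12345</Account></GetBalance>'
ACCOUNT_TAG = "{urn:example:bank}Account"


def q(ns: str, local: str) -> str:
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_envelope(payload_xml: str) -> str:
    """Wrap an application payload in a SOAP 1.2 envelope with an empty Header."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    ET.SubElement(env, q(SOAP_NS, "Header"))
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    body.append(ET.fromstring(payload_xml))
    return ET.tostring(env, encoding="unicode")


def canonical_body(envelope_xml: str) -> str:
    """Canonical XML (C14N) of the Body: whitespace and prefix differences that
    intermediaries introduce must not change the bytes being signed."""
    env = ET.fromstring(envelope_xml)
    body = env.find(q(SOAP_NS, "Body"))
    if body is None:
        raise ValueError("envelope has no soap:Body")
    raw = ET.tostring(body, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True, rewrite_prefixes=True)


def sign_message(envelope_xml: str, key: bytes) -> str:
    """Sender: add a Security header carrying a digest of the Body and an HMAC
    over the same canonical bytes (HMAC stands in for an XML-Signature)."""
    c14n = canonical_body(envelope_xml).encode("utf-8")
    env = ET.fromstring(envelope_xml)
    header = env.find(q(SOAP_NS, "Header"))
    sec = ET.SubElement(header, q(SEC_NS, "Security"))
    ET.SubElement(sec, q(SEC_NS, "DigestValue")).text = b64(hashlib.sha256(c14n).digest())
    ET.SubElement(sec, q(SEC_NS, "SignatureValue")).text = b64(
        hmac.new(key, c14n, hashlib.sha256).digest())
    return ET.tostring(env, encoding="unicode")


def intermediary_hop(envelope_xml: str, node_name: str) -> str:
    """Intermediate node: reads the message, appends its own routing header and
    leaves the Body alone. The message-layer signature is unaffected."""
    env = ET.fromstring(envelope_xml)
    header = env.find(q(SOAP_NS, "Header"))
    ET.SubElement(header, q(ADDR_NS, "Via")).text = node_name
    return ET.tostring(env, encoding="unicode")


def tamper_body(envelope_xml: str, tag: str, new_text: str) -> str:
    """A node that rewrites the Body; the receiver must reject the result."""
    env = ET.fromstring(envelope_xml)
    for el in env.find(q(SOAP_NS, "Body")).iter():
        if el.tag == tag:
            el.text = new_text
    return ET.tostring(env, encoding="unicode")


def verify_message(envelope_xml: str, key: bytes) -> bool:
    """Receiver: recompute digest and HMAC over the canonical Body and compare
    in constant time against the values carried in the Security header."""
    env = ET.fromstring(envelope_xml)
    sec = env.find("./%s/%s" % (q(SOAP_NS, "Header"), q(SEC_NS, "Security")))
    if sec is None:
        return False
    c14n = canonical_body(envelope_xml).encode("utf-8")
    want_digest = b64(hashlib.sha256(c14n).digest()).encode("ascii")
    want_sig = hmac.new(key, c14n, hashlib.sha256).digest()
    got_digest = sec.findtext(q(SEC_NS, "DigestValue"), "").encode("ascii")
    got_sig = base64.b64decode(sec.findtext(q(SEC_NS, "SignatureValue"), ""))
    return hmac.compare_digest(got_digest, want_digest) and hmac.compare_digest(got_sig, want_sig)


def demo(key: bytes = b"constructed-shared-key") -> dict:
    signed = sign_message(build_envelope(PAYLOAD), key)
    routed = intermediary_hop(signed, "gateway-1")       # honest intermediary
    forged = tamper_body(routed, ACCOUNT_TAG, "99999")    # intermediary rewrites the Body
    return {
        "after_honest_hop": verify_message(routed, key),   # True
        "after_body_tamper": verify_message(forged, key),  # False
        "unsigned": verify_message(build_envelope(PAYLOAD), key),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The receiver never looks at the routing headers when checking integrity, which is exactly what lets the message cross an intermediary that transport security would have to trust completely. A real WS-Security stack (the Metro/WSIT, CXF or WCF implementations listed later in the deck) does the same thing with XML-Signature over canonicalised elements and an X.509 key in place of the shared HMAC key, and adds XML-Encryption of the Body for confidentiality.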

Interoperability

- XML and SOAP alone are not enough
- OASIS and W3C developed open standards
- WS-I governs how the standards are applied:
  - Basic Profile 1.2 (2.0 now in progress)
  - Basic Security Profile 1.1 (in progress)
- WSIT: Sun + Microsoft = 100% compatible
- Java-based solutions: JAX-RPC -> JAX-WS


Open Standards

Main WS security standards:
- XML-Encryption
- XML-Signature
- WS-Security
- WS-Trust
- WS-Policy

Main WS standards:
- HTTP
- SOAP
- WSDL
- UDDI
- WS-Addressing

WS Architecture

Layers (like an onion); diagram labels recovered from the slide, column assignment reconstructed:

  Layer              Messaging / communication   Description / resources
  Security Layer     WS-Security, SAML           WS-SecurityPolicy, XACML
  Supporting Layer   WS-Addressing, MTOM         WS-Policy
  Protocol           SOAP
  Language           XML                         WSDL
  Base Layer         HTTP                        XML
  Resource           Communication               File System

Outer security layers: WS-Trust, WS-SecureConversation, WS-Federation

Implementations

- Microsoft:
  - Windows Communication Foundation (WCF)
- Java-based (open source):
  - Sun WSIT
  - Apache Axis2
  - Apache CXF
- Other proprietary or feature-specific solutions


Java-based WS (diagram; labels recovered from the slide)

- Java 6
- HTTP Server: Tomcat, Jetty, Glassfish
- WS Framework: WSIT, Axis2, CXF
- Application Server: Geronimo
- Also shown: Axis, Metro, WSO2, Spring

WS-I Basic Profile 2.0

- HTTP/1.1
- TLS 1.0
- SSL 3.0
- XML 1.0
- SOAP 1.2
- WSDL 1.1
- UDDI 2.04
- WS-Addressing 1.0

WS-I Basic Security Profile 1.1

- WS-I Basic Profile 1.1
- Simple SOAP Binding (SSBP) 1.0
- Attachment Profile (AP) 1.0
- XML-Signature
- XML-Encryption
- WS-Security 1.1

Conclusion

- SOAP WS over HTTP is still popular
- Too many WS standards
- Java-based solutions cover many scenarios
- Insecure WS solutions are compatible with each other
- Secure WS solutions are not 100% compatible