Web Service Security
Akylbek Zhumabayev, September 2008
Agenda
• Security Fundamentals
• Web Service (WS)
• Transport vs. Message
• Interoperability
• Open Standards
• WS Architecture
• Implementations
• WS-I
• Conclusion
Security Fundamentals
• Cryptography: Symmetric vs. Asymmetric
• Hash, Digest, Signature, Certificate
• “Defence in depth” strategy
• Security Dimensions
– Confidentiality
– Integrity
– Authentication
– Authorization
– Logging
Web Service (WS)
• SOA – loose coupling (the opposite of RPC)
• SOAP Web Service:
– Language: XML
– Message Protocol: SOAP
– Transport Protocol: HTTP
– Service Description Format: WSDL
– Service Discovery Protocol: UDDI
Transport vs. Message
Communication security
• Transport: full encryption, fast
• Message: supports intermediate nodes

[Diagram: Client and WS exchanging SOAP messages; labels: Transport Layer, Message Layer]
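Added example (not from the slides) of why message-layer security survives intermediate nodes: a simplified stand-in for WS-Security keeps an HMAC over the canonicalised soap:Body in a Security header, so an intermediary can add a WS-Addressing header without breaking integrity, while any change to the Body is detected. The shared key, the sample envelope and the shape of the Security element are constructed for the demo; real WS-Security uses XML-Signature with key tokens rather than a bare HMAC.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 envelope namespace
WSA = "http://www.w3.org/2005/08/addressing"       # WS-Addressing 1.0 namespace
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsa", WSA)
KEY = b"constructed-shared-secret"  # demo key; WS-Security would carry a token instead

# Constructed sample request; no whitespace so the Body reserialises byte-for-byte
ENVELOPE = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header/>'
            '<soap:Body><Transfer><Amount>100</Amount></Transfer></soap:Body></soap:Envelope>')

def _body_mac(env):
    """HMAC over the canonicalised soap:Body only (headers are deliberately excluded)."""
    body = env.find(f"{{{SOAP}}}Body")
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True)
    return hmac.new(KEY, c14n.encode(), hashlib.sha256).hexdigest()

def sign(xml):
    """Sender: attach the Body MAC as a simplified (hypothetical) Security header."""
    env = ET.fromstring(xml)
    sec = ET.SubElement(env.find(f"{{{SOAP}}}Header"), "Security")
    sec.text = _body_mac(env)
    return ET.tostring(env, encoding="unicode")

def verify(xml):
    """Receiver: recompute the MAC from the Body and compare in constant time."""
    env = ET.fromstring(xml)
    sec = env.find(f"{{{SOAP}}}Header/Security")
    return sec is not None and hmac.compare_digest(sec.text or "", _body_mac(env))

def route(xml):
    """Intermediate node: adds a wsa:To header; the protected Body is untouched."""
    env = ET.fromstring(xml)
    to = ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{WSA}}}To")
    to.text = "http://example.invalid/bank"
    return ET.tostring(env, encoding="unicode")

def tamper(xml):
    """Any change to the Body in transit (here the amount) invalidates the MAC."""
    env = ET.fromstring(xml)
    env.find(f"{{{SOAP}}}Body/Transfer/Amount").text = "100000"
    return ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    signed = sign(ENVELOPE)
    print("signed:", verify(signed), "routed:", verify(route(signed)),
          "tampered:", verify(tamper(signed)))
```

With TLS alone the integrity check would end at each hop; here the check travels with the message and is still valid after the routing node touched the envelope.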
Interoperability
• XML and SOAP are not enough
• OASIS and W3C developed open standards
• WS-I manages the application of standards:
– Basic Profile 1.2 (now 2.0 in progress)
– Basic Security Profile 1.1 (in progress)
• WSIT: Sun + Microsoft = 100% compatible
• Java-based solutions: JAX-RPC -> JAX-WS
Open Standards
[Diagram of the two standard groups]
• Main WS Standards: HTTP, SOAP, WSDL, UDDI, WS-Addressing
• Main WS Security Standards: XML-Encryption, XML-Signature, WS-Security, WS-Trust, WS-Policy
WS Architecture
[Diagram: “Layers (like onion)”; labels on the slide: Resource, Communication, File System]
• Base Layer – Protocol: HTTP; Language: XML, SOAP (communication side), WSDL (description side)
• Supporting Layer – WS-Addressing, MTOM (communication side); WS-Policy (description side)
• Security Layer – WS-Security, SAML (communication side); WS-SecurityPolicy, XACML (description side)
• Also shown: WS-Trust, WS-SecureConversation, WS-Federation
Implementations
• Microsoft:
– Windows Communication Foundation (WCF)
• Java-based (open-source):
– Sun WSIT
– Apache Axis2
– Apache CXF
– Other proprietary or featured solutions
Java-based WS
[Diagram of the Java-based WS stack]
• HTTP Server: Java 6 HTTPServer, Tomcat, Jetty, Glassfish
• WS Framework: WSIT, Axis2, CXF
• Application Server: Geronimo
• Also shown: Axis, Metro, WSO2, Spring
WS-I Basic Profile 2.0
• HTTP/1.1
• TLS 1.0
• SSL 3.0
• XML 1.0
• SOAP 1.2
• WSDL 1.1
• UDDI 2.04
• WS-Addressing 1.0
WS-I Basic Security Profile 1.1
• WS-I Basic Profile 1.1
• Simple SOAP Binding (SSBP) 1.0
• Attachment Profile (AP) 1.0
• XML-Signature
• XML-Encryption
• WS-Security 1.1
Conclusion
• SOAP WS over HTTP is still popular
• Too many WS standards
• Java-based solutions cover many scenarios
• Insecure WS solutions are compatible with each other
• Secure WS solutions are not 100% compatible