Download ppt - Web Service Security

Transcript
Page 1: Web Service Security

Web Service Security

Akylbek ZhumabayevSeptember 2008

Page 2: Web Service Security

Agenda

• Security Fundamentals• Web Service (WS)• Transport vs. Message• Interoperability• Open Standards• WS Architecture• Implementations• WS-I• Conclusion

Page 3: Web Service Security

Security Fundamentals

• Cryptography: Symmetric vs. Asymmetric• Hash, Digest, Signature, Certificate• “In-depth” strategy• Security Dimensions– Confidentiality– Integrity– Authentication– Authorization– Logging

Page 4: Web Service Security

Web Service (WS)

• SOA – loose coupling (opposite RPC)• SOAP Web Service:– Language: XML– Message Protocol: SOAP– Transport Protocol: HTTP– Service Description Format: WSDL– Service Discovery Protocol: UDDI

Page 5: Web Service Security

Transport vs. Message

Communication security• Transport: full encryption, fast• Message: supports intermediate nodes

WSWSClientClient SOAPSOAP

Transport LayerMessage Layer

Page 6: Web Service Security

Interoperability

• XML and SOAP is not enough• OASIS and W3C developed open standards• WS-I manages applying of standards:– Basic Profile 1.2 (now 2.0 in progress)– Basic Security Profile 1.1 (in progress)

• WSIT: Sun + Microsoft = 100% compatible• Java-based solutions: JAX-RPC -> JAX-WS

Page 7: Web Service Security

Open Standards

XML-EncryptionXML-Signature

WS-SecurityWS-TrustWS-Policy

XML-EncryptionXML-Signature

WS-SecurityWS-TrustWS-Policy

Main WS Security Standards

Main WS Security Standards

HTTPSOAPWSDLUDDI

WS-Addressing

HTTPSOAPWSDLUDDI

WS-Addressing

Main WS StandardsMain WS Standards

Page 8: Web Service Security

WS Architecture

Security LayerSupporting Layer

ProtocolLanguageBase Layer

Security LayerSupporting Layer

ProtocolLanguageBase Layer

Resource

WS-Security, SAMLWS-Addressing, MTOM

SOAPXMLHTTP

Communication

WS-SecurityPolicy, XACMLWS-Policy

WSDLXML

File System

Layers (like onion)Layers (like onion)

WS-Trust

WS-SecureConversation WS-Federation

Page 9: Web Service Security

Implementations

• Microsoft:– Windows Communication Foundation (WCF)

• Java-based (open-source):– Sun WSIT– Apache Axis2– Apache CXF– Other proprietary or featured solutions

Page 10: Web Service Security

Java-based WS

Java 6 Tomcat JettyGlassfishHTTPServerHTTP

Server

WSIT Axis2 CXFWSFramework

WSFramework

GeronimoApplicationServer

ApplicationServer

Axis

Metro WSO2 Spring

Page 11: Web Service Security

WSI Basic Profile 2.0

• HTTP/1.1• TLS 1.0• SSL 3.0• XML 1.0• SOAP 1.2• WSDL 1.1• UDDI 2.04• WS-Addressing 1.0

Page 12: Web Service Security

WS-I Basic Security Profile 1.1

• WS-I Basic Profile 1.1• Simple SOAP Binding (SSBP) 1.0• Attachment Profile (AP) 1.0• XML-Signature• XML-Encryption• WS-Security 1.1

Page 13: Web Service Security

Conclusion

• SOAP WS over HTTP is still popular• Too many WS standards• Java-based solutions have many scenarios• Insecure WS solutions are compatible• Secure WS solutions are not 100% compatible


Recommended

Blue Coat Web Security Service: Unified Agent Brief
Blue Coat Web Security Service: Unified Agent Brief Documents
Web Service Security¡gi útmutatók/Web szerverek és... · Welcome to Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE)
Web Service Security¡gi útmutatók/Web szerverek és... · Welcome to Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) Documents
Webroot SecureAnywhere Web Security Service · The Webroot SecureAnywhere Web Security Service uses a globally distributed, multitenant, fully redundant data center infrastructure
Webroot SecureAnywhere Web Security Service · The Webroot SecureAnywhere Web Security Service uses a globally distributed, multitenant, fully redundant data center infrastructure Documents
Web Service Security - Kasetsart Universitymcs/courses/219451/slides/Lecture8.pdf · Web Service Security WS-Security FrameworkSecurity Framework Provides extensions that can be used
Web Service Security - Kasetsart Universitymcs/courses/219451/slides/Lecture8.pdf · Web Service Security WS-Security FrameworkSecurity Framework Provides extensions that can be used Documents
Security for Web Services and Service Oriented Architectures
Security for Web Services and Service Oriented Architectures Documents
Android Web Service Security - Joseph Alexander
Android Web Service Security - Joseph Alexander Software
AWS Security Token Service Security Token Service API Reference Welcome The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege
AWS Security Token Service Security Token Service API Reference Welcome The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege Documents
Security Web Service
Security Web Service Documents
Web Service Security
Web Service Security Documents
WEB SECURITY SERVICE APPLICATION BY USING WEB SERVICE AND RON
WEB SECURITY SERVICE APPLICATION BY USING WEB SERVICE AND RON Documents
Solution Guide Symantec Web Security Service Advanced ...Symantec Web Security Service is a leading cloud-delivered Secure Web Gateway service. Symantec gateways have been listed as
Solution Guide Symantec Web Security Service Advanced ...Symantec Web Security Service is a leading cloud-delivered Secure Web Gateway service. Symantec gateways have been listed as Documents
[MS-SPSTWS]: SharePoint Security Token Service Web Service ... · The SharePoint Security Token Service Web Service Protocol defines restrictions for several related protocols and
[MS-SPSTWS]: SharePoint Security Token Service Web Service ... · The SharePoint Security Token Service Web Service Protocol defines restrictions for several related protocols and Documents
1 Web Service and Security Lilly Wang. 2 Agenda Brief introduction to web service Web service security Wireless web service
1 Web Service and Security Lilly Wang. 2 Agenda Brief introduction to web service Web service security Wireless web service Documents
Security-as-a-Service for Amazon Web Servicesdownload.bitdefender.com/resources/media/materials/...Security-as-a-Service for Amazon Web Services Instant Provisioning: Deployment flexibility
Security-as-a-Service for Amazon Web Servicesdownload.bitdefender.com/resources/media/materials/...Security-as-a-Service for Amazon Web Services Instant Provisioning: Deployment flexibility Documents
Web Service Security in SAP NetWeaver CE Service Security in SAP NetWeaver CE SAP NetWeaver Product Management Security ... Configuring Security and Reliability Design-time configuration
Web Service Security in SAP NetWeaver CE Service Security in SAP NetWeaver CE SAP NetWeaver Product Management Security ... Configuring Security and Reliability Design-time configuration Documents
Web Service Security Overview, analysis and challenges · Web Service Security Overview, analysis and challenges ... Information system technologies to communicate in an ... Figure
Web Service Security Overview, analysis and challenges · Web Service Security Overview, analysis and challenges ... Information system technologies to communicate in an ... Figure Documents
Web Service Message Security in Applications Integration · Web Service Message Security in Applications Integration Syed Umair Hassan *, Farrukh Saleem Sheikh ... JSON. Its popularity
Web Service Message Security in Applications Integration · Web Service Message Security in Applications Integration Syed Umair Hassan *, Farrukh Saleem Sheikh ... JSON. Its popularity Documents
InTech-A Guided Web Service Security Testing Method
InTech-A Guided Web Service Security Testing Method Documents