Prabath  Siriwardena  –  Software  Architect,  WSO2  

Patterns

Standards

Implementations

Plan for the session

Recurring Problems

Patterns

Authentication Patterns

Confidentiality Patterns

Authorization Patterns

1995 1997

1999

2004

2005

SAML2 Web SSO

2008/May

Authentication Patterns

Direct Authentication

Brokered Authentication

Basic Authentication

Mutual Authentication

2-legged OAuth

Direct Authentication for Web Services

Tran

sport  L

evel  

UsernameToken Profile with WS-Security

Signing – X.509 Token Profile with WS-Security

Direct Authentication for Web Services

Message

 Lev

el  

Mutual Authentication

2-legged OAuth

Brokered Authentication for Web Services

Tran

sport  L

evel  

WS-Trust / STS

WS-Federation

Brokered Authentication for Web Services

Message

 Lev

el  

Signing – X.509 Token Profile with WS-Security

Kerberos Token Profile for WS-Security

Resource  STS  

2006/April

2006/June

2008/2009

2008/2009

2008/2009

2007/Dec

2007/Dec

Authorization Patterns

Direct Authorization

Delegated Authorization

Authorization Patterns

Direct Authorization

Delegated Authorization

ActAs  in  WS-­‐Trust  1.4  

2005/Feb

Message Interceptor Gateway Pattern

Trusted Sub System Pattern

Security Solution Patterns Message

 Lev

el  

UsernameToken Profile

SOAP Security Message

 Lev

el  

X.509 Token Profile & Key Referencing

Message

 Lev

el  

SOAP Security

Key  Identifiers  

Direct  References  

Symmetric Binding Vs Asymmetric Binding

Message

 Lev

el  

SOAP Security

Message

 Lev

el  

SOAP Security

•  WS-­‐Security  secures  SOAP  –  focuses  on  message  level  security  

•  Focuses  on  a  single  message  authentication  model  

•  Each  message  contains  everything  necessary  to  authenticate  it  self  

•  Suitable  for  a  coarse  grained  messaging  in  which  a  single  message  at  a  time  from  the  same  requestor  is  received  WS  –  Se

cure  Con

versation  

Message

 Lev

el  

SOAP Security WS  –  Se

cure  Con

versation   •  What  SSL  does  at  the  transport  level  in  point-­‐to-­‐point  

communication,  WS-­‐SecureConversation  does  at  the  SOAP  layer  

•  Removes  the  need  of  individual  SOAP  message  carrying  authentication  information.  

•  Establishes  a  mutually  authenticated  security  context  in  which  a  series  of  messages  are  exchanged.  

•  Uses  public  key  encryption  to  exchange  a  shared  secret  and  then  onwards  uses  the  shared  key  

WS-Trust

Message

 Lev

el  

SOAP Security

Sender Vouches – Subject Confirmation

Message

 Lev

el  

SOAP Security

Message

 Lev

el  

SOAP Security

Holder-of-Key – Subject Confirmation

http://wso2.org/library/3786

SOAP Security

http://wso2.org/library/3132

WS – Security Policy