@ApacheCon 2011
Prabath Siriwardena – Software Architect, WSO2
Patterns
Standards
Implementations
Plan for the session
Recurring Problems
Patterns
Authentication Patterns
Confidentiality Patterns
Authorization Patterns
Timeline slide (dates as shown): 1995, 1997, 1999, 2004, 2005, SAML2 Web SSO, 2008/May
Authentication Patterns
Direct Authentication
Brokered Authentication
Basic Authentication
Mutual Authentication
2-legged OAuth
Direct Authentication for Web Services
Transport Level
UsernameToken Profile with WS-Security
Signing – X.509 Token Profile with WS-Security
Direct Authentication for Web Services
Message Level
Mutual Authentication
2-legged OAuth
Brokered Authentication for Web Services
Transport Level
WS-Trust / STS
WS-Federation
Brokered Authentication for Web Services
Message Level
Signing – X.509 Token Profile with WS-Security
Kerberos Token Profile for WS-Security
Resource STS
Timeline slide (dates as shown): 2006/April, 2006/June, 2008/2009, 2008/2009, 2008/2009, 2007/Dec, 2007/Dec
Authorization Patterns
Direct Authorization
Delegated Authorization
Authorization Patterns
Direct Authorization
Delegated Authorization
ActAs in WS-Trust 1.4
2005/Feb
Message Interceptor Gateway Pattern
Trusted Sub System Pattern
Security Solution Patterns
Message Level
UsernameToken Profile
SOAP Security
Message Level
X.509 Token Profile & Key Referencing
Message Level
SOAP Security
Key Identifiers
Direct References
Symmetric Binding Vs Asymmetric Binding
Message Level
SOAP Security
• WS-Security secures SOAP – focuses on message level security
• Focuses on a single message authentication model
• Each message contains everything necessary to authenticate itself
• Suitable for coarse-grained messaging in which a single message at a time from the same requestor is received
WS-SecureConversation
Message Level
SOAP Security
WS-SecureConversation
• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer
• Removes the need for each individual SOAP message to carry its own authentication information.
• Establishes a mutually authenticated security context in which a series of messages are exchanged.
• Uses public key encryption to exchange a shared secret and then onwards uses the shared key
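As an added illustration of the bootstrap the last bullet describes (this is not from the deck and not WSO2 code): the requestor wraps a fresh shared secret under the service's RSA public key, and every later message of the conversation is protected with that symmetric key, bound to a context identifier. It models the pattern only, not the WS-SecureConversation SOAP wire format (no SecurityContextToken or DerivedKeyToken XML); the names SecurityContext, EstablishContext, AcceptContext, Seal and Open, the OAEP label and the context id urn:example:sct:1 are assumptions made here for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityContext is the state both parties share once the bootstrap is done:
// an identifier for the context and the shared secret tied to it.
// (Illustrative model; not the WS-SecureConversation SecurityContextToken.)
type SecurityContext struct {
	ID  string // assumed context identifier, stands in for the token identifier
	Key []byte // 256-bit shared secret used as the AES-GCM key
}

// oaepLabel binds the wrapped secret to its purpose; any fixed value works as
// long as both sides agree on it (assumed value).
var oaepLabel = []byte("secure-conversation-bootstrap")

// EstablishContext is the requestor's bootstrap step: generate a fresh random
// secret and wrap it under the service's RSA public key (RSA-OAEP). Only the
// holder of the matching private key can recover it.
func EstablishContext(servicePub *rsa.PublicKey, contextID string) (*SecurityContext, []byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, servicePub, secret, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return &SecurityContext{ID: contextID, Key: secret}, wrapped, nil
}

// AcceptContext is the service's side of the bootstrap: unwrap the secret with
// the private key and hold the same context as the requestor.
func AcceptContext(servicePriv *rsa.PrivateKey, contextID string, wrapped []byte) (*SecurityContext, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, servicePriv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SecurityContext{ID: contextID, Key: secret}, nil
}

func (c *SecurityContext) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one message of the conversation under the shared key. The
// context ID goes in as associated data, so a ciphertext only verifies within
// the context it was produced for. Output layout: nonce || ciphertext+tag.
func (c *SecurityContext) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(c.ID)), nil
}

// Open verifies and decrypts a message sealed under the same context; any
// tampering, or a message from a different context, is rejected.
func (c *SecurityContext) Open(msg []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(c.ID))
}

func main() {
	// Constructed demo: the service owns an RSA key; the requestor knows only the public half.
	servicePriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	requestor, wrapped, _ := EstablishContext(&servicePriv.PublicKey, "urn:example:sct:1")
	service, _ := AcceptContext(servicePriv, "urn:example:sct:1", wrapped)
	// From here on every message rides on the shared key; no per-message public-key work.
	for _, body := range []string{"<getBalance/>", "<transfer amount=\"10\"/>"} {
		sealed, _ := requestor.Seal([]byte(body))
		plain, err := service.Open(sealed)
		fmt.Printf("%s -> %s (err=%v)\n", body, plain, err)
	}
}
```

In the real protocol the context (the SecurityContextToken) is obtained through a WS-Trust issuance exchange, which is why the deck places WS-Trust and WS-SecureConversation side by side; the asymmetric work happens once at that step, and the per-message cost afterwards is symmetric only.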
WS-Trust
Message Level
SOAP Security
Sender Vouches – Subject Confirmation
Message Level
SOAP Security
Holder-of-Key – Subject Confirmation
http://wso2.org/library/3786
SOAP Security
http://wso2.org/library/3132
WS-SecurityPolicy