
Implementing Secure SOAP Web Services: A Comprehensive Guide

DESCRIPTION

This document provides an in-depth analysis of implementing security in SOAP web services, focusing on aspects such as authentication, integrity, and confidentiality. It defines what a web service is and details the structure of SOAP messages, including their components. Additionally, it discusses security measures like digital signatures and XML encryption, ensuring data integrity and confidentiality. Real-world examples from Maria Lizarraga's Competitive Loan Service illustrate the practical implementation of these security features, enhancing understanding of secure web service architecture.


Presentation Transcript


  1. Web Services Security Maria Lizarraga CS691

  2. Agenda
     • Problem Definition
     • SOAP Messages
     • Implementing Security Services
       • Integrity
       • Confidentiality
       • Authentication
     • Implementation

  3. What is a web service?
     • A web service is a web software application available on the network that provides an interface for exchanging information with a client.
     • the software application
     • a method to interface to the application
     • URI associated with the application
     • a published document that gives visibility to the world

  4. Architecture

  5. Maria’s Competitive Loan Service

  6. Network Layer Firewall
     • Firewall authenticates user
     • SOAP server cannot distinguish between
       • Business Partner
       • Customer

  7. Solution
     • Make firewall XML and SOAP aware
     • SOAP message contains security information
     • Intruders now stopped at the firewall

  8. Simple Object Access Protocol, SOAP Message
     • XML
     • Embedded into HTTP
     • Three parts
       • Envelope
       • Header
       • Body

  9. SOAP Message

     POST /GradesService/services/GradesService HTTP/1.0
     Content-Type: text/xml; charset=utf-8
     Accept: application/soap+xml, application/dime, multipart/related, text/*
     User-Agent: IBM WebServices/1.0
     Host: localhost:9080
     Cache-Control: no-cache
     Pragma: no-cache
     SOAPAction: ""
     Content-Length: 356

     <?xml version="1.0" encoding="UTF-8"?>
     <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                       xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <soapenv:Body>
         <getStudents xmlns="http://grades"/>
       </soapenv:Body>
     </soapenv:Envelope>

     Application

     package grades;

     public class GradesService {
         final int NUMSTUDENTS = 4;
         String[] students;
         char[] grade;

         public GradesService() {
             students = new String[] {"Mary", "Joe", "Sally", "Tim"};
             grade = new char[] {'A', 'B', 'C', 'D'};
         } // end constructor

         // Grade for a known student; 'Z' if the name is not in the list
         public char getStudentGrade(String student) {
             for (int i = 0; i < NUMSTUDENTS; i++)
                 if (student.equals(students[i]))
                     return grade[i];
             return 'Z';
         } // end getStudentGrade

         public String getStudent(int studentID) {
             return students[studentID];
         } // end getStudent

         // Operation invoked by the SOAP request above
         public String[] getStudents() {
             return students;
         } // end getStudents

         public static void main(String[] args) {
             GradesService gs = new GradesService();
             for (int i = 0; i < gs.NUMSTUDENTS; i++)
                 System.out.println("Student: " + gs.getStudent(i)
                         + "\tGrade: " + gs.getStudentGrade(gs.getStudent(i)));
         } // end main
     } // end class GradesService

     SOAP Request – Digital Signature

  10. Response

     HTTP/1.1 200 OK
     Server: WebSphere Application Server/5.1
     Content-Type: text/xml; charset=utf-8
     Content-Language: en-US
     Connection: close

     <?xml version="1.0" encoding="UTF-8"?>
     <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                       xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <soapenv:Body>
         <getStudentsResponse xmlns="http://grades">
           <getStudentsReturn>Mary</getStudentsReturn>
           <getStudentsReturn>Joe</getStudentsReturn>
           <getStudentsReturn>Sally</getStudentsReturn>
           <getStudentsReturn>Tim</getStudentsReturn>
         </getStudentsResponse>
       </soapenv:Body>
     </soapenv:Envelope>

  11. Security Services
     • Confidentiality
       • XML Encryption
     • Integrity
       • XML Digital Signature
     • Authentication
       • Security Tokens

  12. Client Application

  13. Integrity and Authentication Example
     Goal
     • Message Integrity
     • Message Authentication
     • User Authentication
     Process
     • Obtain the message digest of the message.
     • Encrypt message digest with sender’s private key.

  14. XML Digital Signature
     • <BinarySecurityToken> -- This section is for specifying the encoding format for binary encoded security tokens.
       • EncodingType -- Encoding used on Security Token
       • ValueType --
       • ID
       • Encoded Digital Certificate
     • <Signature> -- Signature specific information. It contains the following three subsections:
       • <SignedInfo> -- Processing information – How it is signed
         • <CanonicalizationMethod> -- Normalizing data algorithm
         • <SignatureMethod> -- Signature algorithm
         • <Reference> -- Points to signed content
           • <Transforms> -- How to process data
           • <DigestMethod> -- Hashing algorithm used on <body>
           • <DigestValue>
       • <SignatureValue> -- Value of the signed data
       • <KeyInfo> -- Optional key identifier (such as a public key/symmetric key)
         • <wsse:SecurityTokenReference>
           • Reference -- Refers to public key inside Digital Certificate
     Digital Signature Request Example
     Digital Signature Response Example
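Slides 13 and 14 describe the signing process (digest the body, sign the digest) and the layout of the <Signature> element. What follows is an added example, not code from the slides or from WebSphere: it builds that element over the slide 9 getStudents request and then verifies it on the receiving side. It substitutes the HMAC-SHA256 SignatureMethod that XML Signature also defines for the RSA private-key signature the slide describes, so it runs on the Python standard library alone (3.8 or newer, for C14N 2.0 in xml.etree). The wsse/wsu namespace URIs, the shared key and the wsu:Id values are assumptions.

```python
"""XML-Signature-style integrity check over a SOAP Body (added example, not from the slides)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# SOAP 1.1 URI from slide 9; XML-DSig from the W3C spec; wsse/wsu as in WS-Security 1.0 (assumed).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

C14N_ALG = "http://www.w3.org/2006/12/xml-c14n2"                 # C14N 2.0 (what xml.etree implements)
HMAC_SHA256_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
WSU_ID = "{%s}Id" % NS["wsu"]
KEY = b"constructed-demo-key"                                     # constructed; stands in for the key pair

# Constructed request modelled on slide 9, with a wsu:Id on the Body so a Reference can point at it.
REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header/>
  <soapenv:Body wsu:Id="Body-1">
    <getStudents xmlns="http://grades"/>
  </soapenv:Body>
</soapenv:Envelope>"""


def c14n(elem) -> bytes:
    """CanonicalizationMethod: serialize one element, then C14N 2.0 with whitespace-only text dropped."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()


def digest_value(elem) -> str:
    """DigestMethod/DigestValue: SHA-256 over the canonical element, Base64 encoded."""
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()


def find_by_id(root, wsu_id):
    """Resolve a '#id' URI; an id that matches more than one element is treated as unresolvable."""
    matches = [e for e in root.iter() if e.get(WSU_ID) == wsu_id]
    return matches[0] if len(matches) == 1 else None


def sign(envelope_xml: str, key: bytes) -> str:
    """Sender: add <wsse:Security><ds:Signature> to the Header, laid out as on slide 14."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soapenv:Body", NS)
    security = ET.SubElement(root.find("soapenv:Header", NS), "{%s}Security" % NS["wsse"])
    sig = ET.SubElement(security, "{%s}Signature" % NS["ds"])
    signed_info = ET.SubElement(sig, "{%s}SignedInfo" % NS["ds"])
    ET.SubElement(signed_info, "{%s}CanonicalizationMethod" % NS["ds"], Algorithm=C14N_ALG)
    ET.SubElement(signed_info, "{%s}SignatureMethod" % NS["ds"], Algorithm=HMAC_SHA256_ALG)
    ref = ET.SubElement(signed_info, "{%s}Reference" % NS["ds"], URI="#" + body.get(WSU_ID))
    ET.SubElement(ref, "{%s}DigestMethod" % NS["ds"], Algorithm=SHA256_ALG)
    ET.SubElement(ref, "{%s}DigestValue" % NS["ds"]).text = digest_value(body)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()   # RSA over the digest in the slides
    ET.SubElement(sig, "{%s}SignatureValue" % NS["ds"]).text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(envelope_xml: str, key: bytes) -> bool:
    """Receiver: every Reference must resolve and match, the Body must be covered, the MAC must match."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return False
    signed_info = sig.find("ds:SignedInfo", NS)
    if signed_info.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256_ALG:
        return False
    body = root.find("soapenv:Body", NS)
    body_covered = False
    for ref in signed_info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        target = find_by_id(root, uri[1:]) if uri.startswith("#") else None
        if target is None:
            return False
        if not hmac.compare_digest(digest_value(target), ref.findtext("ds:DigestValue", "", NS)):
            return False
        body_covered = body_covered or target is body
    if not body_covered:          # a signature over something other than the Body protects no data we act on
        return False
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    signed = sign(REQUEST, KEY)
    print(signed)
    print("intact:", verify(signed, KEY))
    print("tampered:", verify(signed.replace("getStudents", "getStudentGrade"), KEY))
```

The receiver checks in this order: each <Reference> resolves to exactly one element whose recomputed DigestValue matches, the Body is among the referenced elements, and the MAC over the canonical <SignedInfo> matches. With the key pair of slide 13, only the last step changes: SignatureValue becomes the RSA signature over the digest of <SignedInfo>, checked with the public key carried in <BinarySecurityToken>.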

  15. Confidentiality Example
     Goal
     • Only allow those who have “a need to know” see the data
     Process
     • Encrypt <body> with symmetric key
     • Encrypt symmetric key with recipient's public key

  16. XML Encryption
     • <EncryptedKey> -- Symmetric key information
       • <EncryptionMethod> -- Method of Encryption
       • <KeyInfo> -- Encrypted Key Identifier
         • <SecurityTokenReference>
           • <KeyIdentifier>
       • <CipherData>
         • <CipherValue> -- Encrypted Symmetric Key
       • <ReferenceList> -- Reference to the encrypted text
     Encryption Request Example
     Encryption Response Example

  17. Other XML Encryption Options
     • Encrypt entire message
     • Encrypt attachments
     • Encrypt any element
     • Encrypt an encrypted element

  18. Basic Authentication Example
     Goal
     • Identify the user
     Process
     • Provide user name
     • Provide user password (not encrypted)

  19. Basic Authentication
     • <UsernameToken>
       • <Username>
       • <Password>
     Basic Authentication Request Example
     Basic Authentication Response Example

  20. Security Tokens
     Security Tokens used to Authenticate
     • Basic Authentication
       • Login/Password
     • Digital Signature
       • Public Key/Private Key
     • ID Assertion
       • Single Sign-On
     • LTPA – Lightweight Third Party Authentication
       • Single Sign-On
       • Forwardable Credentials

  21. Assertions

  22. LTPA

  23. Hash Message Authentication Code (HMAC)

     <wsse:UsernameToken wsu:Id="LoanCenterUsernameToken">
       <wsse:Username>CompetitiveLoanService</wsse:Username>
       <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
       <wsu:Created>2003-06-12T09:00:00Z</wsu:Created>
     </wsse:UsernameToken>
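Slides 18 and 19 show a UsernameToken that carries the password in the clear, and slide 23 adds a Nonce and a Created timestamp so the password itself need not travel. What follows is an added example, not code from the slides or from WebSphere: the server-side validation of both forms. For the nonce form it uses the Password_Digest construction from the OASIS Username Token Profile 1.0, Base64(SHA-1(nonce + created + password)), where SHA-1 is what that profile specifies. The namespace URIs, the credential store, the five-minute freshness window and the sample nonces are assumptions.

```python
"""Server-side check of a WS-Security UsernameToken (added example, not from the slides)."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {  # WS-Security 1.0 namespace URIs (assumed; the slides show only the prefixes)
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"        # slides 18-19: password not encrypted
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"    # slide 23: nonce + created, password never sent
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)                 # assumed policy for how old Created may be

USERS = {"CompetitiveLoanService": "constructed-shared-secret"}   # constructed credential store


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest per Username Token Profile 1.0; the nonce enters as its decoded bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(username, password, nonce_b64=None, created=None, digest=True) -> str:
    """Client side: the token element, with the wsu:Id value from slide 23."""
    nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode()
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    if digest:
        pw_type, pw = PASSWORD_DIGEST, password_digest(nonce_b64, created, password)
    else:
        pw_type, pw = PASSWORD_TEXT, password
    return (f'<wsse:UsernameToken xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}" '
            f'wsu:Id="LoanCenterUsernameToken">'
            f'<wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{pw_type}">{pw}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken>')


class UsernameTokenValidator:
    """Server side: check the token and remember nonces so a captured token is not accepted twice."""

    def __init__(self, users):
        self.users = users
        self.seen_nonces = set()

    def validate(self, token_xml: str, now=None):
        """Return (accepted, reason)."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        user = tok.findtext("wsse:Username", "", NS).strip()
        pw = tok.find("wsse:Password", NS)
        secret = self.users.get(user)
        if secret is None or pw is None:
            return False, "unknown user or missing password"
        supplied = (pw.text or "").strip()
        pw_type = pw.get("Type", PASSWORD_TEXT)
        if pw_type == PASSWORD_TEXT:
            ok = hmac.compare_digest(supplied.encode(), secret.encode())
            return ok, "ok" if ok else "bad password"
        if pw_type != PASSWORD_DIGEST:
            return False, "unsupported password type"
        nonce = tok.findtext("wsse:Nonce", "", NS).strip()
        created = tok.findtext("wsu:Created", "", NS).strip()
        if not nonce or not created:
            return False, "digest token without Nonce/Created"
        try:
            ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(now - ts) > FRESHNESS:
            return False, "stale token"
        if nonce in self.seen_nonces:
            return False, "nonce already used"
        expected = password_digest(nonce, created, secret)
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "bad password digest"
        self.seen_nonces.add(nonce)   # recorded only on success, so a forged token cannot burn a nonce
        return True, "ok"


def run_scenario():
    """Constructed walk-through; returns the reason string of each validation in order."""
    user, secret = "CompetitiveLoanService", USERS["CompetitiveLoanService"]
    created = "2003-06-12T09:00:00Z"                        # the Created value shown on slide 23
    now = datetime(2003, 6, 12, 9, 1, tzinfo=timezone.utc)  # one minute later, inside the window
    nonce = lambda n: base64.b64encode(b"constructed-nonce-%d" % n).decode()
    v = UsernameTokenValidator(USERS)
    good = build_token(user, secret, nonce(1), created)
    results = [v.validate(good, now), v.validate(good, now)]                    # accept, then replay
    results.append(v.validate(build_token(user, "not-the-secret", nonce(2), created), now))
    results.append(v.validate(build_token(user, secret, nonce(3), created), now + timedelta(hours=1)))
    results.append(v.validate(build_token(user, secret, digest=False)))         # cleartext form
    return [reason for _accepted, reason in results]


if __name__ == "__main__":
    print(run_scenario())
```

The digest path rejects in the cheapest order first (missing fields, malformed or stale timestamp, reused nonce) and only then computes the digest; the nonce is recorded only after a successful check, so sending a token with a bad digest cannot block a later legitimate token that reuses the same nonce. The nonce set grows unbounded here; a service would expire entries older than the freshness window, since a token outside that window is rejected on the timestamp alone.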

  24. WebSphere Implementation
     Wizard support for:
     • XML Encryptions
     • XML Digital Signatures
     (One or the other, not both for <body> of message)
     Without Wizardry:
     • Security Tokens
       • Basic Authentication
       • Digital Signatures
       • Assertions
       • LTPA
     • Multiple Encryption on any part of message
     • Multiple Digital Signatures on any part of message

  25. Summary
     • Web Service Architecture
     • SOAP
     • Implementing Security Services
       • Integrity → XML Digital Signature
       • Confidentiality → XML Encryption
       • Authentication → Security Tokens

  26. References
     • XML Signature WG (specification), http://www.w3.org/Signature/
     • XML Encryption WG (specification), http://www.w3.org/Encryption/2001/
     • OASIS Security Services (SAML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
     • OASIS eXtensible Access Control Markup Language (XACML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
     • SOAP Tutorial, http://www.w3schools.com/soap
     • Specification: Web Services Security (WS-Security), http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
