1 / 19

Web Data and Application Security CSCE 201

Web Data and Application Security CSCE 201. References – Recommended only. Web Services Choreography Working Group , http://www.w3.org/2002/ws/chor/

kathie
Télécharger la présentation

Web Data and Application Security CSCE 201

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Data and Application Security CSCE 201

  2. References – Recommended only • Web Services Choreography Working Group , http://www.w3.org/2002/ws/chor/ • Web Services Federation Language (WS-Federation), http://msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation.asp/ • A Case Study of the WS-Security Framework, http://www.cs.ucsb.edu/~gayatri/Presentations/WS%20Case%20Study.ppt • Web Services Choreography and Process Algebra, http://www.daml.org/services/swsl/materials/WS-CDL.ppt • WS Choreography Overview, http://xml.coverpages.org/BurdettWSChoreographyOverview200306.ppt • BPEL Overview, http://www.oracle.com/technology/tech/webservices/ppt/BPELOverview.ppt#1 • J. Yang, D. Wijesekera, S. Jajodia, Subject switching algorithms for access control in federated databases, http://portal.acm.org/citation.cfm?id=863748&dl=acm&coll=&CFID=15151515&CFTOKEN=6184618

  3. Web Evolution • Past: Human usage • HTTP • Static Web pages (HTML) • Current: Human and some automated usage • Interactive Web pages • Web Services (WSDL, SOAP, SAML) • Semantic Web (RDF, OWL, RuleML, Web databases) • XML technology (data exchange, data representation) • Future: Semantic Web Services

  4. WS-Security • WS-Security (Web Services Security): a communications protocol providing a means for applying security to Web Services • From: originally by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and developed via committee in Oasis-Open • Defines how integrity and confidentiality can be enforced on Web Services messaging • Use of SAML and Kerberos, and certificate formats • Incorporates security features in the header of a SOAP message, working in the application layer (different from TLS-based security)

  5. WS Policy • WS-Policy: a specification that allows web services to use XML to advertise their policies (on security, Quality of Service, etc.) and for web service consumers to specify their policy requirements

  6. Secure WS Development • Inherent Security of Web Services • Security of the services Security Software  Software Security Computer Science and Engineering 6

  7. WS Security Outline • Data Security • Metadata Security • Application Security

  8. Web Application Security

  9. Security Requirements - Identity Management: Each entity must be able to identity itself to the party it wants to communicate with - Policy Management: Each entity enforces policies with other entities. E.g. message format, who has access to what, what one needs to process. - Secure Messaging: authentication, confidentiality, integrity, non-repudiation

  10. Applications Users User and Transactional Security WebServers Business transaction model based on XML and Web Services Applications exchange transactions – users are not directly involved Sender may not originate transactions; does not know the final destination Security requirements are based on the content of transaction – not the identity of the applications Transactional Security User Security

  11. WS Business Model • Web-Service Orchestration is a form of a composition • A central controller invokes the individual services in the • workflow based on a workflow specification • BPEL provides the required constructs to define a • workflow and individual service invocations

  12. BPEL Fault-Handler • BPEL faults are of two types: • business faults: application specific faults returned by a service invoked • runtime faults: triggered or detected by the environment • Handling runtime faults requires finding a replacement for the failed service

  13. Example • Both the flight services (f1 and f2), are star_alliance • partners • The car booking service (c1) only provides a pickup for the • passengers from a hotel that is located within a 5-mile radius • The output of the payment service (p) is encrypted with • 256-bit encryption

  14. Design Considerations • Reliability, based on the recovery from a failed component service. This involves: rerouting of processes that have already begun execution • Efficient recovery from a failure of component services • Separation of code from the actual business logic • Service selection based on the composition constraints (business rules)

  15. Secure and Fault Tolerant BPEL

  16. Service Selection Algorithm • finds a replacement service if documented: the algorithm will find a replacement service if it is explicitly defined or selection is based on the service categories • is correct: selection of the service must be such that it satisfies the business and security requirements given as rules • efficiency: The time complexity of the algorithm primarily arises from the inference engine – small number of rules

  17. Security and Privacy - Today • Today transactions are secured using WSS toolkits to implement the Web Service security standards • Usually support for X.509 Certificates or password credentials SWS + password / X.509 Cert HTML

  18. Security and Privacy – “Tomorrow” • SAML Tokens for use in WSS security headers to support Federated Identities • User Authentication supplied by CT/FIM • Requests SAML assertions from SAML authority to build SAML tokens • Crossover from Browser/User security world to Web Services WSS withSAML WSS + SAML Token HTML Login SAML Assertions SAML Authority

  19. Security and Privacy – “Tomorrow” • Web services infrastructure moves toward WS-Trust credential servers for token issuance and support of WS-Federation • WS-Trust toolkits provide messaging and protocol support for development of clients and servers WS-Trust WSS+Token WS-Trust Server Tk WS-Federation Ids Tokens WS-TrustCredential Server

More Related