Web Service Security
Akylbek Zhumabayev
September 2008
Agenda
• Security Fundamentals
• Web Service (WS)
• Transport vs. Message
• Interoperability
• Open Standards
• WS Architecture
• Implementations
• WS-I
• Conclusion
Security Fundamentals
• Cryptography: Symmetric vs. Asymmetric
• Hash, Digest, Signature, Certificate
• “In-depth” (defense-in-depth) strategy
• Security Dimensions
– Confidentiality
– Integrity
– Authentication
– Authorization
– Logging
Web Service (WS)
• SOA – loose coupling (as opposed to RPC)
• SOAP Web Service:
– Language: XML
– Message Protocol: SOAP
– Transport Protocol: HTTP
– Service Description Format: WSDL
– Service Discovery Protocol: UDDI
Transport vs. Message
Communication security
• Transport level: encrypts the whole channel, fast
• Message level: protects the message itself, so it survives intermediate nodes
[Diagram: Client and WS exchange SOAP; the message layer (SOAP) sits above the transport layer]
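As an added example (not from the slides), the message-level case in simplified form: the SOAP body is canonicalised and protected by an HMAC carried in a wsse:Security header, modelled on WS-Security/XML-Signature but without real XML-DSig. The namespace URIs are the real ones; the key, the sample message and the function names are constructed for this illustration, and a shared HMAC key stands in for the certificate-based signature a WS-Security stack would use.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSA = "http://www.w3.org/2005/08/addressing"
NS = {"soap": SOAP, "wsse": WSSE}
ET.register_namespace("soap", SOAP)   # stable prefix when re-serialising
SHARED_KEY = b"constructed-demo-key"  # stands in for a real key or certificate

# Constructed sample request; a real one is produced by the WS framework.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header/>
<soap:Body><Transfer><Amount>100</Amount></Transfer></soap:Body></soap:Envelope>"""

def canonical_body(root):
    """C14N of soap:Body, so re-indenting by a hop does not change the MAC."""
    xml = ET.tostring(root.find("soap:Body", NS), encoding="unicode").strip()
    return ET.canonicalize(xml, strip_text=True).encode()

def sign(envelope):
    """Add a wsse:Security header carrying an HMAC over the canonical body."""
    root = ET.fromstring(envelope)
    sec = ET.SubElement(root.find("soap:Header", NS), f"{{{WSSE}}}Security")
    mac = hmac.new(SHARED_KEY, canonical_body(root), hashlib.sha256)
    ET.SubElement(sec, f"{{{WSSE}}}SignatureValue").text = mac.hexdigest()
    return ET.tostring(root, encoding="unicode")

def verify(envelope):
    """Recompute the HMAC over the body as received; unsigned -> rejected."""
    root = ET.fromstring(envelope)
    sig = root.find("soap:Header/wsse:Security/wsse:SignatureValue", NS)
    if sig is None or not sig.text:
        return False
    mac = hmac.new(SHARED_KEY, canonical_body(root), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), sig.text)

def relay(envelope):
    """Intermediate node: adds a WS-Addressing header and pretty-prints."""
    root = ET.fromstring(envelope)
    ET.SubElement(root.find("soap:Header", NS), f"{{{WSA}}}To").text = "urn:demo"
    ET.indent(root)                   # whitespace-only change, body intact
    return ET.tostring(root, encoding="unicode")

def modified_in_transit(envelope):
    """A hop alters the protected body; verify() must now return False."""
    root = ET.fromstring(envelope)
    root.find("soap:Body/Transfer/Amount", NS).text = "100000"
    return ET.tostring(root, encoding="unicode")
```

Transport-level security (TLS) would have protected only the hop to the relay; here the check still holds at the final WS because the protection travels with the message.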
Interoperability
• XML and SOAP alone are not enough
• OASIS and W3C developed open standards
• WS-I manages how the standards are applied (profiles):
– Basic Profile 1.2 (now 2.0 in progress)
– Basic Security Profile 1.1 (in progress)
• WSIT: Sun + Microsoft = 100% compatible
• Java-based solutions: JAX-RPC -> JAX-WS
Open Standards
• Main WS Standards
– HTTP
– SOAP
– WSDL
– UDDI
– WS-Addressing
• Main WS Security Standards
– XML-Encryption
– XML-Signature
– WS-Security
– WS-Trust
– WS-Policy
WS Architecture
Layers (like onion); each layer lists its communication side | its resource side:
• Above the security layer: WS-Trust, WS-SecureConversation, WS-Federation
• Security Layer: WS-Security, SAML | WS-SecurityPolicy, XACML
• Supporting Layer: WS-Addressing, MTOM | WS-Policy
• Protocol: SOAP | WSDL
• Language: XML | XML
• Base Layer: HTTP | File System
Implementations
• Microsoft:
– Windows Communication Foundation (WCF)
• Java-based (open-source):
– Sun WSIT
– Apache Axis2
– Apache CXF
– Other proprietary or featured solutions
Java-based WS
[Diagram: Java-based WS stack in three columns, Application Server, WS Framework and HTTP Server; products shown: Metro, Geronimo, WSIT, Glassfish, WSO2, Spring, Axis2, Java 6, Tomcat, CXF, Jetty, Axis]
WS-I Basic Profile 2.0
• HTTP/1.1
• TLS 1.0
• SSL 3.0
• XML 1.0
• SOAP 1.2
• WSDL 1.1
• UDDI 2.04
• WS-Addressing 1.0
WS-I Basic Security Profile 1.1
• WS-I Basic Profile 1.1
• Simple SOAP Binding (SSBP) 1.0
• Attachment Profile (AP) 1.0
• XML-Signature
• XML-Encryption
• WS-Security 1.1
Conclusion
• SOAP WS over HTTP is still popular
• Too many WS standards
• Java-based solutions cover many scenarios
• Insecure WS solutions are compatible with each other
• Secure WS solutions are not 100% compatible with each other