Transcript fr32_WSS4j Apache and Axis

Using WSS4J and Axis
to Secure Web Services
in the U. S. Government
Kevin T. Smith
Technical Director,
McDonald Bradley Inc.
Agenda
• Introduction
• Part 1 – Web Services Security Implementation
for the Government’s Horizontal Fusion
Program
• Part 2 – Web Services Security for a Not-ToBe-Named Current Government Program
• Part 3 – Resources, code, etc.
Introduction
• Kevin T. Smith
– Director of SOA & Semantics Security Team (S3T) at
McDonald Bradley
– Focused on Information Assurance & SOA
• Author/Co-Author of Several Technology Books
and Articles
• Contact Info:
– [email protected] or
– [email protected]
Part 1: Horizontal Fusion
What is Horizontal Fusion (HF)?
• From Web Site (http://www.horizontalfusion.dtic.mil/) :
– “As an award-winning effort consistent with the goals and guidance for
military transformation, Horizontal Fusion has been organized to focus
technology on the information-sharing challenges of net-centric warfare
and to demonstrate innovation and benefit quickly…”
– “Horizontal Fusion deploys web-services to leverage existing and
emerging technologies in a secure environment.”
• From A Technology Perspective:
–
–
–
–
Lots of Data, Everything exposed as web services
Large amount of data, many participants, large amount of services
Much web service chaining, federated search capabilities
Government requirements mandated very strong security
HF Technology History
• 2003 – Initial Phase, Deployment of
Many Web Services
• 2004 - Developed Security Toolkit using
Apache WSS4J & Apache Axis handlers
– Done for Axis 1.1 and 1.2
– Used WSS4J “snapshot” at that point +
OpenSAML (updated WSS4J in early ’05)
• 2004-Present : In Production
HF Message Format:
NCES Security SOAP Messaging
Net-Centric Enterprise Services
http://www.disa.mil/main/prodsol/cs_nces.html
Use of SAML for Access Control
In Request:
•
For Message Requests:
– Security Roles of the User is sent in SAML in
the SOAP Header
– The Clearance of the Subject is sent in SAML
– The Security Label of the Subject’s Request is
also in SAML
•
For Message Responses:
– The Security Label of the Response is set by the
Web Service
– The Server Handler Response Controls Access
Based On The Label That Was Returned By the
Web Service
– If Label is Authorized for User, Server Handler
Creates The Return Message, entering Security
Label of the Message, and Digitally Signing The
Message Before It is returned to the Requester
SAMLAssertion
Authentication Statement
Subject Security Roles
Attribute Statement
Subject Clearance
Attribute Statement
Subject Message Label
Attribute Statement
In Response:
SAMLAssertion
Subject Message Label
Attribute Statement
Back to Message Format:
Use of SAML for Access Control
-If SAML contains attributes
And local policy is expressed,
“local” PDP was used
-If SAML contains only identity,
“central” PDP was used
About Our Use of Axis Handlers
•
Security Handlers create secure messages
–
–
•
A Client Handler (on request) adds a WS-Security Header with a SAML Assertion on behalf of a
subject (the user) (Client RequestFlow)
A Server Handler (on response) creates a WS-Security Header on behalf of the Web Service
(Server Response Flow)
Security Handlers validate messages
–
–
A Server Handler (on request) validates a web service message, can control access by role – before
the web service is called (Server RequestFlow)
A Client Handler (on response) validates the message created by the web service (Client Response
Flow)
Web Service
Client
Client
Handler
Server
Handler
Web
Service
Web Service Client Requests
WS
Client
•
WS Client creates a “SecurityInfo” object and places it in the
MessageContext for Apache Axis to use
– SecurityInfo object contains information about the Message being sent
and the Subject for which the message is being sent
– Simple Example of Instantiating SecurityInfo:
SecurityInfo sinfo = new SecurityInfo("cn=Kevin T. Smith, o=McDonald Bradley, c=US");
sinfo.addRole("user.operator");
sinfo.addRole("user.analyst");
sinfo.addSubjectClearanceDataItem("S");
sinfo.addSubjectCitizenshipDataItem("USA");
sinfo.addMessageClassificationDataItem("S");
– Examples of Passing the information to Axis:
VersionServiceLocator vsl = new
VersionServiceLocator();
Stub stubby = (Stub)vsl.getVersion();
stubby._setProperty("SECURITY_INFO"
, sinfo);
Version v = (Version)stubby;
System.out.println(v.getVersion());
javax.xml.rpc.Call call = vs.createCall(new
QName(NS,port), "getVersion");
call.setProperty("SECURITY_INFO", sinfo)
System.out.println(call.invoke(null));
Axis Client Request Flow
WS
Client
Client
Handler
• Client Handler intercepts the message as part of the Axis Handler
Chain
• Client Handler pulls the SecurityInfo object from the MessageContext
–
SecurityInfo = (SecurityInfo)messageContext.getProperty(“SECURITY_INFO”);
• Client Handler builds the WS-Security Header with WSS4J
– Adds unique MessageId
– Adds Timestamp
– Adds SAML Assertion with data from SecurityInfo object.
– Signs MessageId, Timestamp, SAML Assertion, and Message
Body with certificate to create NCES Security-Compliant Message
Axis Server Request Flow
WS
Client
Client
Handler
Server
Handler
WS
• Server Handler intercepts the request message as part of the Axis
Handler chain
• Access Control:
– Calls a service to check revocation status of certificate
– Validates the signatures on the message
– Verifies the Timestamp is within a configurable window & verifies that
messageID has not been previously used to prevent replay attack
– Determines if Subject can access this Service, based on attributes in
SAML assertion & locally expressed policy, or via a call to Policy Service
– If any of these fail, throws a SOAP fault
• Creates a SecurityInfo object from the SAML assertion passed in
• Web Service gets the message
Axis Server Response Flow
WS
Client
Client
Handler
Server
Handler
WS
• After processing the request, Web Service creates a
SecurityInfo object for the label of the data and places it in
the MessageContext before sending the response message.
• Axis Server Handler intercepts the message as part of the
Axis Handler chain.
– Determines if the message contains a SOAP Fault. If so, it stops
processing
– It creates a NCES Secure message, but the SAML assertion now
has the label of the data (no user information)
Client Response Flow
WS
Client
•
•
Client
Handler
Server
Handler
WS
Response from server is intercepted by the Client Handler as part of the
Axis Handler chain
If SOAP Fault is found in the message no authentication of message is
done
• Calls a service to check revocation status of certificate
•
•
•
•
Signature on MessageId, Timestamp, SAML Assertion, and Message
body is verified.
MessageId uniqueness is verified.
Timestamp is validated against allowed window.
Message is returned to client for processing.
Common Usage Example
4.
CVS
10.
PDS
9.
1.
5.
2.
6.
7.
3.
Portal
Client
Handler
12.
8.
IFIS
Server
Handler
18.
11.
Client
Handler
Server
Handler
SWS
Provider
17.
14.
20.
16.
19.
15.
CVS
13.
Use of WSS4J in Axis Handlers
• Original development in 2004, used it with
OpenSAML (it wasn’t a part of it back then)
• Didn’t use WSS4J handlers, but used WSS4J
objects with DOM manipulation to create
security messages & validate them:
/* Create a WS-Security header in original document*/
Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants);
/* Add more stuff to security header.. (left out for brevity)*/
/* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/
/* Now, sign parts.. */
Vector signParts = new Vector();
WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML");
signParts.add(samlP);
WSSignEnvelope signer = new WSSignEnvelope();
signer.setKeyIdentifierType(m_keyid);
signer.setUserInfo(alias, pass);
signer.setParts(signParts);
Document signedDoc = signer.build(originalDoc, sloader.getCrypto());
/* On validate.. */
WSSecurityEngine engine = new WSSecurityEngine();
engine.processSecurityHeader(doc, null, null, crypto);
Web Service Approach to Labels
and Mandatory Access Control
•
•
MAC enforcement functionality at the Handler Level
On Request:
– Authenticating Web Service Client sets clearance and citizenship of user and
security label of message
– Client Handler adds this to the message before signing It
– Web Service Server Handler controls access based on message label, security label
– based on “high water mark” of intended web service
– Web Service, before it responds, can set a security label on response message
•
On Response:
– Server Handler gets security label of message from WS returning data
– Server Handler controls label access based on user’s clearance, and the security
label of message
– Server Handler creates message with label
– Client Handler validates message
– Web Service Client Gets Response
Use of WSS4J in Axis Handlers
• Original development in 2004, used it with
OpenSAML (it wasn’t a part of it back then)
• Didn’t use WSS4J handlers, but used WSS4J
objects with DOM manipulation to create
security messages & validate them:
/* Create a WS-Security header in original document*/
Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants);
/* Add more stuff to security header.. (left out for brevity)*/
/* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/
/* Now, sign parts.. */
Vector signParts = new Vector();
WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML");
signParts.add(samlP);
WSSignEnvelope signer = new WSSignEnvelope();
signer.setKeyIdentifierType(m_keyid);
signer.setUserInfo(alias, pass);
signer.setParts(signParts);
Document signedDoc = signer.build(originalDoc, sloader.getCrypto());
/* On validate.. */
WSSecurityEngine engine = new WSSecurityEngine();
engine.processSecurityHeader(doc, null, null, crypto);
Original Code on HF Web Site
• Code with ANT build, examples, sample
keystores was put on government site in
2004
•
http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip
Part 2:
Use of WSS4J & Axis
In Current Gov’t Program
Security Architecture
• Mutual SSL authentication
between browser and web
application to authenticate user
identity
• 2-way SSL between web
application and web services to
assert message sender identity
• X.509 Certificate in WSSecurity header used to assert
user identity
• WS using another security
framework on back-end, but
needed something on client
side: Tomcat & Axis & WSS4J
2-way SSL
WSSecurity
X.509
Certificate
Token
Profile
over
2-way SSL
Browser
GUI
GUI
Web Application
Web Service
Roles
ESB
INFOSEC
Boundary
Data Services
JDBC
Data
WS
Data
JDBC
Data
A Glance at Axis/WSS4J Code
//In Servlet/JSP code:
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
//..
//Put that in the property Axis uses
VersionServiceLocator vsl = new VersionServiceLocator();
Stub stubby = (Stub)vsl.getVersion();
stubby._setProperty("CLIENT_CERT", certs[0]); //passes in the X509Certificate object
Version v = (Version)stubby;
System.out.println(v.getVersion());
//In client request handler:
X509Certificate cert = (X509Certificate)inoutContext.getProperty("CLIENT_CERT");
/* Make a binarySecurityToken element */
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.newDocument();
org.apache.xml.security.Init.init();
X509Security binaryToken = new X509Security(doc);
binaryToken.setX509Certificate(cert);
/* Now create a WS-Security Header, and put the Binary Token Under It */
WSSecHeader wsh = new WSSecHeader();
wsh.setMustUnderstand(false);
Element e = wsh.insertSecurityHeader(origDoc);
Node dup = origDoc.importNode(binaryToken.getElement(), true);
e.appendChild(dup);
Message newMsg = (Message)toSOAPMessage(origDoc);
inoutContext.setRequestMessage(newMsg);
Conclusion
• We found that WSS4J and Apache Axis were easy
to use to build a complex Web Services Security
Solution
• Interoperability issues –
– Originally (in early 2004) WS-Security namespace
changes made interoperability difficult
– Now, no such problems – interoperates with .NET
solutions, and Axis client handler with WSS4J in
current project interoperates well with BEA weblogic
ALSB security subsystem.
Questions?