RY-Presentation - Center for Adaptive Optics
Web Service Security
Through A Guard
Roxanne Yee
Home Institution: University of Hawaiʻi at Mānoa
Internship Site: Akimeka, LLC
Mentor: Marc Lefebvre
Advisor: Todd Lawson
1
Presentation Overview
Project Hierarchy and Motivation
Background and Terminology
Guard
Web Service Security
My Specific Part
Test Bench
An Example
Questions
2
Information Assurance (IA) Group
Cross Domain Solutions (CDS) Group
GWSG (Global Web Services Gateway) Project
Service Oriented Architecture (SOA) Test Lab
Customers
National Security Agency (NSA)
Defense Information Systems Agency (DISA)
3
GWSG Project Motivation
Goal
To enhance the capabilities of a user on a
classified network to gain immediate access to
data available on an unclassified network
Classified
Network User
Unclassified
Database
4
GWSG Project Motivation
One Method Currently Used To Access Data
Classified
Network
User
(Soldier)
Classified
Database
Unclassified
Database
Sneaker-net
5
GWSG Project Motivation
Disadvantages to Current Methods
Redundancies of Data
Time Costly
Replication
Transportation
Need For Data Synchronization
Frequent Updates
No Guarantee of Data Availability
Extra Manpower by Man-In-The-Loop
6
GWSG Project Motivation
New Cross Domain Solution (CDS)
Web Services Technology
Classified
Network
User
(Soldier)
Guard
Unclassified
Database
7
SOA Test Lab Component
Goal
Evaluate Guards Specified by NSA and DISA
Compare capability and effectiveness to process
message formats used by web services today
Provide the best guard solution given a specific
situation in which the guard would be applied
8
My Part In The SOA Test Lab
Research and Document How To Implement
Web Service Security
Controlled and Predictable Environment
Test Web Service
Findings To Be Used In SOA Test Lab
Foundation
Template
9
WSS, SOAP, and HTTP
WSS or WS-Security (Web Service Security)
OASIS (Organization for the Advancement of Structured
Information Standards)
Applied to SOAP Messages
SOAP (Simple Object Access Protocol)
Message Format
HTTP (Hypertext Transfer Protocol)
Transport Protocol
10
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client
(soapUI)
Server
(Axis2)
* SOAP Request and SOAP Response
11
The Project: Open-Source Software
Server Side
Tomcat 6.0.16
Axis2 1.4
Rampart 1.4
Client Side
soapUI 2.0.2
12
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client
(soapUI)
* SOAP Request with WSS
Server
(Axis2)
13
soapUI Outgoing Configuration
Interface Used to Apply WSS to Request To Server
14
Usual Request soapUI
Sends w/o WSS
A SOAP Message Request w/o WSS
<soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>
15
Additional WSS Information
Applied To The Usual soapUI Request
A SOAP Message Request Header with WSS
<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527"
        xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
16
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client
(soapUI)
* SOAP Response with WSS
Server
(Axis2)
17
Usual Configuration Scheme
For A Service on The Server
services.xml Without Rampart
<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing" />
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>
18
Additional Code To Tell Rampart
What Type of WSS To Expect
services.xml with Rampart
<module ref="rampart" />
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…"
    xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>
          org.apache.rampart.samples.policy.sample01.PWCBHandler
        </ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
19
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client
(soapUI)
* SOAP Messages with WSS
Server
(Axis2)
20
The Project: Ultimate Purpose
Classified
Unclassified
XML
Firewall
XML
Firewall
Client
(soapUI)
* SOAP over HTTP
with WSS
Guard
localhost
Server
(Axis2)
* Proprietary Format over
Proprietary Protocol
21
WSS Mechanisms Attempted
User Name Token
Username and Password
Timestamp
Time to Live
Encryption
Confidentiality
Signature
Integrity and Authentication
22
An Example: Test Web Service
“Hi!”
Client
Server
“Hi!”
23
An Example: Valid User Name Token
Correct
Username
And
Password
Client
Server
Echo
24
An Example: Invalid User Name Token
Incorrect
Username
And/Or
Password
Client
Server
Error
25
An Example: Test Results
Username    Password    Result
Correct     Correct     Echo
Incorrect   Incorrect   Error
Blank       Blank       Error
Correct     Incorrect   Error
Correct     Blank       Error
Incorrect   Correct     Error
Incorrect   Blank       Error
Blank       Correct     Error
Blank       Incorrect   Error
26
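The UsernameToken exchange of slides 16, 19 and 24 to 26, worked through as an added Python example that is not part of the original presentation and not code from the soapUI, Axis2 or Rampart projects. The client side builds the SOAP 1.2 echo request with a wsse:UsernameToken (PasswordText) and a wsu:Timestamp, the way soapUI's outgoing configuration does; the server side enforces the policy the way the Rampart password callback on slide 19 would, returning the echoed text or "Error". It then reproduces the slide 26 truth table and the timestamp time-to-live check from slide 22. The full OASIS namespace URIs (the slides abbreviate them with "…"), the in-memory credential store for alice, the invalid credentials "eve"/"wrongPW", the fixed clock and the 300-second TTL are assumptions of this example.

```python
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Full namespace URIs for SOAP 1.2 and OASIS WS-Security 1.0 (the slides abbreviate them with "...").
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAMPLE_NS = "http://sample01.policy.samples.rampart.apache.org"  # Rampart sample01 service namespace
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS), ("sam", SAMPLE_NS)):
    ET.register_namespace(prefix, uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store standing in for Rampart's PWCBHandler callback class (assumption).
PASSWORDS = {"alice": "bobPW"}


def password_callback(username):
    """Return the stored password for a user, or None if the user is unknown (assumed callback)."""
    return PASSWORDS.get(username)


def build_request(username, password, text="Hello?", with_wss=True, ttl_seconds=300, now=None):
    """Client side (what soapUI does on slide 14): build an echo request, optionally with a WSS header."""
    now = now or datetime.now(timezone.utc)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    if with_wss:
        sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                            {f"{{{SOAP_NS}}}mustUnderstand": "true"})
        # Timestamp: the "Time to Live" mechanism from slide 22.
        ts = ET.SubElement(sec, f"{{{WSU_NS}}}Timestamp", {f"{{{WSU_NS}}}Id": "Timestamp-1"})
        ET.SubElement(ts, f"{{{WSU_NS}}}Created").text = now.strftime(TIME_FMT)
        expires = now + timedelta(seconds=ttl_seconds)
        ET.SubElement(ts, f"{{{WSU_NS}}}Expires").text = expires.strftime(TIME_FMT)
        # UsernameToken with a plaintext password, as on slide 16.
        tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken", {f"{{{WSU_NS}}}Id": "UsernameToken-1"})
        ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
        ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    echo = ET.SubElement(body, f"{{{SAMPLE_NS}}}echo")
    ET.SubElement(echo, f"{{{SAMPLE_NS}}}param0").text = text
    return ET.tostring(env, encoding="unicode")


def handle_request(xml_text, now=None):
    """Server side: enforce the UsernameToken policy of slide 19, then echo param0 or return 'Error'."""
    now = now or datetime.now(timezone.utc)
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError:
        return "Error"
    sec = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        return "Error"  # the policy requires the token on every request
    ts = sec.find(f"{{{WSU_NS}}}Timestamp")
    if ts is not None:
        try:
            expires = datetime.strptime(ts.findtext(f"{{{WSU_NS}}}Expires") or "", TIME_FMT)
        except ValueError:
            return "Error"  # malformed or missing Expires
        if expires.replace(tzinfo=timezone.utc) <= now:
            return "Error"  # time to live exhausted
    tok = sec.find(f"{{{WSSE_NS}}}UsernameToken")
    pw_el = None if tok is None else tok.find(f"{{{WSSE_NS}}}Password")
    if tok is None or pw_el is None or pw_el.get("Type") != PASSWORD_TEXT:
        return "Error"
    username = (tok.findtext(f"{{{WSSE_NS}}}Username") or "").strip()
    password = pw_el.text or ""
    if not username or not password:
        return "Error"  # the Blank rows of the slide 26 table
    expected = password_callback(username) or ""
    # Constant-time comparison; an unknown user compares against the empty string and fails.
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return "Error"
    return env.findtext(f"{{{SOAP_NS}}}Body/{{{SAMPLE_NS}}}echo/{{{SAMPLE_NS}}}param0") or ""


# Constructed inputs for the three cases of each column on slide 26.
USER_CASES = {"Correct": "alice", "Incorrect": "eve", "Blank": ""}
PW_CASES = {"Correct": "bobPW", "Incorrect": "wrongPW", "Blank": ""}


def results_table():
    """Reproduce the slide 26 truth table as {(username case, password case): result}."""
    return {(u, p): handle_request(build_request(USER_CASES[u], PW_CASES[p]))
            for u in USER_CASES for p in PW_CASES}


def simulate_ttl(ttl_seconds, elapsed_seconds):
    """Result of a valid request built with the given TTL and handled elapsed_seconds later."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock
    req = build_request("alice", "bobPW", ttl_seconds=ttl_seconds, now=t0)
    return handle_request(req, now=t0 + timedelta(seconds=elapsed_seconds))


if __name__ == "__main__":
    for (u, p), result in results_table().items():
        print(f"{u:<10}{p:<10}{result}")
    print("expired:", simulate_ttl(300, 600))
```

Only the Correct/Correct row echoes the payload; every other row, a request without the Security header, and a request whose Timestamp has expired all fall through to "Error", which is the behaviour the test bench on slides 24 to 26 records.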
Actual SOA Test Lab Setup
27
Acknowledgements
VP Operations
Matt Granger
Program Manager
Todd Lawson
Mentor
Marc Lefebvre
GWSG
Bryan Berkowitz
Casey McGinty
Scott Oshita
Christopher Paris
Derek Terawaki
Helpful Coworkers
Conrado Cortez
Deanna Garcia
Mark Mizubayashi
Former Cubiclemates
Ellen Federoff
Kelly Ledford
And Everyone Else Who
Made Me Feel Welcome!
28
Acknowledgements
Funding
Center for Adaptive Optics (CfAO)
National Science Foundation and
Technology Center Grant
(#AST-987683)
Akamai Workforce Initiative
National Science Foundation
Grant and Air Force Office of
Scientific Research Grant
(#AST-0710699)
University of Hawaiʻi Grant
Maui Akamai
Internship
Program
Program Staff
Lisa Hunter
Lani LeBron
Scott Seagroves
Lynne Raschke
Short Course Instructors
Dave Harrington
Ryan Montgomery
Isar Mostafanezhad
Mark Pitts
Sarah Sonnet
And Everyone Else Who Contributed To This Valuable Experience!
29
Thank you!
Any Questions?
30