Secured SOA
•
2 likes•588 views
- Securing web services involves ensuring confidentiality, integrity, authentication, and non-repudiation of messages. This can be achieved through transport security (HTTPS), message security (XML Encryption and Signature), and security tokens (UsernameToken, X.509). - WS-Security provides standards for applying security to SOAP messages using XML Signature and Encryption. It supports security tokens like UsernameToken and X.509 profiles. - WS-Trust allows delegating authentication of external users to their external domains through requesting and issuing security tokens. - WS-Security Policy allows communicating security requirements like algorithms, key sizes, signed/encrypted elements to external services in a standard way.
Report
Share
Secured SOA
- 1. Santa Clara , CA Secured SOA By Prabath Siriwardena ~ WSO2
- 6. Securing a Web Service..???
- 9. People Can SEE What You Send
- 10. People Can ALTER What You Send
- 11. People Can ALTER What You Send
- 12. Anyone Can CALL Your Service
- 13. People SEE What’s On
- 14. People Can ALTER What’s On
- 15. People Can ALTER What’s On
- 16. HTTP is NOT Secured
- 17. S HTTP
- 18. HTTPS is Transport Level
- 21. Security inherited from the transport channel
- 22. Safe only while on the transport
- 23. Parts of the message CANNOT BE encrypted
- 26. BasicAuth
- 31. SSL Handshake
- 32. CLIENT_HELLO Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
- 33. SERVER_HELLO Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
- 34. CERTIFICATE Public Key, Authentication Signature
- 35. CLIENT_CERT_REQUEST [Optional]
- 38. CERTIFICATE_VERIFY [Optional]
- 40. FINISHED
- 42. FINISHED
- 43. MONDAY Morning
- 44. NOT Happy With HTTPS
- 45. Requires END To END Security
- 46. Parts of message need to be Encrypted
- 47. <soap:Envelope > <soap:Body> <ns1:withdrawMoney > <param1></ param1> <param2></ param2> <param3></ param3> </ ns1:withdrawMoney > </soap:Body> </soap:Envelope>
- 48. <soap:Envelope > <soap:Body> <ns1:withdrawMoney > <param1></ param1> <param2></ param2> <param3></ param3> </ ns1:withdrawMoney > </soap:Body> </soap:Envelope>
- 50. XML Encryption
- 51. XML Signature
- 52. WS - Security
- 53. Confidentiality
- 54. Integrity
- 56. Authentication
- 57. UsernameToken
- 58. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
- 59. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
- 60. NOBODY In the Middle Can ALTER the Message
- 61. Only the Authenticated Users Can Invoke the Service
- 62. Sign & Encrypt OR Encrypt & Sign
- 63. Sign & Encrypt MessgaeSignture
- 64. XML Signature defines THREE types of signatures
- 65. <Message> <Signature> </Signature> </Message>
- 66. <Signature> <Message> </Message> </Signature>
- 68. <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
- 69. Sign & Encrypt With WS-Security
- 70. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
- 71. 2 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
- 72. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
- 73. Encrypt & Sign MessgaeSignture
- 74. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
- 75. 2 <Envelope> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
- 76. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
- 77. WS - Security XML Username X.509 Token XML Signature Encryption Token Profile Profile
- 78. DONE with My First Assignment
- 79. BUT… Paul NOT Happy
- 80. Authentication LIMITED to INTERNAL Users ONLY
- 81. Users OUT SIDE Our Domain Need ACCESS
- 82. We DON’T Have Their Credentials
- 84. Delegate Authentication to the External Domain itself
- 85. They Should Know How to Authenticate Their Own Users
- 86. We TRUST What the External Domain Says
- 88. WS-TRUST
- 89. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
- 90. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
- 91. WS - Trust WS - Security Username X.509 XML XML Token Token Signature Encryption Profile Profile
- 92. Another Problem on HAND…
- 93. How Do We Communicate our Security Requirements to Outsiders ?
- 94. The Encryption Algorithm We Use…
- 95. Key Size…
- 96. Token Types…
- 97. Elements to be Signed…
- 98. Elements to be Encrypted…
- 99. Use Symmetric Key or Asymmetric Key…
- 100. WS-Security Policy
- 101. Finally… all on the White Board…
- 105. Thank You…!!!