© Copyright IONA Technologies 2002
Colby Dyess, Senior Engineer, XMLBus
Hacks, cracks and 13 year olds! Avoiding Web Services Security Nightmares
Preparing Your Enterprise for Web Services (Part I)
The IONA Story
History
• Founded in Ireland in 1991; IPO on Nasdaq in 1997
• Global company with headquarters in Dublin, Ireland and Waltham, MA
Financial Performance
• Calendar year 2001 statistics
– Revenues $181 million (65% license / 35% services)
– Positive operating margins
Team
• Over 900 employees in over 30 offices worldwide with a sales force of over 300
• Strong blue chip customer and partner base
IONA is a leading provider of comprehensive, standards-based enterprise infrastructure solutions for customers to build, deploy and integrate mission-critical applications that power core business processes
Integration: The “Killer App” for Web Services
• Set of industry standards for distributed computing
• Service-oriented architectures enable End to Anywhere™ integration
• E2A changes the economics of integration
• Web services is the driving technology
– Simple
– Effective
– Unanimous industry support
Today’s Audience
• Familiar with SOAP, HTTP, SSL, WSDL and XML
• Limited exposure to security standards
• Need web service security in the near future (perhaps today!)
What Will be Discussed
• Security concerns
• Three layers of security
• Example uses of security layers
Security Concerns
• Control access to services and data
• Credential validation
• Private communication
• Ensuring message integrity
Security Layers
– Protocol
– Message
– Application
Security – Protocol Layer
– Basic Authentication
– Digest Authentication
– SSL (HTTPS)
– Mutual Authentication
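Worked illustration of the Basic and Digest options listed above, added here as an example and not part of the IONA deck. It implements the RFC 2617 Digest computation (the HTTP Auth reference on the Resources slide) with qop=auth on the client side, and a server-side verifier that stores only H(A1) rather than the password and rejects a replayed nonce count; the Mufasa/testrealm values are the RFC's own test vector, everything else is constructed.

```python
import base64
import hashlib
import secrets

def basic_header(username, password):
    """Authorization: Basic value. base64 is encoding, not encryption, hence the SSL requirement."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_basic(header):
    """What anyone who can read a plain-HTTP request recovers from a Basic header."""
    user, _, pwd = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, pwd

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest (qop=auth): the password itself never leaves the client."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: keeps only H(A1) per user plus the nonces it issued, so a
    captured Authorization header cannot simply be replayed (nc must increase)."""
    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued_nonces = {}  # nonce -> highest nonce-count accepted so far

    def add_user(self, username, password):
        self.ha1_by_user[username] = _md5(f"{username}:{self.realm}:{password}")

    def new_nonce(self):
        nonce = secrets.token_hex(16)  # would be sent in the WWW-Authenticate challenge
        self.issued_nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.issued_nonces:
            return False
        if int(nc, 16) <= self.issued_nonces[nonce]:
            return False  # replayed or stale nonce count
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False
        self.issued_nonces[nonce] = int(nc, 16)
        return True
```

Digest hides the password but not the request, and its MD5 construction offers no confidentiality or integrity for the SOAP body, which is why the deck pairs it with SSL and the message-layer mechanisms.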
Security – Message layer
– XML-Encryption
– XML-Signature
– WS-Security
Security – Application layer
– App server/container
– Security Assertions Markup Language (SAML)
– Proprietary
Meeting Security Needs
• Controlling access to services and data
– Basic and Digest Authentication
– SAML for Authorization
• Credential validation
– SAML for Authentication
– XML-Signature
– Mutual Authentication
Meeting Security Needs
• Private communication
– SSL (HTTPS)
– XML-Encryption
• Ensuring message integrity
– SSL (HTTPS)
– XML-Signature
Basic Example
[Slide diagram: Web Services Client sends Data in the SOAP Body over HTTP to the Web Services Server, which hands the Data to the Service; Data is returned the same way]
Entry-level Security
[Slide diagram: Web Services Client sends Credentials in the HTTP Header and Data in the SOAP Body over HTTPS (SSL); the Web Services Server passes the Credentials to a Security System, receives Security Assertions back, and then hands the Data to the Service]
Mid-level Security
[Slide diagram: as in the entry-level case, over HTTPS (SSL) with Credentials in the HTTP Header checked by an Auth. Platform that returns Security Assertions; the SOAP Body now carries Signed data, with a Certificate on each side used to sign and verify it]
Higher-level Security
[Slide diagram: as in the mid-level case, over HTTPS (SSL) with Credentials in the HTTP Header checked by an Auth. Platform that returns Security Assertions; the SOAP Body carries Signed, Encrypted data, with a Certificate on each side and explicit Encrypt and Decrypt steps at client and server]
Conclusions
• Security needs may vary
• There are many security levels
• Combine “security” for improved strength
• Can be adopted today!
It Takes A Platform
• Integration broker platform
• Connects existing applications and services
• Allows creation of automated business process flows across extended enterprise using Web Services and XML standards
• Application server platform for developing, deploying and managing business application logic
• Hosted in J2EE, CORBA or mainframe environments using Web services standards
Orbix E2A™
“Best Web Services Product”
Simplifies EAI, B2Bi, and BPM
Web Services Integration Now!
• Visit XMLBus.com and download Orbix E2A™ XMLBus Edition.
• Sign up for IONA training on Web services
• Download IONA’s Web services white paper at XMLBus.com
• Check out Orbix E2A™, the first e-Business Platform for Web Services Integration.
Upcoming Webcasts
Don’t forget IONA World, October 27 - 30th, San Diego, CA
PART 2: Web Service Composition: Unlocking Your Interface Potential, Thursday, May 23rd
PART 3: B2B Collaboration: Expanding Web Services Architectures, Tuesday, May 28
Questions?
Resources
• Open Standards
– XML-Signature http://www.w3.org/Signature/
– XML-Encryption http://www.w3.org/Encryption/2001/
– W3C SOAP WG http://www.w3.org/2000/xp/Group/
– HTTP Auth http://www.ietf.org/rfc/rfc2617.txt
• IONA
– Web Service Integration Platform - XMLBus Edition http://www.xmlbus.com
– Enterprise Security in Web Services (white paper) http://www.xmlbus.com/learn/Web-Services-Security.pdf
– IONA Web service white papers http://www.iona.com/forms/wprequest.htm
– IONA XMLBus Edition newsgroup news://inews.iona.com/iona.products.orbixE2A.xmlbus
Additional Resources
• Microsoft
– XML Web Service site http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28000442
– Security in a Web Services World: A Proposed Architecture and Roadmap http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
• IBM
– XML Security Suite http://www.alphaworks.ibm.com/tech/xmlsecuritysuite