Secure Web Services with
Apache Rampart/C
Why secure web services?
The world is not as nice as it seems!
Threats
- Common to distributed systems
- Specific to web services
Common threats
- Message replays
- Identity spoofing
- DoS attacks
- Message alteration/Integrity
- Confidentiality issues
Threats on web services
- Public disclosure
  - UDDI, WSDL
- SOAP bound to HTTP/SMTP can easily pass through firewalls
- Unpredictable order of service invocation
- Less human scrutiny
- Limitations of SOAP
  - Origin verification
  - Integrity, confidentiality
That's why...
WS-Security*
Transport Level Vs Message Level Security
Why Message Level Security?
- Multiple intermediaries
  - Operations to messages
  - Observation
- Security even after the safe delivery
- Non-repudiation
- Secure specific parts of the message
Rampart/C Features
- Timestamps
- Username Token Profile
- X509 Token Profile
- SOAP message encryption
- SOAP message signature
- WS-Security Policy Support
- Replay detection
Overview
Detailed Architecture
OMXMLSecurity
Apache Axis2/C deployment
- Client
  - axis2.xml [Engage]
  - policy.xml [Policy]
- Service
  - services.xml [Engage + Policy]
  - axis2.xml [Engage : optional]
Apache Axis2/C deployment
An Encrypted Message
Rampart/C usages
- WSF/C
- WSF/PHP
- WSF/Ruby
Security in WSF/PHP
Secured WSF/PHP Client
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSClient object
5. Request
PHP Client example

```php
// Receiver's certificate (used to encrypt) and the client's own private key.
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
$pvt_key = ws_get_key_from_file('../keys/alice_key.pem');

// $reqPayloadString is the XML request payload, defined before this point.
$reqMessage = new WSMessage($reqPayloadString,
    array("to" => "http://localhost/samples/security/encryption/encrypt_service.php",
          "action" => "http://php.axis2.org/samples/echoString"));

// Step 1: security properties. Steps 2 and 3: policy and security token.
$sec_array = array("encrypt" => TRUE, "algorithmSuite" => "Basic256Rsa15", "securityTokenReference" => "EmbeddedToken");
$policy = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $rec_cert));

// Step 4: client carrying the policy and token. Step 5: send the request.
$client = new WSClient(array("useWSA" => TRUE, "policy" => $policy, "securityToken" => $sec_token));
$resMessage = $client->request($reqMessage);
```
Secured WSF/PHP Service
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSService object
5. Reply
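PHP Service example

```php
// Certificate and private key; replace the placeholder paths with your own.
$pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
$pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

// Map the operation name to its handler; echoFunction must be defined by the service.
$operations = array("echoString" => "echoFunction");
// Map the WS-Addressing action to the operation name.
$actions = array("http://php.axis2.org/samples/echoString" => "echoString");

// Step 1: security properties. Steps 2 and 3: policy and security token.
$sec_array = array("encrypt" => TRUE, "algorithmSuite" => "Basic256Rsa15", "securityTokenReference" => "IssuerSerial");
$policy = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $pub_key));

// Step 4: service carrying the policy and token. Step 5: reply to the request.
$svr = new WSService(array("actions" => $actions, "operations" => $operations, "policy" => $policy, "securityToken" => $sec_token));
$svr->reply();
```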
Would Rampart/C be enough? NO...!!!
There are threats that cannot be addressed by WS-Security* alone, e.g. XML bombs and SQL injection.
Design your services carefully and use Rampart/C
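An added example, not part of the original slides, of what "design your services carefully" means for the two threats named above: after decryption the payload is still untrusted input to the operation function. The helper names (`extract_text`, `find_greeting`), the size limit and the `greetings` table are assumptions, and the payloads are constructed.

```php
<?php
// Added example: checks an operation handler applies to the decrypted payload.
// Function names, the size limit and the table are assumptions.
const MAX_PAYLOAD_BYTES = 65536;

// Parse defensively and return the value of the single <text> element.
function extract_text(string $xml): string {
    if ($xml === '' || strlen($xml) > MAX_PAYLOAD_BYTES) {
        throw new InvalidArgumentException('payload empty or too large');
    }
    // Entity-expansion payloads need a DTD; a SOAP payload never does.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DTD not allowed');
    }
    $doc = new DOMDocument();
    // LIBXML_NONET: no network fetches. LIBXML_NOENT is deliberately not set.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new InvalidArgumentException('malformed XML or DTD present');
    }
    $nodes = $doc->getElementsByTagName('text');
    if ($nodes->length !== 1) {
        throw new InvalidArgumentException('expected exactly one <text> element');
    }
    return $nodes->item(0)->textContent;
}

// The value is bound as a parameter, never concatenated into the SQL text.
function find_greeting(PDO $db, string $name): ?string {
    $stmt = $db->prepare('SELECT greeting FROM greetings WHERE name = ?');
    $stmt->execute([$name]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed sample data and payloads (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE greetings (name TEXT, greeting TEXT)");
$db->exec("INSERT INTO greetings VALUES ('alice', 'Hello, Alice')");
$ns = 'xmlns:ns1="http://php.axis2.org/samples"';
$payloads = [
    "<ns1:echoString $ns><text>alice</text></ns1:echoString>",
    "<ns1:echoString $ns><text>x' OR '1'='1</text></ns1:echoString>",
    '<!DOCTYPE a [<!ENTITY e "x">]><a><text>&e;</text></a>',
];
foreach ($payloads as $p) {
    try { var_dump(find_greeting($db, extract_text($p))); }
    catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```

In a WSF/PHP service these checks belong inside the operation function, applied to the payload of the incoming message before any other processing.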
What's ahead?
- WS-Secure Conversation
- WS-Trust
- WS-Federation
Questions?
Further reading
- http://wso2.org/library/2814
- http://wso2.org/library/2917
- http://wso2.org/library/2702