web services security patterns , practices & threats
DESCRIPTION
Web Services Security Patterns , Practices & Threats. Prabath Siriwardena – Software Architect, WSO2. Plan for the session. Patterns. Standards. Implementations. Recurring Problems. 1995. 1997. 1999. 2004. 2005. SAML2 Web SSO. 2008/May. Direct Authentication for Web Services. - PowerPoint PPT PresentationTRANSCRIPT
Web Services Security
Patterns, Practices
&
Threats
Prabath Siriwardena – Software Architect, WSO2
Patterns
Standards
Implementations
Plan for the session
Recurring Problems
Patterns
Authentication Patterns
Confidentiality Patterns
Authorization Patterns
1995 1997
1999
2004
2005
SAML2 Web SSO
2008/May
AuthenticationPatterns
Direct Authentication
Brokered Authentication
Basic Authentication
Mutual Authentication
2-legged OAuth
Direct Authentication for Web Services
Tran
spor
t Lev
el
UsernameToken Profile with WS-Security
Signing – X.509 Token Profile with WS-Security
Direct Authentication for Web Services
Mes
sage
Lev
el
Mutual Authentication
2-legged OAuth
Brokered Authentication for Web Services
Tran
spor
t Lev
el
WS-Trust / STS
WS-Federation
Brokered Authentication for Web Services
Mes
sage
Lev
el
Signing – X.509 Token Profile with WS-Security
Kerberos Token Profile for WS-Security
Resource STS
2006/April
2006/June
2008/2009
2008/2009
2008/2009
2007/Dec
2007/Dec
AuthorizationPatterns
Direct Authorization
Delegated Authorization
AuthorizationPatterns
Direct Authorization
Delegated Authorization
ActAs in WS-Trust 1.4
2005/Feb
Message Interceptor Gateway Pattern
Trusted Sub System Pattern
Security Solution PatternsM
essa
ge L
evel
UsernameToken Profile
SOAP SecurityM
essa
ge L
evel
X.509 Token Profile & Key Referencing
Mes
sage
Lev
elSOAP Security
Key Identifiers
Direct References
Symmetric Binding Vs Asymmetric Binding
Mes
sage
Lev
elSOAP Security
Mes
sage
Lev
elSOAP Security
• WS-Security secures SOAP – focuses on message level security
• Focuses on a single message authentication model
• Each message contains everything necessary to authenticate it self
• Suitable for a coarse grained messaging in which a single message at a time from the same requestor is receivedW
S – S
ecur
e Co
nver
satio
n
Mes
sage
Lev
elSOAP Security
WS
– Sec
ure
Conv
ersa
tion
• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer
• Removes the need of individual SOAP message carrying authentication information.
• Establishes a mutually authenticated security context in which a series of messages are exchanged.
• Uses public key encryption to exchange a shared secret and then onwards uses the shared key
WS-Trust
Mes
sage
Lev
elSOAP Security
Sender Vouches – Subject ConfirmationMes
sage
Lev
elSOAP Security
Mes
sage
Lev
elSOAP Security
Holder-of-Key – Subject Confirmation
WS-Security Policy
Mes
sage
Lev
elSOAP Security
