1
Web Service Security Through A Guard
Roxanne Yee
Home Institution: University of Hawaiʻi at Mānoa
Internship Site: Akimeka, LLC
Mentor: Marc Lefebvre
Advisor: Todd Lawson
2
Presentation Overview
Project Hierarchy and Motivation
Background and Terminology
Guard
Web Service Security
My Specific Part
Test Bench
An Example
Questions
3
Information Assurance (IA) Group
Cross Domain Solutions (CDS) Group
GWSG (Global Web Services Gateway) Project
Service Oriented Architecture (SOA) Test Lab
Customers
National Security Agency (NSA)
Defense Information Systems Agency (DISA)
4
GWSG Project Motivation
Goal
To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network
Unclassified Database
Classified Network
User
5
GWSG Project Motivation
One Method Currently Used To Access Data
Unclassified Database
Classified Database
Classified Network
User (Soldier)
Sneaker-net
6
GWSG Project Motivation
Disadvantages to Current Methods
Redundancies of Data (Replication)
Time Costly (Transportation)
Need For Data Synchronization (Frequent Updates)
No Guarantee of Data Availability
Extra Manpower by Man-In-The-Loop
7
GWSG Project Motivation
New Cross Domain Solution (CDS) Web Services Technology
Unclassified Database
Classified Network
User (Soldier)
Guard
8
SOA Test Lab Component
Goal
Evaluate Guards Specified by NSA and DISA
Compare capability and effectiveness to process message formats used by web services today
Provide the best guard solution given a specific situation in which the guard would be applied
9
My Part In The SOA Test Lab
Research and Document How To Implement Web Service Security
Controlled and Predictable Environment
Test Web Service
Findings To Be Used In SOA Test Lab
Foundation
Template
10
WSS, SOAP, and HTTP
WSS or WS-Security (Web Service Security)
OASIS (Organization for the Advancement of Structured Information Standards)
Applied to SOAP Messages
SOAP (Simple Object Access Protocol)
Message Format
HTTP (Hypertext Transfer Protocol)
Transport Protocol
11
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client (soapUI)
Server (Axis2)
* SOAP Request and SOAP Response
12
The Project: Open-Source Software
Server Side
Tomcat 6.0.16
Axis2 1.4
Rampart 1.4
Client Side
soapUI 2.0.2
13
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client (soapUI)
Server (Axis2)
* SOAP Request with WSS
14
soapUI Outgoing Configuration
Interface Used to Apply WSS to Request To Server
15
A SOAP Message Request w/o WSS
<!-- soap: SOAP 1.2 envelope namespace; sam: namespace of the sample01 echo service -->
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>
Usual Request soapUI Sends w/o WSS
16
A SOAP Message Request Header with WSS
<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527" xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://...wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
Additional WSS Information Applied To Usual Request soapUI
17
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client (soapUI)
Server (Axis2)
* SOAP Response with WSS
18
services.xml Without Rampart
<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing" />
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>
Usual Configuration Scheme For A Service on The Server
19
services.xml with Rampart
<module ref="rampart" />
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Additional Code To Tell Rampart What Type of WSS To Expect
20
The Project: Test Bench
Client and Server on same computer
Communicate through localhost interface
Client (soapUI)
Server (Axis2)
* SOAP Messages with WSS
21
The Project: Ultimate Purpose
Client (soapUI)
Server (Axis2)
* SOAP over HTTP with WSS
* Proprietary Format over Proprietary Protocol
localhost
Classified | Unclassified
Guard
XML Firewall
XML Firewall
22
WSS Mechanisms Attempted
User Name Token: Username and Password
Timestamp: Time to Live
Encryption: Confidentiality
Signature: Integrity and Authentication
23
An Example: Test Web Service
Client -> Server: "Hi!"
Server -> Client: "Hi!"
24
An Example: Valid User Name Token
Client -> Server: Correct Username And Password
Server -> Client: Echo
25
An Example: Invalid User Name Token
Client -> Server: Incorrect Username And/Or Password
Server -> Client: Error
26
An Example: Test Results
Username    Password    Result
Correct     Correct     Echo
Incorrect   Incorrect   Error
Blank       Blank       Error
Correct     Incorrect   Error
Correct     Blank       Error
Incorrect   Correct     Error
Incorrect   Blank       Error
Blank       Correct     Error
Blank       Incorrect   Error
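The UsernameToken header shown earlier and the nine-row result table above describe the same check from two sides: the client puts a Username and a PasswordText Password into wsse:Security, and the server accepts the echo only when both match a known account. The following Python script is an added example written for this page; it is not code from the presentation, from Axis2 or from Rampart. It builds the SOAP 1.2 request soapUI would send (the credentials alice/bobPW come from the slide; every other value, and the names build_request, handle_request, lookup_password and run_test_matrix, are assumptions), validates the token the way Rampart's passwordCallbackClass would (lookup_password stands in for PWCBHandler), and reproduces the full result table, including the missing-token and blank-field cases.

```python
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs from the SOAP 1.2 and OASIS WSS 1.0 specifications.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAMPLE_NS = "http://sample01.policy.samples.rampart.apache.org"

# Constructed credential store; alice/bobPW is the pair shown on the slide.
PASSWORDS = {"alice": "bobPW"}


def lookup_password(username):
    """Stand-in for the sample's PWCBHandler callback (assumed name): return the
    expected password for a known user, or None for an unknown one."""
    return PASSWORDS.get(username)


def build_request(username, password, include_token=True):
    """Constructed echo request in the shape soapUI sends; the WSS UsernameToken
    is placed in the header only when include_token is True."""
    token = ""
    if include_token:
        token = (
            f'<wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE}">'
            f'<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{username}</wsse:Username>"
            f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
            "</wsse:UsernameToken></wsse:Security>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:sam="{SAMPLE_NS}">'
        f"<soap:Header>{token}</soap:Header>"
        "<soap:Body><sam:echo><sam:param0>Hello?</sam:param0></sam:echo></soap:Body>"
        "</soap:Envelope>"
    )


def handle_request(xml_text):
    """Server-side check: 'Echo' when a valid UsernameToken is present, else 'Error'.
    Every failure path returns the same result so the client cannot tell which
    field was wrong."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "Error"
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return "Error"
    token = header.find(f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return "Error"  # policy says the token is required on every request
    user_el = token.find(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    if user_el is None or pw_el is None:
        return "Error"
    # Only the plaintext profile is handled here; PasswordText is the default Type.
    if pw_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return "Error"
    username = (user_el.text or "").strip()
    supplied = pw_el.text or ""
    expected = lookup_password(username)
    # Blank fields and unknown users fail before any comparison is made.
    if not username or not supplied or expected is None:
        return "Error"
    # Constant-time comparison so the check does not leak match length.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "Error"
    if root.find(f"{{{SOAP}}}Body/{{{SAMPLE_NS}}}echo") is None:
        return "Error"  # authenticated, but not the operation this service offers
    return "Echo"


def run_test_matrix():
    """Reproduce the nine Username/Password combinations from the result table.
    'Incorrect' values are constructed; 'Blank' is an empty element."""
    users = {"Correct": "alice", "Incorrect": "carol", "Blank": ""}
    pws = {"Correct": "bobPW", "Incorrect": "notBobPW", "Blank": ""}
    cases = [("Correct", "Correct"), ("Incorrect", "Incorrect"), ("Blank", "Blank"),
             ("Correct", "Incorrect"), ("Correct", "Blank"), ("Incorrect", "Correct"),
             ("Incorrect", "Blank"), ("Blank", "Correct"), ("Blank", "Incorrect")]
    return [(u, p, handle_request(build_request(users[u], pws[p]))) for u, p in cases]


if __name__ == "__main__":
    print(f"{'Username':<12}{'Password':<12}Result")
    for u, p, result in run_test_matrix():
        print(f"{u:<12}{p:<12}{result}")
    print("No token:", handle_request(build_request("alice", "bobPW", include_token=False)))
```

Running the script prints the same table as the slide, with Echo only in the first row. The script also covers a case the table does not list: a request with no wsse:Security header at all is rejected, which is what the AlwaysToRecipient policy in services.xml asks Rampart to enforce.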
27
Actual SOA Test Lab Setup
28
Acknowledgements
VP Operations: Matt Granger
Program Manager: Todd Lawson
Mentor: Marc Lefebvre
GWSG: Bryan Berkowitz, Casey McGinty, Scott Oshita, Christopher Paris, Derek Terawaki
Helpful Coworkers: Conrado Cortez, Deanna Garcia, Mark Mizubayashi
Former Cubiclemates: Ellen Federoff, Kelly Ledford
And Everyone Else Who Made Me Feel Welcome!
29
Acknowledgements
Maui Akamai Internship Program
Funding
Center for Adaptive Optics (CfAO): National Science Foundation Science and Technology Center Grant (#AST-987683)
Akamai Workforce Initiative: National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699)
University of Hawaiʻi Grant
Program Staff: Lisa Hunter, Lani LeBron, Scott Seagroves, Lynne Raschke
Short Course Instructors: Dave Harrington, Ryan Montgomery, Isar Mostafanezhad, Mark Pitts, Sarah Sonnet
And Everyone Else Who Contributed To This Valuable Experience!
30
Thank you!
Any Questions?