Identity patterns and anti-patterns in real world web services
DESCRIPTION
Identity patterns and anti-patterns in real world web services @ Apache Asia Roadshow 2009 ~ Colombo
TRANSCRIPT
Identity patterns & anti-patterns in real world web services
~ By Prabath Siriwardena, WSO2
Proof of identity
Something you know…
Something you have…
Something you are…
Multifactor Authentication
Anyone can access my Service
WSDL
Transport Level Security vs Message Level Security
Transport Level Security
Message Level Security
```xml
<wsse:UsernameToken wsu:Id="Example-1">
  <wsse:Username> ... </wsse:Username>
  <wsse:Password Type="..."> ... </wsse:Password>
  <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
  <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
```
BasicAuth with Transport Level Security
Direct Authentication Pattern
Problem :
How to avoid anonymous users accessing a web service
Direct Authentication Pattern
Solution :
The web service acts as an authentication service to validate credentials from the client.
Direct Authentication Pattern
Implementation(s) :
UsernameToken with WS-Security (WSSE)
BasicAuth with TLS
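A worked example of the Direct Authentication pattern with the UsernameToken shown above. This is added illustration, not code from the deck or from WSO2: the client builds a PasswordDigest token (Base64(SHA-1(nonce + created + password)), the digest the OASIS UsernameToken Profile defines) and the service validates the credential itself, with the replay and freshness checks that make the digest form worth using. The user store, the 300-second freshness window and the in-memory nonce cache are assumptions for the example.

```python
import base64
import calendar
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and type URIs from the OASIS WSS 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = 300  # assumed freshness window (seconds) for <wsu:Created>


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: float) -> str:
    """Client side: the <wsse:UsernameToken> from the slide, with a fresh random nonce."""
    nonce = os.urandom(16)
    created = time.strftime(TIME_FMT, time.gmtime(now))
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="Example-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def validate_username_token(token_xml: str, users: dict, seen_nonces: set, now: float):
    """Service side (Direct Authentication): the service checks the credential itself.

    Returns (True, username) or (False, reason). `users` maps username to the
    clear-text password: PasswordDigest can only be recomputed from clear text,
    which is a real cost of this scheme. `seen_nonces` is the replay cache (in
    production bounded and shared across nodes). Parse untrusted XML with
    defusedxml in real deployments; stdlib ElementTree is used here for brevity.
    """
    root = ET.fromstring(token_xml)
    username = root.findtext(f"{{{WSSE}}}Username")
    pw_el = root.find(f"{{{WSSE}}}Password")
    nonce_b64 = root.findtext(f"{{{WSSE}}}Nonce")
    created = root.findtext(f"{{{WSU}}}Created")
    if username is None or pw_el is None or nonce_b64 is None or created is None:
        return False, "missing element"
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "only PasswordDigest accepted"
    try:
        created_ts = calendar.timegm(time.strptime(created, TIME_FMT))
    except ValueError:
        return False, "malformed Created"
    if abs(now - created_ts) > MAX_SKEW:
        return False, "token outside freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    password = users.get(username)
    # Compute the digest even for unknown users so the failure path does not reveal which part was wrong.
    expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
    if password is None or not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "bad credentials"
    seen_nonces.add(nonce_b64)
    return True, username
```

With BasicAuth over TLS (the other implementation on the slide) the service simply compares the password and relies on the channel for confidentiality and replay protection; the price is that the credential is only as protected as the TLS configuration and any intermediaries that terminate it.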
Exception Shielding Pattern
Problem :
Exception data output by a service containing implementation details could compromise the security of the service
Exception Shielding Pattern
Solution :
Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers
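An added example of the Exception Shielding pattern at a SOAP service boundary (illustration only, not code from the deck): every exception is mapped to a fault whose code and text are chosen in advance, the full exception is logged server-side under a correlation id, and only that id reaches the consumer. The fault table, the logger name and the SOAP 1.1 fault layout are assumptions for the example.

```python
import logging
import traceback
import uuid
from xml.sax.saxutils import escape

log = logging.getLogger("orders-service")

# Exception class -> (SOAP 1.1 faultcode, faultstring), fixed in advance: "safe by design".
SAFE_FAULTS = [
    (PermissionError, "soap:Client.Forbidden", "Not authorised for this operation"),
    (KeyError, "soap:Client.NotFound", "Requested item does not exist"),
    (ValueError, "soap:Client.BadRequest", "Request could not be processed"),
]


class ShieldedFault:
    def __init__(self, code: str, message: str, correlation_id: str):
        self.code, self.message, self.correlation_id = code, message, correlation_id

    def to_soap(self) -> str:
        """Only the sanitized triple reaches the consumer; the id lets support find the real trace."""
        return (
            '<soap:Fault xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<faultcode>{escape(self.code)}</faultcode>"
            f"<faultstring>{escape(self.message)}</faultstring>"
            f"<detail><correlationId>{self.correlation_id}</correlationId></detail>"
            "</soap:Fault>"
        )


def shield(exc: BaseException) -> ShieldedFault:
    """Map any internal exception to a fault that carries no implementation detail.

    The exception type, message and stack trace (which may contain hostnames,
    SQL, file paths or credentials) are logged server-side under a correlation
    id; the consumer only ever sees the id.
    """
    cid = uuid.uuid4().hex
    log.error("fault %s\n%s", cid, "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    for exc_type, code, message in SAFE_FAULTS:
        if isinstance(exc, exc_type):
            return ShieldedFault(code, message, cid)
    # Unknown or unexpected errors (DB, I/O, bugs) all collapse to one opaque server fault.
    return ShieldedFault("soap:Server", "Internal error", cid)


def invoke(handler, request):
    """Service boundary: every exception is shielded before a response leaves the process."""
    try:
        return handler(request)
    except Exception as exc:  # the boundary must catch everything, including what the handler forgot
        return shield(exc).to_soap()
```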
Users OUT SIDE Our Domain Need ACCESS
Direct Authentication needs us to maintain user credentials internally
We don’t have the credentials of external users
Direct Authentication doesn’t solve our problem
Can’t we delegate authentication to the external domain itself?
WS-TRUST
Brokered Authentication Pattern
Problem :
How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate
Brokered Authentication Pattern
Solution :
Delegate authentication to a third party that knows how to validate the user’s credentials; the service trusts the assertions issued by that particular third party
Brokered Authentication Pattern
Implementation(s) :
WS-Trust, OpenID, Information Cards, OAuth
How do we know the legitimacy of the third party?
Security Token Service?
Data Origin Authentication Pattern
Problem :
How do we prevent an attacker from manipulating messages in transit between a client and a web service?
Data Origin Authentication Pattern
Solution :
Validate message integrity and non-repudiation with message signature
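An added example covering both the Brokered Authentication pattern (WS-Trust style STS above) and the Data Origin Authentication pattern on this slide; it is illustration only, not code from the deck or from any WSO2 product. A Security Token Service authenticates the user directly and issues a signed assertion; the relying service holds no user passwords and accepts the assertion only if the issuer is on its trust list (the "legitimacy of the third party" question), the signature verifies, the audience matches and the token is in its validity window. The STS also hands the client a per-token proof key (holder-of-key, derived from the issuer key so the service can re-derive it without a per-client secret store), and the client signs each message body with it, which is what stops in-transit manipulation. The token format, the HMAC-SHA256 keyed signatures and the key derivation are assumptions: a real WS-Trust deployment issues SAML tokens with XML Signature over X.509 keys, and only such asymmetric signatures give non-repudiation; HMAC gives integrity and origin authentication among the key holders, nothing more.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(data: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, data, hashlib.sha256).digest())


def verify(data: bytes, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data, key), signature)


def proof_key(issuer_key: bytes, token_body: str) -> bytes:
    """Holder-of-key: per-token secret derived from the issuer key (assumed scheme), so the
    relying service can re-derive it from the token without storing client secrets."""
    return hmac.new(issuer_key, b"proof-key:" + token_body.encode("ascii"), hashlib.sha256).digest()


class SecurityTokenService:
    """The broker. It alone holds user credentials and performs direct authentication."""

    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self.key, self.users = name, key, users

    def issue(self, username: str, password: str, audience: str, now: int, ttl: int = 300):
        stored = self.users.get(username, "").encode("utf-8")
        if not hmac.compare_digest(stored, password.encode("utf-8")):
            raise PermissionError("authentication failed")
        claims = {"iss": self.name, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
        token = body + "." + sign(body.encode("ascii"), self.key)
        return token, proof_key(self.key, body)  # the proof key goes to the client only


class RelyingService:
    """Holds no user passwords; trusts only the issuers on its trust list."""

    def __init__(self, name: str, trusted_issuers: dict):
        self.name, self.trusted = name, trusted_issuers

    def validate_token(self, token: str, now: int):
        body, _, sig = token.partition(".")
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return None, None, "malformed token"
        if not isinstance(claims, dict):
            return None, None, "malformed token"
        issuer_key = self.trusted.get(claims.get("iss"))
        if issuer_key is None:
            return None, None, "untrusted issuer"  # legitimacy of the third party
        if not verify(body.encode("ascii"), issuer_key, sig):
            return None, None, "bad issuer signature"
        if claims.get("aud") != self.name:
            return None, None, "token for another audience"
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None, None, "token expired or not yet valid"
        return claims["sub"], proof_key(issuer_key, body), "ok"

    def handle(self, request: dict, now: int) -> str:
        subject, key, reason = self.validate_token(request["token"], now)
        if subject is None:
            return f"fault: {reason}"
        # Data origin authentication: the body must be signed under the proof key bound to
        # this token, so a tampered body or a token moved onto another message fails here.
        signed = request["token"].encode("ascii") + b"\n" + request["body"]
        if not verify(signed, key, request["sig"]):
            return "fault: message signature invalid"
        return f"ok: {subject} sent {request['body'].decode('utf-8')}"


def sign_request(body: bytes, token: str, key: bytes) -> dict:
    """Client side: bind the token and the body together under the proof key."""
    return {"body": body, "token": token, "sig": sign(token.encode("ascii") + b"\n" + body, key)}
```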
Our services access downstream resources with the authenticated user’s credentials
This could bring security risks and make downstream resources vulnerable to attacks
How about controlling user access to the downstream resources?
Service acts as the client, with the service’s own credentials
Trusted Sub System Pattern
Problem :
A consumer that accesses the backend resources of a service directly can compromise the integrity of those resources and leads to an undesirable form of implementation coupling.
![Page 60: Identity patterns and anit-patterns in real world web services](https://reader033.vdocuments.us/reader033/viewer/2022042813/54c2b68e4a795998098b461a/html5/thumbnails/60.jpg)
Trusted Sub System Pattern
Solution :
The service is designed to use its own credentials for authentication and authorization with backend resources, on behalf of the consumers
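An added example of the Trusted Subsystem pattern (illustration only, not code from the deck). The downstream store authenticates systems, not end users: it accepts only the service’s own identity and never sees a user credential. Because the service now reaches every row the store holds, the per-user authorization check has to live in the service, and the user identity is carried along only for the audit trail. The store, the service identity string and the ownership rule are assumptions for the example.

```python
import logging

log = logging.getLogger("orders-service")


class OrdersDatabase:
    """Downstream resource. Only identities in `allowed` (systems, not users) may query it."""

    def __init__(self, allowed: set, rows: dict):
        self.allowed, self.rows = allowed, rows

    def fetch(self, caller: str, order_id: int) -> dict:
        if caller not in self.allowed:
            raise PermissionError(f"{caller} may not access the orders database")
        return self.rows[order_id]


class OrdersService:
    """Trusted subsystem: calls the database with its own identity, so it must enforce
    per-user authorization itself before acting on a user's behalf."""

    IDENTITY = "orders-service"

    def __init__(self, db: OrdersDatabase):
        self.db = db

    def get_order(self, user: str, order_id: int) -> dict:
        # The database would hand this service any row; without the ownership check
        # the service becomes a confused deputy for whoever calls it.
        row = self.db.fetch(self.IDENTITY, order_id)
        if row["owner"] != user:
            log.warning("user=%s denied order=%s", user, order_id)
            raise PermissionError("not your order")
        # The user identity is propagated as context for the audit log, never as a credential.
        log.info("user=%s read order=%s via %s", user, order_id, self.IDENTITY)
        return row
```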
Patterns @ Work…
Message Interceptor Gateway Pattern
Problem :
Different deployed services could have different security policies, and a vulnerability in the weakest service could be exploited to create loopholes in the entire system.
Message Interceptor Gateway Pattern
Solution :
Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
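An added example of the Message Interceptor Gateway pattern (illustration only, not code from the deck). One dispatcher is the sole entry point; every inbound message passes the same interceptor chain before it is routed, and every reply passes the outbound chain, so a legacy service that does no checking of its own still gets the TLS, size and authentication policy applied. The message shape, the policies and the token-to-subject lookup (a stand-in for WS-Security or STS validation) are assumptions for the example.

```python
class Reject(Exception):
    """Raised by an inbound interceptor to stop the message at the gateway."""


class MessageInterceptorGateway:
    """Single entry point: uniform inbound policy, routing, uniform outbound policy."""

    def __init__(self, routes: dict, inbound, outbound):
        self.routes, self.inbound, self.outbound = routes, list(inbound), list(outbound)

    def dispatch(self, message: dict) -> dict:
        try:
            for interceptor in self.inbound:
                message = interceptor(message)  # each may rewrite the message or raise Reject
            handler = self.routes[message["service"]]
            reply = handler(message)
        except Reject as exc:
            reply = {"fault": str(exc)}
        except KeyError:
            reply = {"fault": "no such service"}
        except Exception:
            reply = {"fault": "internal error"}  # shielding applied once, at the edge
        for interceptor in self.outbound:
            reply = interceptor(reply)
        return reply


# Inbound policies (assumed for the example).
def require_tls(message):
    if message.get("scheme") != "https":
        raise Reject("TLS required")
    return message


def limit_size(max_bytes):
    def interceptor(message):
        if len(message.get("body", b"")) > max_bytes:
            raise Reject("payload too large")
        return message
    return interceptor


def require_token(valid_tokens: dict):
    """Stand-in for token validation: map token -> subject and attach the subject."""
    def interceptor(message):
        subject = valid_tokens.get(message.get("token"))
        if subject is None:
            raise Reject("authentication required")
        return {**message, "subject": subject}
    return interceptor


# Outbound policy: strip anything a backend might leak about its implementation.
def strip_internal_headers(reply):
    return {k: v for k, v in reply.items() if not k.startswith("x-internal-")}
```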
Thank You…!!!