soa - wsextension security.pptx

Upload: chirag-vora

Post on 14-Apr-2018


TRANSCRIPT

  • 7/27/2019 SOA - WSExtension Security.pptx

    1/30

Service Oriented Architecture (SOA)

Security: WS-* Extensions

2/30

Security

WS-Security

XML-Encryption

XML-Signature

3/30

What are WS-* Extensions?

The term "WS-*" has become a commonly used abbreviation that refers to the second-generation Web services specifications.

These are extensions to the basic Web services framework established by the first-generation standards represented by WSDL, SOAP, and UDDI. The term "WS-*" became popular because the majority of titles given to second-generation Web services specifications have been prefixed with "WS-".

(See www.specifications.ws for examples of WS-* specifications.)

4/30

The WS-Security framework governs a subset of these specifications and establishes a cohesive and composable security architecture.

The WS-Security framework provides extensions that can be used to implement message-level security measures. These protect message contents during transport and during processing by service intermediaries.

Additional extensions implement authentication and authorization control, which protect service providers from malicious requestors.

5/30

Security & SOA

Security measures can be layered over any message transmission to protect either the message content or the message recipient.

The WS-Security framework and its accompanying specifications therefore fulfill fundamental QoS requirements that enable enterprises to:

utilize service-oriented solutions for the processing of sensitive and private data

restrict service access as required

6/30

Security as it relates to policies, SOAP messages, and Web services

7/30

Service-oriented applications need to be outfitted to handle many of the traditional security demands of protecting information and ensuring that access to logic is granted only to those permitted.

However, the SOAP messaging communications framework, upon which contemporary SOA is built, emphasizes particular aspects of security that need to be accommodated by a security framework designed specifically for Web services.

8/30

List of Security Specifications

WS-Security

WS-SecurityPolicy

WS-Trust

WS-SecureConversation

WS-Federation

Extensible Access Control Markup Language (XACML)

Extensible Rights Markup Language (XrML)

XML Key Management (XKMS)

XML-Signature

XML-Encryption

Security Assertion Markup Language (SAML)

.NET Passport

Secure Sockets Layer (SSL)

WS-I Basic Security Profile

Two entries on this list are dated: SSL has been superseded by TLS, and the .NET Passport service has been retired.

9/30

Basic/Core Security Specifications

WS-Security

XML-Signature

XML-Encryption

Built on five security requirements:

Identification

Authentication

Authorization

Confidentiality

Integrity

10/30

Five common security requirements: identification, authentication, authorization, confidentiality, and integrity.

Example: withdrawing money from a bank with a withdrawal slip involves identification (the withdrawal slip), authentication (bank card and photo ID), and authorization (pass code and bank record).

11/30

Identification

For a service requestor to access a secured service provider, it must first provide information that expresses its origin or owner. This is referred to as making a claim.

Claims are represented by identification information stored in the SOAP header. WS-Security establishes a standardized header block (wsse:Security) that stores this information, at which point it is referred to as a token. The WS-Security token profiles define, among others, the UsernameToken, the BinarySecurityToken (typically carrying an X.509 certificate) and the SAML token.

12/30

Authentication

Authentication requires that a message delivered to a recipient prove that it is in fact from the sender it claims to be. In other words, the requestor must provide proof that its claimed identity is true.

A claim on its own (a username in the header) is only identification; the proof must be something that only the genuine sender can produce, such as a password digest bound to a nonce and a timestamp, or a signature made with the private key behind an X.509 certificate. The receiver should also refuse a proof it has already seen, because a captured token can otherwise be replayed.

13/30

Authorization

Once authenticated, the recipient of a message may need to determine what the requestor is allowed to do. This is called authorization.

14/30

Confidentiality

Confidentiality is concerned with protecting the privacy of the message contents. A message is considered to have remained confidential if no service or agent in its message path that was not authorized to do so has viewed its contents.

15/30

Integrity

Integrity ensures that a message has not been altered since its departure from the original sender. This guarantees that the message contents remained intact from the time of transmission to the point of delivery.

16/30

Transport-level Security

Secure Sockets Layer (SSL), for example, is a very popular means of securing the HTTP channel upon which requests and responses are transmitted (SSL has since been superseded by TLS, and the same observation applies to it). However, within a Web services-based communications framework, it can only protect a message while it is in transit between two adjacent endpoints: every service intermediary terminates the channel and handles the message in plaintext before forwarding it over a new one.

Hence, SSL only affords transport-level security.

17/30

Message-level Security

If, for example, a service intermediary takes possession of a message, it still may have the ability to alter its contents. To ensure that a message is fully protected along its entire message path, message-level security is required. In this case, security measures are applied to the message itself (not to the transport channel on which the message travels). Now, regardless of where the message may travel, the security measures applied go with it.

18/30

Encryption and Digital Signatures

Methods to preserve the confidentiality and integrity of XML documents:

Message-level confidentiality for an XML-based messaging format, such as SOAP, is provided through XML-Encryption.

Message integrity is ensured through XML-Signature.

19/30

Encryption (message confidentiality)

XML-Encryption, an encryption technology designed for use with XML, is a cornerstone of the WS-Security framework. It provides features with which encryption can be applied to an entire message or only to specific parts of the message (such as the password).

XML-Encryption can be applied to parts of a SOAP header, as well as to the contents of the SOAP body. Because the rest of the message stays in plaintext, the encrypted element should also be covered by a signature so that a substituted ciphertext is detected: the CBC block-cipher modes of XML Encryption 1.0 are known to be vulnerable to chosen-ciphertext (padding oracle) attacks, and XML Encryption 1.1 added AES-GCM for this reason.

20/30

Digital Signatures (message integrity)

To ensure message integrity, a technology is required that is capable of verifying that the message received by a service is authentic, in that it has not been altered in any manner since it was first sent. XML-Signature provides features that allow an XML document to be accompanied by a special algorithm-driven piece of information that represents a digital signature. This signature is tied to the content of the document, so that verification of the signature by the receiving service will only succeed if the content has remained unaltered since it was first sent.

Digital signatures also support the concept of non-repudiation, which can prove that a message containing a (usually legally binding) document was sent by a specific requestor and delivered to a specific provider. Non-repudiation requires an asymmetric signature: a keyed hash (HMAC) proves integrity to whoever holds the shared key, but not to a third party.

When signing a document, the XML-Signature can reside in the SOAP header, inside the wsse:Security header block. The signature refers to the signed parts by ID (for example a wsu:Id attribute on the SOAP body), so the receiving service must check that the element whose digest it verifies is the very element it goes on to process. Verifiers that look the ID up anywhere in the document are open to XML signature wrapping, in which the signed element is moved aside intact and an unsigned substitute is put in its place.
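Added example, not code from the slides or from any WS-Security implementation, covering the two points made on slides 17 and 20: the signature travels with the message and exposes an intermediary that alters the body, and the verifier must bind the signed element to the element it processes. The Python is standard library only (Python 3.8 or later, for ET.canonicalize). It uses the HMAC-SHA256 SignatureMethod that XML-Signature defines, with a constructed shared key, instead of an RSA key pair, and C14N 2.0 rather than the Exclusive C14N that WS-Security deployments use; the bank-transfer body, the attacker's wrapper element and all function names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
NS = {"s": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}
ID_ATTR = f"{{{WSU}}}Id"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)


def c14n(elem):
    """Canonical bytes of one subtree (stdlib C14N 2.0; real WS-Security uses Exclusive C14N)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True, rewrite_prefixes=True).encode()


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def mac(key, data):
    return base64.b64encode(hmac.new(key, data, "sha256").digest()).decode()


def build_envelope(command):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {ID_ATTR: "body"})
    ET.SubElement(body, "{urn:example:bank}Transfer").text = command
    return env


def sign_envelope(env, key):
    """Sender: detached ds:Signature in the wsse:Security header, referencing the Body by its wsu:Id."""
    body = env.find("s:Body", NS)
    sig = ET.SubElement(env.find("s:Header/wsse:Security", NS), f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", {"Algorithm": HMAC_SHA256})
    ref = ET.SubElement(si, f"{{{DS}}}Reference", {"URI": "#" + body.get(ID_ATTR)})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", {"Algorithm": SHA256})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64_sha256(c14n(body))
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac(key, c14n(si))  # signs SignedInfo, which holds the digest
    return ET.tostring(env)


def verify_envelope(xml_bytes, key, strict=True):
    """Receiver: (accepted, reason). strict=False is the naive Id lookup that signature wrapping defeats."""
    root = ET.fromstring(xml_bytes)
    sig = root.find("s:Header/wsse:Security/ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS) if sig is not None else None
    ref = si.find("ds:Reference", NS) if si is not None else None
    if ref is None:
        return False, "no usable Signature"
    if not hmac.compare_digest(mac(key, c14n(si)), sig.findtext("ds:SignatureValue", namespaces=NS) or ""):
        return False, "SignatureValue mismatch"
    target_id = ref.get("URI", "")[1:]
    candidates = [e for e in root.iter() if e.get(ID_ATTR) == target_id]
    body = root.find("s:Body", NS)  # the element the application will actually act on
    if body is None or not candidates:
        return False, "Body or referenced wsu:Id missing"
    if strict and (len(candidates) != 1 or candidates[0] is not body):
        return False, "signed element is not the Body that will be processed"
    signed = body if strict else candidates[0]
    if not hmac.compare_digest(b64_sha256(c14n(signed)), ref.findtext("ds:DigestValue", namespaces=NS) or ""):
        return False, "DigestValue mismatch"
    return True, "ok: " + (body.findtext("{urn:example:bank}Transfer") or "")


def wrap_attack(signed_xml, new_command):
    """Intermediary without the key: parks the signed Body (Id intact) in a Header wrapper, swaps in a new Body."""
    root = ET.fromstring(signed_xml)
    old_body = root.find("s:Body", NS)
    root.remove(old_body)
    ET.SubElement(root.find("s:Header", NS), "{urn:attacker}Wrapper").append(old_body)
    new_body = ET.SubElement(root, f"{{{SOAP}}}Body")  # no wsu:Id, so the Reference still resolves to the old Body
    ET.SubElement(new_body, "{urn:example:bank}Transfer").text = new_command
    return ET.tostring(root)


def demo():
    key = b"constructed-shared-key"  # a real deployment signs with a private key; HMAC keeps this stdlib-only
    signed = sign_envelope(build_envelope("transfer 10 to bob"), key)
    wrapped = wrap_attack(signed, "transfer 10000 to mallory")
    return {"valid": verify_envelope(signed, key),
            "tampered": verify_envelope(signed.replace(b"to bob", b"to mallory"), key),
            "wrapped_naive": verify_envelope(wrapped, key, strict=False),
            "wrapped_strict": verify_envelope(wrapped, key)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

The tampered message fails on the Body digest while its SignatureValue still checks out, which is exactly what an intermediary on a TLS hop-by-hop path could not have been caught doing. The wrapped message is the instructive one: every cryptographic check passes, and the naive verifier reports a valid signature over a body that says "transfer 10000 to mallory", because the element it verified is not the element the application reads. The strict verifier rejects it only because it insists that the referenced Id be unique and identical (by object identity) to the Body it will hand to the application.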


22/30

WS-Security

23/30

WS-Security

24/30

XML-Encryption

25/30

XML-Encryption

26/30

XML-Signature

A digital signature is a complex piece of information comprised of specific parts that each represent an aspect of the document being signed.

27/30

XML-Signature

XML-Signature establishes the Signature block, comprised of various algorithm pointers and parts from which the digital signature is derived.

28/30

Single Sign-On

Since services are autonomous and independent from each other, a mechanism is required to persist the security context established after a requestor has been authenticated. Otherwise, the requestor would need to re-authenticate itself with every subsequent request.

The concept of single sign-on addresses this issue. The use of a single sign-on technology allows a service requestor to be authenticated once and then have its security context information shared with other services that the requestor may then access without further authentication.

There are three primary extensions that support the implementation of the single sign-on concept:

SAML (Security Assertion Markup Language)

.NET Passport

XACML (eXtensible Access Control Markup Language)

Of these, SAML remains in wide use. .NET Passport was a proprietary Microsoft service that has since been retired, and XACML is strictly a language for expressing and evaluating authorization policies; it consumes the identity that a mechanism such as SAML establishes rather than providing single sign-on by itself.

29/30

SAML (Security Assertion Markup Language)

SAML implements a single sign-on system in which the point of contact for a service requestor can also act as an issuing authority. This permits the underlying logic of that service not only to authenticate and authorize the service requestor, but also to assure the other services the requestor requires that it has attained this level of clearance.

Other services that the service requestor contacts, therefore, do not need to perform their own authentication and authorization steps. Instead, upon receiving a request, they contact the issuing authority to ask for the authentication and authorization clearance the requestor originally obtained. The issuing authority provides this information in the form of assertions that communicate the security details. (The two types of assertions that contain authentication and authorization information are simply called authentication assertions and authorization assertions; SAML 2.0 formally defines three statement types, namely authentication, attribute and authorization decision statements.)

In common deployments the assertion is signed by the issuing authority and carried with the request, so a relying service verifies the signature against the issuer's known certificate rather than calling the issuer back. Before trusting it, the service must also check that the assertion was issued for it (AudienceRestriction), that the current time lies within its NotBefore/NotOnOrAfter window, and that the same assertion has not been presented before.
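Added example, not code from the slides, of the relying-service side of the SAML exchange described on slides 28 and 29: what a service checks before it accepts an assertion in place of authenticating the requestor itself. The Python is standard library only (Python 3.8 or later). Because the stdlib has no asymmetric signing, a hypothetical Mac element keyed per trusted issuer stands in for the ds:Signature an issuing authority really applies; the issuer, service and subject names, the 5-minute lifetime and the 60-second clock skew are assumptions of the example.

```python
import base64
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAC_TAG = "{urn:example:mac}Mac"  # hypothetical stand-in for ds:Signature (see lead-in)
NS = {"saml": SAML}
TS = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML)

# Constructed trust store of the relying service: issuer entityID -> key used to check that issuer's assertions.
TRUSTED_ISSUERS = {"https://idp.example.org": b"constructed-idp-key"}


def canonical(elem):
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True, rewrite_prefixes=True).encode()


def issue_assertion(issuer, key, subject, audience, now, lifetime=timedelta(minutes=5)):
    """Issuing authority: an authentication assertion for `subject`, scoped to one audience and a short window."""
    stamp = now.strftime(TS)
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex, "IssueInstant": stamp, "Version": "2.0"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": stamp, "NotOnOrAfter": (now + lifetime).strftime(TS)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": stamp})
    tag = hmac.new(key, canonical(a), "sha256").digest()  # over everything above, before the tag is appended
    ET.SubElement(a, MAC_TAG).text = base64.b64encode(tag).decode()
    return ET.tostring(a)


def accept_assertion(xml_bytes, my_entity_id, now, seen_ids, trusted=TRUSTED_ISSUERS, skew=timedelta(seconds=60)):
    """Relying service: (subject, None) if the assertion may be trusted for this service now, else (None, reason)."""
    a = ET.fromstring(xml_bytes)
    key = trusted.get(a.findtext("saml:Issuer", namespaces=NS))
    if key is None:
        return None, "untrusted issuer"
    tag_el = a.find(MAC_TAG)
    if tag_el is None:
        return None, "unsigned assertion"
    a.remove(tag_el)
    if not hmac.compare_digest(hmac.new(key, canonical(a), "sha256").digest(), base64.b64decode(tag_el.text or "")):
        return None, "bad signature"
    cond = a.find("saml:Conditions", NS)
    try:
        not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    except (AttributeError, TypeError, ValueError):
        return None, "missing or malformed Conditions"
    if now + skew < not_before or now - skew >= not_on_or_after:
        return None, "assertion not within its validity window"
    if my_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None, "assertion not intended for this service"
    if a.find("saml:AuthnStatement", NS) is None:
        return None, "no authentication statement"
    if a.get("ID") in seen_ids:
        return None, "assertion replayed"
    seen_ids.add(a.get("ID"))  # keep at least until NotOnOrAfter + skew
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), None


def demo():
    now = datetime(2018, 4, 14, 12, 0, tzinfo=timezone.utc)  # fixed clock, constructed for the example
    idp, key = "https://idp.example.org", TRUSTED_ISSUERS["https://idp.example.org"]
    sp = "https://payroll.example.com"
    seen = set()
    good = issue_assertion(idp, key, "alice", sp, now)
    return {
        "first_use": accept_assertion(good, sp, now + timedelta(seconds=30), seen),
        "replay": accept_assertion(good, sp, now + timedelta(seconds=31), seen),
        "expired": accept_assertion(good, sp, now + timedelta(minutes=10), set()),
        "other_audience": accept_assertion(issue_assertion(idp, key, "alice", "https://crm.example.com", now),
                                           sp, now, set()),
        "rogue_issuer": accept_assertion(issue_assertion("https://evil.example", b"evil", "alice", sp, now),
                                         sp, now, set()),
        "tampered": accept_assertion(good.replace(b">alice<", b">admin<"), sp, now, set()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

The order of the checks is deliberate: issuer trust and the signature come first so that nothing inside an unverified assertion influences a decision, and the audience check is what stops an assertion issued for one service (crm.example.com here) from being presented to another. The same signed assertion is accepted once and refused on its second presentation, which is the one-time-use rule the SAML bearer profiles require of a relying party.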

30/30

Mechanisms of SAML