summer school - security in soa
DESCRIPTION
TRANSCRIPT
![Page 1: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/1.jpg)
Security In SOA
WSO2 Security Team
![Page 2: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/2.jpg)
Do we need security.. It’s extra
cost right…?
![Page 3: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/3.jpg)
Everything comes at a cost… security is not an option
![Page 4: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/4.jpg)
… not an option.. But
a must..
![Page 5: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/5.jpg)
Security is NOT an option – it’s
a must
![Page 6: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/6.jpg)
Security should be by design –not an after
thought
![Page 7: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/7.jpg)
We run everything on
HTTPS – aren’t we yet secured…?
![Page 8: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/8.jpg)
It’s NOT the best of the
assumptions in the world you could make…
![Page 9: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/9.jpg)
LISTEN..!!! I know
HTTPS….
![Page 10: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/10.jpg)
HTTPS helps you transfer data from one
point to another point..
Securely..
![Page 11: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/11.jpg)
That is.. HTTPS helps
you to encrypt data
transferred between a
client and a server
![Page 12: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/12.jpg)
That’s all about confidentiality –
how about integrity?
![Page 13: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/13.jpg)
ConfidentialityThe assurance that a message
has not been read by anyone other than the intended
reader
![Page 14: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/14.jpg)
IntegrityThe assurance that data is complete and accurate
![Page 15: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/15.jpg)
AuthenticationThe verification of a claimed identity
![Page 16: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/16.jpg)
With HTTPS we can have
Confidentiality, Authentication
&Integrity
![Page 17: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/17.jpg)
Service
Client
Service Authenticates to the
client
![Page 18: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/18.jpg)
Service
Client
Mutual Authentic
ation
![Page 19: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/19.jpg)
Don’t think all our clients want to
have their own certificates – can
we have user name/password
instead???
![Page 20: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/20.jpg)
Easy thing –use BasicAuth over HTTPS
![Page 21: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/21.jpg)
Wait…. Basic auth sends username / password in
clear text..right?
![Page 22: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/22.jpg)
But – we are on HTTPS and it won’t be an issue… BTW what are the
other options…
![Page 23: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/23.jpg)
The other Option is to use Digest…
![Page 24: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/24.jpg)
Let’s summarize..
Securing web
services with HTTPS
![Page 25: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/25.jpg)
Let’s summarize..
1.Provides confidentiality
through encryption
![Page 26: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/26.jpg)
Let’s summarize.. 2.Service
authenticates to the client
via certificates
![Page 27: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/27.jpg)
Let’s summarize..
3.Client can authenticate
via certificates, basic auth /
digest
![Page 28: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/28.jpg)
I need a better subject… any guesses???
![Page 29: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/29.jpg)
That’s actually Transport-level
security
![Page 30: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/30.jpg)
OMG….I remember somebody saying Transport level
security – can be insufficient….??? Who said that…?
![Page 31: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/31.jpg)
Patience…. Sir.. It’s me….
![Page 32: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/32.jpg)
I can explain….
![Page 33: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/33.jpg)
Transport level security
secures a message only during the
transfer from one point to another point.
![Page 34: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/34.jpg)
In other words.. Only while the
message is on the wire…
![Page 35: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/35.jpg)
HTTPS HTTPS
![Page 36: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/36.jpg)
When we use Transport level security [SSL] our messages are not secured on ‘intermediaries’
![Page 37: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/37.jpg)
Not – just that –we cant even
encrypt only a part of the
message – if we depend on
transport level security
![Page 38: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/38.jpg)
Need a way to get rid of
transport level security….
![Page 39: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/39.jpg)
We can handle
security at the message level…
![Page 40: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/40.jpg)
That way – we can protect
entire message or even just a part of it….
![Page 41: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/41.jpg)
Just –confidentiality is NOT enough – we
need to think about adding Integrity and
Authentication at the Message
level…
![Page 42: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/42.jpg)
Let’s start with one by one – can anyone tell me
how do we support
authentication at the message level….???
![Page 43: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/43.jpg)
It’s simple – I will add a
custom SOAP HEADER
![Page 44: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/44.jpg)
<Credentials><UserName></UserName><Password></Password>
</Credentials>
![Page 45: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/45.jpg)
I don’t like having custom headers… that kills interoperability….
![Page 46: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/46.jpg)
Yes – true – we should not try to re-implement the wheel..
![Page 47: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/47.jpg)
Okay – then somebody explain –what do we have on
our hands…?
![Page 48: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/48.jpg)
Haven’t you guys heard of
WS-Security….
![Page 49: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/49.jpg)
It defines how to achieve
confidentiality, integrity and
authentication on SOAP messages…
![Page 50: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/50.jpg)
Let me clarify – ws-security doesn’t
define new security technology….
![Page 51: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/51.jpg)
It focuses on applying existing
security technologies to SOAP messages…
![Page 52: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/52.jpg)
Wow… exactly what we wanted…
![Page 53: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/53.jpg)
For authentication –
WS-Security defines
UsernameToken
![Page 54: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/54.jpg)
<wsse:UsernameToken wsu:Id="Example-1"><wsse:Username> ... </wsse:Username><wsse:Password
Type="..."> ... </wsse:Password><wsse:Nonce
EncodingType="..."> ... </wsse:Nonce><wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
![Page 55: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/55.jpg)
I looked into the WS-Security spec – but it does NOT provide enough
details on UsernameToken….
Where else should I look
into..?
![Page 56: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/56.jpg)
Here it is – you need to look into
the UsernameToken Profile spec…
![Page 57: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/57.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…
Securing web
services with
Message level
Security
![Page 58: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/58.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…1.Defined in WS-Security specification
![Page 59: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/59.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…
2.End to end security with support for confidentiality, integrity and authentication
![Page 60: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/60.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…3.UsernameToken can be used to authenticate users to the service.
![Page 61: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/61.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…4.UsernameToken can have password in clear text or as a digest.
![Page 62: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/62.jpg)
Let’s summarize.. Your findings on
Message level security and
Username Token…5.UsernameToken defined in UsernameToken Profile specification.
![Page 63: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/63.jpg)
Let’s move forward –how about
Encryption with Message level
security
![Page 64: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/64.jpg)
With WS-Security we can encrypt
Body, Header and any of those sub-
structures…
![Page 65: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/65.jpg)
Can somebody explains me how this encryption
happens???
![Page 66: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/66.jpg)
That is basically a shared symmetric
key….
![Page 67: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/67.jpg)
It can be with a key already shared or known to both the
service and the client
![Page 68: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/68.jpg)
We are going off the topic here.. Anyway here’s
some basic explanation….
![Page 69: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/69.jpg)
Symmetric key encryption
uses a shared key for both encryption
and decryption…
![Page 70: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/70.jpg)
Public key encryption
uses different keys for
encryption and
decryption…
![Page 71: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/71.jpg)
Let me add more….
![Page 72: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/72.jpg)
Symmetric key encryption is
fast…
![Page 73: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/73.jpg)
It can operate on large plain
text messages…
![Page 74: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/74.jpg)
Symmetric key encryption uses public
key encryption to manage shared
key distribution securely
![Page 75: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/75.jpg)
Okay..okay.. I know… AES, 3DES are
shared key encryption algorithms
![Page 76: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/76.jpg)
Back to the topic…. WS-Security can also use wrapped key encryption as
well…
![Page 77: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/77.jpg)
Got the point…. If shared key being used then both
client and service have to share the
key…..
![Page 78: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/78.jpg)
If client doesn’t have a key – then a
shared key will be derived through a
key wrapping algorithm with
service’s certificate
![Page 79: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/79.jpg)
That sounds good –even client not
having a cert – we still can have
encryption…. Let’s move to the other
aspect… Integrity…..
![Page 80: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/80.jpg)
WS-Security brings XML Signature in to
SOAP messages to achieve integrity….
![Page 81: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/81.jpg)
BTW.. Signature not only gives you
integrity – but also the non-repudiation
![Page 82: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/82.jpg)
Let me add little more… if you need to know bit more
about XML Signature
![Page 83: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/83.jpg)
XML Signature defines three types
of Signatures –enveloping,
enveloped and detached. WS-
Security utilizes only Detached…
![Page 84: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/84.jpg)
Okay – that’s enough… let’s start building the big picture on WS-
Security now… from what we have
discussed so far….
![Page 85: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/85.jpg)
XML SignatureXML
EncryptionUsername
Token ProfileX.509 Token
Profile
WS - Security
![Page 86: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/86.jpg)
Now we know how to authenticate users with
message level security….
![Page 87: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/87.jpg)
Also how to add
confidentiality…
![Page 88: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/88.jpg)
And.. Integrity and
non-repudiation…
![Page 89: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/89.jpg)
Now – the question is…
who should be able to access our system???
![Page 90: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/90.jpg)
All our employees
need access…
![Page 91: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/91.jpg)
Some of our partner
companies also need access…
![Page 92: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/92.jpg)
We maintain the credentials
of our employees - so we can easily authenticate
them…
![Page 93: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/93.jpg)
How can we authenticate users from partner
companies…
![Page 94: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/94.jpg)
Let’s create individual accounts to
each of them and maintain those records
locally….
![Page 95: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/95.jpg)
What a dumb idea is that… you want
to maintain thousands of
external domain user accounts internally…
![Page 96: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/96.jpg)
We need not to trust each individual belong
to our partner companies… we only trust them until they belong to our partner
companies…
![Page 97: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/97.jpg)
Exactly – we only trust our partners only… But
we can let their employees to access our system if the company says it’s okay to give
access…
![Page 98: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/98.jpg)
In simple terms now we need to find out a way to establish trust between our partner
companies…
![Page 99: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/99.jpg)
That’s simple… let’s accept requests from out-siders - only if those requests being signed by a trusted
partner…
![Page 100: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/100.jpg)
That sounds cool.. So we’ll be
maintaining a set of public certs of
trusted partners to validate signatures
![Page 101: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/101.jpg)
This only solves part of the
problem… how about our users
who need access to external system….
How do we sign all the requests when
they go out to external services…
![Page 102: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/102.jpg)
Listen… I found some thing
interesting – WS-Trust – this exactly
solves our problem….
![Page 103: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/103.jpg)
![Page 104: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/104.jpg)
We’ll be maintaining an STS –which is
connected to our internal user store
![Page 105: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/105.jpg)
Any of our users who needs access to an external
service will send a request to our internal
STS
![Page 106: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/106.jpg)
Need to authenticate him with a
Username Token
![Page 107: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/107.jpg)
Since the internal STS is connected to the internal user store – STS can verify user credentials
![Page 108: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/108.jpg)
Once the credentials
validated, the STS will issue a token with the required claims and sign it by our private key
![Page 109: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/109.jpg)
If the external service trusts our STS – our users will let
in…
![Page 110: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/110.jpg)
Sounds GREAT..!!! It’s the same for
external users who needs access to our services… we will only trust their
STS…
![Page 111: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/111.jpg)
Let me build the BIG
picture once again…..
![Page 112: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/112.jpg)
XML Signature
XML Encryptio
n
Username Token Profile
X.509 Token Profile
WS - Security
WS - Trust
![Page 113: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/113.jpg)
Now we have secured our system…..
![Page 114: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/114.jpg)
Also we know who to trust and how….
![Page 115: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/115.jpg)
But – how do we let other’s who work with us know security standards we
use….
![Page 116: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/116.jpg)
Ah… yes… when external users
accessing our system they must provide their email address
with all their requests….
![Page 117: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/117.jpg)
Not – just that –they also have to
know encryption/signature algorithms we use….
![Page 118: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/118.jpg)
Also – we are not going to encrypt entire message – only some parts – so we need to tell them which parts
to encrypt…
![Page 119: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/119.jpg)
I am going to prepare a document which includes all our
security requirements..
![Page 120: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/120.jpg)
- Requires Email address…
- Encryption algorithms AES
- Encryption key size 256
- Encryption algorithms AES
- All the parts in the <Body> must be signed
- Parts to be encrypted depends on the service…
![Page 121: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/121.jpg)
Looks good… we need to extend this
further…And this is our security policy…
![Page 122: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/122.jpg)
There should be a standard way of
communicating our security policy to others… let me
Google….
![Page 123: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/123.jpg)
Oh.. Yes.. WS-SecurityPolicy…
![Page 124: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/124.jpg)
We can use it to express security requirements of a Web service according
to, What needs to be
protected…What tokens to use…Algorithms, reference
types, etc….
![Page 125: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/125.jpg)
We need to have different security policies for
different services… how can we associate a
security policy with a given service….
![Page 126: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/126.jpg)
That’s simple – you can point to a policy
from the WSDL
![Page 127: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/127.jpg)
But .. People may access our service
with SOAP1.1 over HTTP, SOAP 1.2
over HTTPS, SOAP 1.1 over JMS…
![Page 128: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/128.jpg)
We may need to change our policy based on different ways people
access…. If we have this pointed in WSDL – it
will be same for all those cases… right….?
![Page 129: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/129.jpg)
Okay – you want to change the
policy based on the message format and the protocol
![Page 130: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/130.jpg)
That is… you want to have different security policies
for different ‘bindings’… that is possible and it’s
the recommendation…
![Page 131: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/131.jpg)
<wsdl:binding name="HelloServiceSoap11Binding“type="ns:HelloServicePortType">
<wsp:PolicyReference xmlns:wsp=“" URI="#SgnEncrUsername" />
<soap:bindingtransport=http://schemas.xmlsoap.org/soap/httpstyle="document" />
<wsdl:operation name="greet"><soap:operation soapAction="urn:greet“
style="document" /><wsdl:input>
<soap:body use="literal" /></wsdl:input><wsdl:output>
<soap:body use="literal" /></wsdl:output>
</wsdl:operation></wsdl:binding>
![Page 132: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/132.jpg)
Now.. Let’s see how we can express some of our
requirements in WS-SecurityPolicy
![Page 133: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/133.jpg)
UsernameToken should be included….
![Page 134: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/134.jpg)
<wsp:Policy><sp:UsernameToken sp:IncludeToken=“”/>
</wsp:Policy>
![Page 135: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/135.jpg)
We should accept UsernameToken –only if they are
signed…
![Page 136: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/136.jpg)
<sp:SignedSupportingTokens xmlns:sp=""><wsp:Policy><sp:UsernameToken sp:IncludeToken=“"/>
</wsp:Policy></sp:SignedSupportingTokens>
![Page 137: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/137.jpg)
Will be using AES with 256
key size…
![Page 138: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/138.jpg)
<sp:AlgorithmSuite><wsp:Policy>
<sp:Basic256/></wsp:Policy>
</sp:AlgorithmSuite>
![Page 139: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/139.jpg)
We need entire <Body> of the message to be
signed…
![Page 140: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/140.jpg)
<sp:SignedParts><sp:Body/>
</sp:SignedParts>
![Page 141: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/141.jpg)
How about encrypting just a
part of the <Body>….
![Page 142: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/142.jpg)
<sp:EncryptedElements XPathVersion="xs:anyURI"? ... ><sp:XPath>xs:string</sp:XPath>+ ...
</sp:EncryptedElements>
![Page 143: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/143.jpg)
Also… we need to express the
requirement for the required claim set….
![Page 144: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/144.jpg)
<sp:RequestSecurityTokenTemplate xmlns:t=""><t:TokenType>
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
</t:TokenType><t:KeyType >
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
</t:KeyType><t:KeySize>256</t:KeySize><t:Claims Dialect=http://wso2.org/claims xmlns:ic=""><ic:ClaimType Uri="http://wso2.org/claims/email" /></t:Claims>
</sp:RequestSecurityTokenTemplate>
![Page 145: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/145.jpg)
That’s it… let’s move forward… Now we are
secured.. We know who to trust and how
to trust…
![Page 146: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/146.jpg)
We also know how to communicate our
security requirements to the rest….
![Page 147: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/147.jpg)
Let me build the BIG
picture once again…..
![Page 148: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/148.jpg)
XML Signature
XML Encryptio
n
Username Token Profile
X.509 Token Profile
WS - Security
WS - Trust
WS-Policy
WS-SecurityPo
licy
![Page 149: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/149.jpg)
Now we need to find out a way to
put this all-together…
![Page 150: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/150.jpg)
We should not expose all our services
directly to external domain…
![Page 151: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/151.jpg)
Agreed – having multiple entry point into the system could create security holes…
![Page 152: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/152.jpg)
Let’s make sure we authenticate and authorize
users centrally…. And we can load balance on that
end point….
![Page 153: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/153.jpg)
So let’s not expose any of our services to out
side….
![Page 154: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/154.jpg)
We can have proxy service and in front
and only the authenticated and authorized requests will flow through to the internal services…
![Page 155: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/155.jpg)
Authentication Module
Authorization Module
Service A
Service B
Service C
![Page 156: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/156.jpg)
This is a familiar security pattern…
Message Interceptor Gateway…
![Page 157: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/157.jpg)
Authentication Module
Authorization Module
Service A
Service B
Service C
Let me improve the diagram a
bit…..
LDAP
![Page 158: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/158.jpg)
Anybody knows what the authorization module does…? We need fine grained authorization….
![Page 159: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/159.jpg)
Yes.. Exactly… we need a way to say.. Users belong to the role X
can access Resource Y only during this particular time…
![Page 160: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/160.jpg)
We should also be able to say – any
users belong to role Z cannot access any
resources….
![Page 161: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/161.jpg)
That’ s simple – give me your requirement – I’ll right a policy
for it –and Authorization
module will evaluate it…
![Page 162: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/162.jpg)
Oh..NO… don’t panic – we need not to
reinvent the wheel… this what exactly XACML does…..
![Page 163: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/163.jpg)
Sounds good – we should go ahead with
the standards….
![Page 164: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/164.jpg)
I know XACML….
![Page 165: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/165.jpg)
It’s a specification
which defines how to
implement fine grained
authorization in a standard way…
![Page 166: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/166.jpg)
Let me add XACML to out architecture diagram…
![Page 167: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/167.jpg)
Now – under the XACMl
terminology, our Authorization
module will act as the Policy Evaluation Point [PEP]
![Page 168: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/168.jpg)
Authentication Module
Authorization Module [PEP]
Service A
Service B
Service C
LDAP
![Page 169: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/169.jpg)
PEP is not just enough – we need to have a XACML engine
to act as a Policy Decision Point….
![Page 170: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/170.jpg)
Yes…. Policy decision is made
at the PDP –PEP will build
the Auth’Z request and
contact PDP… let’s bring PDP to
the picture…
![Page 171: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/171.jpg)
Authentication Module
Authorization Module [PEP]
Service A
Service B
Service C
LDAP
PDP
![Page 172: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/172.jpg)
Then again –PDP has to
retrieve XACML policies from a policy store….
![Page 173: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/173.jpg)
Authentication Module
Authorization Module [PEP]
Service A
Service B
Service C
LDAP
PDP
Policy Store
![Page 174: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/174.jpg)
How do we going to add new policies… we also need to have a
policy administration point…
![Page 175: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/175.jpg)
Authentication Module
Authorization Module [PEP]
Service A
Service B
Service C
LDAP
PDP
Policy Store
PAP
![Page 176: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/176.jpg)
Let’s celebrate – we completed the
security design for our backend
services…
![Page 177: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/177.jpg)
Now… we need to think about how we authenticate users at the front-end….
![Page 178: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/178.jpg)
I hate passwords… how many
passwords I have to remember even
now… If this going to add another
password to that list – I am against it…
![Page 179: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/179.jpg)
I agree – too many password is a
problem…
![Page 180: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/180.jpg)
See… even within our company we need to have
different passwords to
access different systems…
![Page 181: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/181.jpg)
Okay… let’s solve the too many passwords
problem…
![Page 182: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/182.jpg)
Hey…. We need not to worry about it…
OpenID is for that…
![Page 183: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/183.jpg)
Also – OpenID facilitates
decentralized single sign on…
![Page 184: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/184.jpg)
That’s great – if we use OpenID – we only
sign in once…
![Page 185: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/185.jpg)
How can we implement this…?
![Page 186: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/186.jpg)
First thing… our web application needs to be an OpenID relying party…. That is our application will accept OpenID
logins….
![Page 187: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/187.jpg)
Also – we can run our own
OpenID Provider…
![Page 188: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/188.jpg)
Then all our web applications
will redirect users to our own OpenID Provider
for authentication….
![Page 189: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/189.jpg)
I don’t like OpenID – it’s
phishing heaven…
![Page 190: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/190.jpg)
Hey.. Man… You got it wrong… Phishing is a
separate issue –OpenID doesn’t try to address Phishing…
![Page 191: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/191.jpg)
Then who’s going to solve the
problem of solving
phishing…?
![Page 192: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/192.jpg)
Heard of Information Cards…??? It’s
going to address the issue of phishing…
![Page 193: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/193.jpg)
I know Information cards… it’s an
application of WS-Trust….
![Page 194: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/194.jpg)
We already decided to run an STS – so
we can easily become an information cards
provider too…..
![Page 195: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/195.jpg)
Then what…???
![Page 196: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/196.jpg)
Then – at the OpenID provider – we can
ask users to authenticate with
information cards –in a phishing
resistant manner….
![Page 197: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/197.jpg)
Great.. That sounds perfect….
![Page 198: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/198.jpg)
Okay.. We are almost done…
![Page 199: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/199.jpg)
But… yet we need to figure out how
to implement this…
![Page 200: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/200.jpg)
Remember guys…. The cost matters
the most….
![Page 201: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/201.jpg)
Yes.. We can’t let product vendors
kill us…
![Page 202: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/202.jpg)
So… let’s figure out available open source options
first….
![Page 203: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/203.jpg)
Let’s use WSAS to deploy our services…
![Page 204: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/204.jpg)
Who knows more about WSAS….?
![Page 205: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/205.jpg)
It is an open source, enterprise-
ready, Web services engine
based on Apache Axis2….
![Page 206: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/206.jpg)
Authentication Module
Authorization Module [PEP]
LDAP
PDP
Policy Store
Service C
Service B
Service A
PAP
![Page 207: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/207.jpg)
Now… What.. Anybody knows an open source XACMl engine….
![Page 208: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/208.jpg)
WSO2 Identity Server can do it
for sure…
![Page 209: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/209.jpg)
It’s not just an XACML engine… we can use it as
our OpenID Provider as well…
![Page 210: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/210.jpg)
Also… it comes with an
Information Card provider…
![Page 211: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/211.jpg)
Wow… that looks perfect for us…
let’s see how this fits into our architecture diagram….
![Page 212: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/212.jpg)
Authentication Module
Authorization Module [PEP]
LDAP
Policy StoreService
CService
BService
A
PAP
PDP
![Page 213: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/213.jpg)
Looks good…. hmm… a question – can we deploy Identity Server over our LDAP
server…?
![Page 214: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/214.jpg)
Yes…. That’s a must – we need to use our existing
user store….
![Page 215: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/215.jpg)
That’s easy – you can simply
connect Identity Server to our LDAP server…
![Page 216: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/216.jpg)
Exactly – it’s a matter of a simple
configuration…
![Page 217: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/217.jpg)
Okay…. That sounds good.. So… Identity Server will be our
XACMl engine, OpenID Provider and also the Information
Card provider….
![Page 218: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/218.jpg)
Authentication Module
Authorization Module [PEP]
Policy StoreService
CService
BService
A
PAP
PDP
LDAP
![Page 219: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/219.jpg)
How about the STS…? Can we use Identity Server for
that…?
![Page 220: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/220.jpg)
One more thing… we need the STS to be claim aware…
![Page 221: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/221.jpg)
… it should connect to our LDAP and pick
the user attributes from there… can Identity Server do
it?
![Page 222: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/222.jpg)
Look at this… you can do it with
Identity Server…
![Page 223: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/223.jpg)
… it has this claim management
component… we can easily configure
Identity Server STS to use our LDAP…
![Page 224: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/224.jpg)
Authentication Module
Authorization Module [PEP]
Policy StoreService
CService
BService
A
PAP
PDP
LDAP
STS
![Page 225: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/225.jpg)
Looks perfect…. What else missing…
![Page 226: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/226.jpg)
How about using WSO2 ESB… as
the service bus…?
![Page 227: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/227.jpg)
Yes… that helps us implementing
Message Interceptor
Gateway pattern easily…
![Page 228: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/228.jpg)
See this… it comes with an
Entitlement Mediator –which can
connect to the Identity Server’s XACMl engine…
![Page 229: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/229.jpg)
Wow…!!! I like whatever makes us less work…
![Page 230: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/230.jpg)
Who knows more about
WSO2 ESB….?
![Page 231: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/231.jpg)
It enables the loose-coupling of services, connecting systems
in a managed virtualized manner….
![Page 232: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/232.jpg)
…. allowing administrators to control and direct communication
without disrupting existing applications
![Page 233: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/233.jpg)
Policy StoreService C
Service B
Service A
PAP
PDP
LDAP
STS
Authentication Module
Authorization Module [PEP]
![Page 234: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/234.jpg)
Okay…. Now we need a policy
store….
![Page 235: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/235.jpg)
Let me.. Suggest this time… WSO2
Governance Registry will do
that….
![Page 236: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/236.jpg)
So.. Clever I also found the same… It’s very
much more than just a policy store – or a registry…
![Page 237: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/237.jpg)
…It is an enterprise-ready
open source product for
governing SOA deployments…
![Page 238: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/238.jpg)
Sounds great.. Let’s update the
diagram… we are almost getting to
the end….
![Page 239: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/239.jpg)
Service C
Service B
Service A
PAP
PDP
LDAP
STS
Authentication Module
Authorization Module [PEP]
![Page 240: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/240.jpg)
Looks great..!!! Finally we came up with a fully
open source solution for our security design…
![Page 241: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/241.jpg)
Thanks a lot… for your
participation…
![Page 242: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/242.jpg)
Time for questions… I am sure you guys
have many….???
![Page 244: Summer School - Security in SOA](https://reader033.vdocuments.us/reader033/viewer/2022051412/54825c3db47959050d8b4799/html5/thumbnails/244.jpg)
Thank You…!!!