Web Services Enhancement - PowerPoint PPT Presentation


Title: Web Services Enhancement


1
  • Web Services Enhancement
  • WSE 2.0
  • Security and Messaging
  • ???? ????
  • yair_at_wsdl.org.il

2
??????
  • Web Services Enhancement 2.0
  • ?? ?? ??? ????
  • Service Oriented Architecture (SOA)
  • WS-Security and WS-Policy
  • ?????, ????? ?????? ??????? SOAP
  • ????? ???????? ????? X.509 ?? ?????? ????.
  • ????? ????? ??????? ???????/?????? ??? ??? ???.
  • Messaging and WS-Addressing
  • ?????
  • ??????, ???????, ??????? ???, ?????? ?????? ?????

3
?? ?? ???? ????- Web Service
  • "????" ?? ?????? ?????? ?? ??????? ????? ?????
    ??????

4
SOAP
  • XML-based protocol for the exchange of structured
    and typed information between peers in a
    decentralized, distributed environment

5
SOAP Envelope
  • A SOAP envelope defines an optional header and a
    mandatory body

  • Header: infrastructure semantics
  • Body: application semantics

6
?????? SOAP ???? WSE
Request (SOAP 1.2)

<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
            xmlns:a='http://schemas.xmlsoap.org/ws/2003/03/addressing'>
  <s:Header>
    <a:To>http://example.org/weather/us</a:To>
    <a:Action>http://example.org/weather/forecast</a:Action>
    <a:ReplyTo>. . .</a:ReplyTo>
  </s:Header>
  <s:Body> . . . </s:Body>
</s:Envelope>

Response (SOAP 1.2)

<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
            xmlns:a='http://schemas.xmlsoap.org/ws/2003/03/addressing'>
  <s:Header>
    <a:To>http://example.org/weatherrequestor</a:To>
    <a:Action>http://example.org/weather/forecastR</a:Action>
    <a:RelatesTo RelationshipType='a:Response'> . . . </a:RelatesTo>
  </s:Header>
  <s:Body> . . . </s:Body>
</s:Envelope>

7
Service Oriented Architecture
  • ?????? ???????
  • ????????? ??? ????
  • ?????? Schema ?? (wsdlxsd) Class
  • ?????? ?????? ??????? (ws-policy)

8
Microsoft ??????? ???? -????? ???
  • ?? ???? ??? ????!
  • Indigo ?????
  • ????? ASMX, Enterprise Services, .Net Remoting
  • Service Oriented for the Average Person ????
    ???? ?COM
  • ???? ?? ???? ????????? (CLR) ?? ???? ???????
    (SERVICES)
  • ??? ??? ??????/??????
  • WSE- ??? ??????
  • ???????security , messaging
  • ????? ???? ws-mashoo ?? ???? ????? Indigo
  • ???? ??????????
  • ??? ?? ????.
  • ???? ????? ????
  • ????? ???? !

9
WSE
10
Process Model
  • SOAP messages are processed as they cross
    application boundaries utilizing a pipeline of
    filters
  • Filters are responsible for processing SOAP
    headers

11
Receiving a message
[Diagram labels: .exe, IIS, Custom token handlers, Custom Policy handlers, WSERuntime, Policy, Routing, Security, Timestamp]

12
Sending a message
[Diagram labels: .exe, IIS, Custom token handlers, Custom Policy handlers, WSERuntime]

13
Advanced Web Services Specifications
14
Security
  • SSL vs. WS-Security
  • Authentication
  • Authorization
  • Signatures
  • Asymmetric Encryption
  • Policy

15
Secure Communication: Protocol-level security (i.e. SSL)
  • Encrypts the entire message
  • Sender must trust all intermediaries
  • Restricts protocols that can be used (i.e. https)

SSL Only Secures The Pipes!

16
Security in the Message
  • HTTP security (SSL) is point-to-point
  • WS-Security provides context over multiple end
    points.

17
Web Service Security Foundations
  • Authentication: who are you?
  • Authorization: what are you allowed to do?
  • Secure Communication
  • Confidentiality: can anyone else understand what
    you're saying?
  • Integrity: has the message been tampered with?

18
WSE 2.0 - Security
  • UserName Security Tokens
  • Derived userNameToken
  • Principals
  • X.509 Security Tokens
  • NEW Support for Kerberos Security Tokens
  • Works with Windows Integrated Security

19
Authentication With Username Tokens
20
Authorization Techniques
  • Programmatic

    If token.Principal.IsInRole("yairLap/testers") Then
        ' Allow user to perform action
    End If

  • Policy-based
  • WSE supports the use of Policy for Role-based
    Authorization
  • Works without having to write code

21
Derived Security Token
  • The DerivedKeyToken creates a different key for
    each message
  • Ensures a different key is used for each message
  • Makes a ciphertext-only attack more difficult
  • Use it wherever possible!

22
Role-Based Custom Authentication With Username Tokens
23
Cryptography Review
24
Creating A Digital Signature
[Diagram labels: Message or File (sample text "WSE provides great security for services"), Hash Function (SHA, MD5), 128 bits Message Digest, Asymmetric Encryption, Digital Signature]

25
Verifying A Digital Signature
[Diagram labels: Digital Signature (sent with message), Asymmetric Decryption, Original Message (sample text "WSE provides great security for services"), Same Hash function]

26
Signing Messages
27
Message Encryption: Sender
[Diagram labels: Generated Key (Symmetric), Receiver's Public Key, Encrypt, Encrypted Key; sample message "WSE provides great security for services"]

28
Message Encryption: Receiver
[Diagram labels: Receiver's Private Key, Encrypted Key, Decrypt; sample message "WSE provides great security for services"]

29
Binary Tokens
  • X509 Tokens
  • Provides a way to encode X509 certificates
  • Supplied by Certificate Authority such as Windows
    Certificate Services
  • Contains public key and digital signature from
    Certificate Authority
  • Supports asymmetric encryption and signing

30
Binary Tokens
  • Kerberos Tokens
  • Encodes Kerberos Tickets
  • Supports signing and encryption using a symmetric
    key
  • Retrieved from Kerberos Distribution Centre
  • WSE automatically creates Principal
  • Custom Tokens
  • WSE supports custom Binary and XML tokens

31
Signing & Encryption With X509 Certificates
32
Secure Conversation
Request for SCT
SCT Issued to client
Series of messages signed with issued SCT
Client
Server
33
WSE2.0 Security Policy
  • ????? ?????? ????? ???? ?????? ??????
  • ?? ???? ? - Security Tokens
  • ??? ?????? ?? ????? ?? ??? ?? ??? ?
  • ??? ???? ???????? ????? ?
  • Role membership restrictions

?? ????? ????? ??????, ??? ????? ?-Administrator
WS-Policy WS-PolicyAssertions WS-SecurityPolicy
34
Policy: WS-SecurityPolicy
  • Describes the security requirements of a web
    service
  • Provides a way of specifying
  • Supported Token types
  • Signing and encryption requirements
  • Role-based authorization decisions
  • Secure Conversation requirements

35
Configuring Security Policy
36
Transporters
  • WSE 2 allows developers to build custom network
    transports.
  • Custom transports allow the transmission of SOAP
    messages over network transports other than HTTP
  • The following pages provide sample code for WSE 2
    custom transports
  • Soap.smtp (http://hyperthink.net/blog/PermaLink,guid,d337a6f5-a0c8-45b8-920e-132391eedc31.aspx)
  • Soap.udp (http://www.dynamic-cast.com/mt-archives/000056.html)
  • Soap.sql (http://mtaulty.com/blog/archive/2004/06/10/465.aspx)
  • Soap.msmq (http://www.codeproject.com/useritems/SoapMSMQ.asp)
  • Soap.mmfile (http://www.mug.org.ar/CSharp/DescargasCS/DescargasCSCode/Downloads_GetFile.aspx?id=659)
  • Soap.namedpipes (http://www.mug.org.ar/CSharp/DescargasCS/DescargasCSCode/Downloads_GetFile.aspx?id=660)

37
WSE 2.0 TCP Messaging
  • Communication within a process
  • Over TCP asynchronously
  • Over TCP in Request/Response manner
  • ??? ?????? ??????

38
WSE 2.0 Addressing
  • WS-Addressing
  • WS-Addressing vs. WS-Routing (WSE 1.0)
  • To
  • From
  • Action
  • SOAPAction HTTP
  • Action - Non HTTP
  • ReplyTo
  • Fault

39
Microsoft Web Services Tools Roadmap
[Roadmap chart. Product rows: Indigo, Web Services Enhancements, .NET Framework, SOAP Tool Kit. Version and milestone labels: V1.0, V1.1, V2.0, V3.0, SDK, Beta 1, Beta 2 (? Go Live), Longhorn]

40
Resources (Links)
  • http://msdn.microsoft.com/webservices
  • http://www.ws-i.org
  • http://www.magen.co.il

41
?????
  • Web Services Enhancement 2.0
  • ?? ?? ??? ????
  • Service Oriented Architecture (SOA)
  • WS-Security and WS-Policy
  • ?????, ????? ?????? ??????? SOAP
  • ????? ???????? ????? X.509 ?? ?????? ????.
  • ????? ????? ??????? ???????/?????? ??? ??? ???.
  • Messaging and WS-Addressing
  • ?????
  • ??????, ???????, ??????? ???, ?????? ?????? ?????