Application of XML Schema in Web Services Security
1
  • Application of XML Schema in Web Services Security

Sridhar Guthula
W3C XML Schema 1.0 User Experiences, 06-21-2005
2
About me
  • 10 years in the enterprise software business
  • XML focus since 1998
  • Projects
    • XML Schema 1.0 validation engine, SOAP security
      framework, XSLT 1.0 compiler, hardware-based XML
      parser
    • Large XML-based language for a declarative
      constraint engine
    • Storing XML documents in an RDBMS
    • XML Schemas for catalog services, XML-based RPCs
      and workflow systems

3
QuickTree SOAP Security Module (SSM)
  • Designed from the ground up with OEM integration
    in mind, the SSM hides the complexities of XML
    processing and allows network equipment such as
    firewalls, SSL VPN devices and load balancers to
    inspect and secure Web Services traffic.

4
SOAP Security in the Network
5
Features
  • XML Denial of Service Prevention - Checking for
    XML well-formedness, nested element depth,
    element length, message size, external entities,
    attribute length, etc.
  • WSDL Based Access Control - Limit a user's or
    group's access to particular services or
    operations defined in the WSDL file
  • SOAP Structural and Parameter Validation
    - Reject structurally invalid SOAP messages and
    apply parameter validation using type checking,
    with full support for regex-based schema types
  • SQL and Command Injection Protection - Detect
    and block command injection attacks, commonly
    hidden as valid parameters
  • Streaming mode interface - XML messages can be
    forwarded to the QuickTree module as they come in,
    without blocking

6
QuickTree SOAP Security Module (SSM)
7
User Experience

8
WSDL Based Validation
  • XML Schema 1.0 validation engine (C based)
  • Generate a schema by combining WSDL, XML Schema and
    SOAP
  • Streaming and hardware-based
  • Structural validation vs. data-type validation
  • ACLs
  • Issues
    • Schema specification
    • XML Schemas with multiple target namespaces
    • xsi:type and encoding style
    • Mapping WSDL/SOAP types to XML Schema types (e.g.
      soapenc:arrayType)
    • Versioning

9
Compliance Levels
  • Support compliance/conformance levels (like
    internationalization standards)
  • Structural validation and/or data-type validation
  • Data-centric or content-centric
  • The lack of distinct compliance levels leads
    vendors to claim full XML Schema compliance.
  • Reduced user confusion and reduced cost in
    investigating vendor compliance.

10
XML Denial of Service Prevention
  • Checking for XML well-formedness, nested element
    depth, element length, message size, external
    entities, attribute length, etc.
  • Most XML Schema designers do not consider
    security
  • Policies: QuickTree provides global and
    user-specific policies
  • Implemented through type inheritance and facets
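
The streaming checks listed on this slide and on the Features slide, as an added example that is not QuickTree's code: a stdlib-only Python guard that feeds a SOAP message through expat chunk by chunk and rejects it on nesting depth, element text length, attribute length, message size, any DOCTYPE (which covers entity expansion and external entities) or a well-formedness error. The limit values in LIMITS are assumed, and the sample messages are constructed.

```python
import xml.parsers.expat as expat

# Assumed limit values; the slide does not give QuickTree's own defaults
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 32, "max_text": 4096, "max_attr": 1024}

class Rejected(Exception):
    pass  # raised inside an expat handler; expat stops and Parse() re-raises it

def check_message(chunks, limits=LIMITS):
    """Feed byte chunks through expat without buffering the whole message.
    Returns None if every limit holds, otherwise the reason for rejection."""
    parser = expat.ParserCreate()
    state = {"depth": 0, "text": 0, "seen": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["text"] = 0  # simplification: text is counted per innermost element
        if state["depth"] > limits["max_depth"]:
            raise Rejected(f"element depth {state['depth']} exceeds {limits['max_depth']}")
        for key, val in attrs.items():
            if len(val) > limits["max_attr"]:
                raise Rejected(f"attribute {key} exceeds {limits['max_attr']} characters")

    def end(name):
        state["depth"] -= 1
        state["text"] = 0

    def chars(data):  # expat may deliver one element's text in several pieces
        state["text"] += len(data)
        if state["text"] > limits["max_text"]:
            raise Rejected(f"element text exceeds {limits['max_text']} characters")

    def doctype(name, sysid, pubid, has_internal_subset):
        # Refusing any DTD rules out entity expansion and external entities
        raise Rejected("DOCTYPE declarations are not accepted")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    try:
        for chunk in chunks:
            state["seen"] += len(chunk)
            if state["seen"] > limits["max_bytes"]:
                return f"message size exceeds {limits['max_bytes']} bytes"
            parser.Parse(chunk, False)  # each chunk is checked as it arrives
        parser.Parse(b"", True)  # end of message: catches unclosed elements
    except Rejected as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"not well-formed: {exc}"
```

A message that passes returns None; the first violated limit is reported as a string, so a front-end device can drop the connection before the rest of the message is read.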

11
Validating Canonical XML
  • Support for validating canonical XML
  • The canonical form of a valid XML instance should be
    valid

12
Views or Aspects
  • A given XML Schema is viewed in a different light by
    different users (network admin, application
    engineer, customer)
  • Support for different aspects on the same XML
    Schema
  • Example: security aspect
    • Conformance/compliance levels: only do
      structural validation
    • Ignore order/canonicalization: the canonical form
      of a valid XML instance should be valid
    • DoS configuration values
    • xsi:type support

13
Contact Info
  • Sridhar Guthula
  • 855 Embedded Way
  • San José, CA 95138-1018
  • USA
  • 408-979-4800
  • sguthula_at_quicktree.com

14
Q & A