Secure Web Services with Apache Rampart/C - PowerPoint PPT Presentation

Slides: 26
Provided by: people4
Learn more at: http://people.apache.org

Transcript and Presenter's Notes

1
Secure Web Services with
Apache Rampart/C
2
Why secure web services?
The world is not as nice as it seems!!!
3
Threats
  • Common to distributed systems
  • Specific to web services

4
Common threats
  • Message replays
  • Identity spoofing
  • DoS attacks
  • Message alteration (integrity)
  • Confidentiality issues

5
Threats on web services
  • Public disclosure via UDDI and WSDL
  • SOAP bound to HTTP/SMTP can easily pass through
    firewalls
  • Unpredictable order of service invocation
  • Less human scrutiny
  • Limitations of SOAP
      • Origin verification
      • Integrity, confidentiality

6
That's why...
  • WS-Security

7
Transport-Level vs. Message-Level Security
8
Why Message Level Security?
  • Multiple intermediaries
  • Operations on messages
  • Observation
  • Security even after delivery
  • Non-repudiation
  • Secure specific parts of the message

9
Rampart/C Features
  • Timestamps
  • Username Token Profile
  • X509 Token Profile
  • SOAP message encryption
  • SOAP message signature
  • WS-Security Policy Support
  • Replay detection

10
Overview
11
Detailed Architecture
12
OMXMLSecurity
13
Apache Axis2/C deployment
  • Client
      • axis2.xml: engage the Rampart/C module
      • policy.xml: security policy
  • Service
      • services.xml: engage the module and set the policy
      • axis2.xml: engage the module (optional)

14
Apache Axis2/C deployment
15
An Encrypted Message
16
Rampart/C usage
  • WSF/C
  • WSF/PHP
  • WSF/Ruby

17
Security in WSF/PHP
18
Secured WSF/PHP Client
  1. Create an array of security properties
  2. Create a policy object populated with the above
    security property array
  3. Create a WSSecurityToken object
  4. Create a WSClient object
  5. Send the request

19
PHP Client example
<?php
// Receiver's certificate (used to encrypt) and the sender's private key
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
$pvt_key  = ws_get_key_from_file('../keys/alice_key.pem');

// Request payload (sample echoString body; not shown on the slide)
$reqPayloadString = '<ns1:echoString xmlns:ns1="http://php.axis2.org/samples">'
                  . '<text>Hello World!</text></ns1:echoString>';
$reqMessage = new WSMessage($reqPayloadString,
    array("to"     => "http://localhost/samples/security/encryption/encrypt_service.php",
          "action" => "http://php.axis2.org/samples/echoString"));

// Security properties: encrypt the message, embed the token in the header
$sec_array = array("encrypt"                => TRUE,
                   "algorithmSuite"         => "Basic256Rsa15",
                   "securityTokenReference" => "EmbeddedToken");
$policy    = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                       "receiverCertificate" => $rec_cert));

$client = new WSClient(array("useWSA"        => TRUE,
                             "policy"        => $policy,
                             "securityToken" => $sec_token));
$resMessage = $client->request($reqMessage);

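The same client with signing and a timestamp switched on, as an added example that is not from the slides or the WSF/PHP project: the option names "sign", "includeTimeStamp", "certificate" and "ttl" are assumed from the WSF/PHP security API, and the key paths, endpoint and payload are placeholders.

```php
<?php
// Added example (not from the slides): the encryption-only client, extended to
// also sign and timestamp each request. Option names "sign", "includeTimeStamp",
// "certificate" and "ttl" are assumed from the WSF/PHP security API; key paths,
// the endpoint and the payload are placeholders.

// Sender's signing credentials and the receiver's encryption certificate
$my_cert  = ws_get_cert_from_file('../keys/alice_cert.cert');   // placeholder path
$pvt_key  = ws_get_key_from_file('../keys/alice_key.pem');      // placeholder path
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');     // placeholder path

$reqPayloadString = '<ns1:echoString xmlns:ns1="http://php.axis2.org/samples">'
                  . '<text>Hello World!</text></ns1:echoString>';
$reqMessage = new WSMessage($reqPayloadString,
    array("to"     => "http://localhost/samples/security/sign_encrypt/service.php",
          "action" => "http://php.axis2.org/samples/echoString"));

// One property per threat from the deck: signature for alteration/origin,
// encryption for confidentiality, timestamp so the service can reject
// replays that fall outside the token's time-to-live.
$sec_array = array("sign"                   => TRUE,
                   "encrypt"                => TRUE,
                   "includeTimeStamp"       => TRUE,
                   "algorithmSuite"         => "Basic256Rsa15",
                   "securityTokenReference" => "IssuerSerial");
$policy = new WSPolicy(array("security" => $sec_array));

// "certificate" is the signer's own cert, referenced from the signature so the
// service can verify it; "receiverCertificate" encrypts the session key.
$sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                       "certificate"         => $my_cert,
                                       "receiverCertificate" => $rec_cert,
                                       "ttl"                 => 300)); // seconds (assumed option)

$client = new WSClient(array("useWSA"        => TRUE,
                             "policy"        => $policy,
                             "securityToken" => $sec_token));
$resMessage = $client->request($reqMessage);
echo $resMessage->str;
```

The service side must declare the same sign, encrypt and timestamp properties in its own WSPolicy so that the two policies match.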
20
Secured WSF/PHP Service
  1. Create an array of security properties
  2. Create a policy object populated with the above
    security property array
  3. Create a WSSecurityToken object
  4. Create a WSService object
  5. Reply to the request

21
PHP Service example
<?php
// Certificate and private key used for encryption (adjust the paths)
$pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
$pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

// Operation handler (minimal echo implementation; not shown on the slide)
function echoFunction($inMessage) {
    return new WSMessage($inMessage->str);
}

// Map operation names to handlers, and WS-Addressing actions to operations
$operations = array("echoString" => "echoFunction");
$actions    = array("http://php.axis2.org/samples/echoString" => "echoString");

// Security properties: encrypted messages, token referenced by issuer/serial
$sec_array = array("encrypt"                => TRUE,
                   "algorithmSuite"         => "Basic256Rsa15",
                   "securityTokenReference" => "IssuerSerial");
$policy    = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                       "receiverCertificate" => $pub_key));

$svr = new WSService(array("actions"       => $actions,
                           "operations"    => $operations,
                           "policy"        => $policy,
                           "securityToken" => $sec_token));
$svr->reply();

22
Would Rampart/C be enough?
  • NO...!!!
  • There are threats that cannot be addressed by
    WS-Security alone
  • e.g. XML bombs, SQL injection
  • Design your services carefully and use Rampart/C

23
What's ahead?
  • WS-Secure Conversation
  • WS-Trust
  • WS-Federation

24
  • Questions?

25
More readings...
  • http://wso2.org/library/2814
  • http://wso2.org/library/2917
  • http://wso2.org/library/2702