soa - wsextension security.pptx
TRANSCRIPT
-
7/27/2019 SOA - WSExtension Security.pptx
1/30
Service Oriented Architecture (SOA)
Security: WS-* Extensions
-
Security
WS-Security
XML-Encryption
XML-Signature
-
What are WS-* Extensions?
The term "WS-*" has become a commonly used abbreviation that refers to the second-generation Web services specifications.
These are extensions to the basic Web services framework established by first-generation standards represented by WSDL, SOAP, and UDDI. The term "WS-*" became popular because the majority of titles given to second-generation Web services specifications have been prefixed with "WS-".
(See www.specifications.ws for examples of WS-* specifications.)
-
The WS-Security framework governs a subset of these specifications, and establishes a cohesive and composable security architecture.
The WS-Security framework provides extensions that can be used to implement message-level security measures. These protect message contents during transport and during processing by service intermediaries.
Additional extensions implement authentication and authorization control, which protect service providers from malicious requestors.
-
Security & SOA
Security measures can be layered over any message transmission to either protect the message content or the message recipient.
The WS-Security framework and its accompanying specifications therefore fulfill fundamental QoS requirements that enable enterprises to:
utilize service-oriented solutions for the processing of sensitive and private data
restrict service access as required
-
Security, as it relates to policies, SOAP messages, and Web services
-
Service-oriented applications need to be outfitted to handle many of the traditional security demands of protecting information and ensuring that access to logic is only granted to those permitted.
However, the SOAP messaging communications framework, upon which contemporary SOA is built, emphasizes particular aspects of security that need to be accommodated by a security framework designed specifically for Web services.
-
List of Security Specifications
WS-Security
WS-SecurityPolicy
WS-Trust
WS-SecureConversation
WS-Federation
Extensible Access Control Markup Language (XACML)
Extensible Rights Markup Language (XrML)
XML Key Management (XKMS)
XML-Signature
XML-Encryption
Security Assertion Markup Language (SAML)
.NET Passport
Secure Sockets Layer (SSL)
WS-I Basic Security Profile
-
Basic/Core Security Specifications
WS-Security
XML-Signature
XML-Encryption
Built on five security requirements:
Confidentiality
Integrity
Identification
Authorization
Authentication
-
Five common security requirements: identification, authentication, authorization, confidentiality, and integrity.
Example: withdrawing money from a bank using a withdrawal slip involves identification (withdrawal slip), authentication (bank card and photo ID), and authorization (pass code and bank record).
-
Identification
For a service requestor to access a secured service provider, it must first provide information that expresses its origin or owner. This is referred to as making a claim.
Claims are represented by identification information stored in the SOAP header. WS-Security establishes a standardized header block that stores this information, at which point it is referred to as a token.
-
Authentication
Authentication requires that a message being delivered to a recipient prove that the message is in fact from the sender that it claims to be. In other words, the service must provide proof that its claimed identity is true.
-
Authorization
Once authenticated, the recipient of a message may need to determine what the requestor is allowed to do. This is called authorization.
-
Confidentiality
Confidentiality is concerned with protecting the privacy of the message contents. A message is considered to have remained confidential if no service or agent in its message path that was not authorized to do so viewed its contents.
-
Integrity
Integrity ensures that a message has not been altered since its departure from the original sender. This guarantees that the state of the message contents remained intact from the time of transmission to the point of delivery.
-
Transport-level Security
Secure Sockets Layer (SSL), for example, is a very popular means of securing the HTTP channel upon which requests and responses are transmitted. However, within a Web services-based communications framework, it can only protect a message during the transmission between service endpoints.
Hence, SSL affords only transport-level security.
-
Message-level Security
If, for example, a service intermediary takes possession of a message, it still may have the ability to alter its contents. To ensure that a message is fully protected along its entire message path, message-level security is required. In this case, security measures are applied to the message itself (not to the transport channel on which the message travels). Now, regardless of where the message may travel, the security measures applied go with it.
-
Encryption and Digital Signatures
Methods to preserve the confidentiality and integrity of XML documents:
Message-level confidentiality for an XML-based messaging format, such as SOAP, is provided through XML-Encryption.
Message integrity is ensured through XML-Signature.
-
Encryption (message confidentiality)
XML-Encryption, an encryption technology designed for use with XML, is a cornerstone part of the WS-Security framework. It provides features with which encryption can be applied to an entire message or only to specific parts of the message (such as the password).
XML-Encryption can be applied to parts of a SOAP header, as well as the contents of the SOAP body.
-
Digital Signatures (message integrity)
To ensure message integrity, a technology is required that is capable of verifying that the message received by a service is authentic in that it has not been altered in any manner since it first was sent. XML-Signature provides features that allow for an XML document to be accompanied by a special algorithm-driven piece of information that represents a digital signature. This signature is tied to the content of the document so that verification of the signature by the receiving service will only succeed if the content has remained unaltered since it first was sent.
Digital signatures also support the concept of non-repudiation, which can prove that a message containing a (usually legally binding) document was sent by a specific requestor and delivered to a specific provider.
When signing a document, the XML-Signature can reside in the SOAP header.
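As an added example (not from the slides), the message-level integrity check described on the Identification and Digital Signatures slides in Python: a constructed SOAP request carrying a WS-Security UsernameToken is signed over the canonicalized Body, and an intermediary's change to the Body is caught on verification while the signature travels with the message. Assumptions: HMAC-SHA256 under a constructed shared key stands in for the XML-Signature algorithm suite, a plain Signature element stands in for the ds:Signature block, and Python 3.8+ is used for ET.canonicalize.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)
KEY = b"constructed-shared-secret"  # constructed; stands in for the signer's key material

# Constructed sample request: the wsse:Security header block carries the requestor's
# claim as a token (here a UsernameToken); the Body carries the actual operation.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Withdraw><Account>1234</Account><Amount>100</Amount></Withdraw></soap:Body>
</soap:Envelope>"""

def body_digest(envelope: str) -> str:
    """Reference step: canonicalize the Body subtree, then hash it (base64 SHA-256)."""
    body = ET.fromstring(envelope).find(f"{{{SOAP}}}Body")
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def signature_value(envelope: str) -> str:
    """SignedInfo step: bind the reference digest to the key (HMAC stands in for RSA/DSA)."""
    mac = hmac.new(KEY, body_digest(envelope).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def attach_signature(envelope: str) -> str:
    """Sender side: place the signature inside the wsse:Security header block."""
    root = ET.fromstring(envelope)
    sig = ET.SubElement(root.find(f".//{{{WSSE}}}Security"), "Signature")  # simplified ds:Signature
    sig.text = signature_value(envelope)
    return ET.tostring(root, encoding="unicode")

def verify(envelope: str) -> bool:
    """Receiver side: recompute over the Body actually received; any change breaks the match."""
    sig = ET.fromstring(envelope).find(f".//{{{WSSE}}}Security/Signature")
    if sig is None or not sig.text:
        return False
    return hmac.compare_digest(sig.text, signature_value(envelope))

def tamper(envelope: str) -> str:
    """Constructed intermediary that alters the Body but leaves the signature in place."""
    return envelope.replace("<Amount>100</Amount>", "<Amount>100000</Amount>")
```

Because the digest is taken over the canonical form of the Body, whitespace-only differences introduced in transit do not break verification, while any change to the element content does.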
-
WS-Security
-
WS-Security
-
WS-Encryption
-
WS-Encryption
-
WS-Signature
A digital signature is a complex piece of information comprised of specific parts that each represent an aspect of the document being signed.
-
WS-Signature
XML-Signature establishes the Signature block comprised of various algorithm pointers and parts from which the digital signature is derived.
-
Single Sign-On
Since services are autonomous and independent from each other, a mechanism is required to persist the security context established after a requestor has been authenticated. Otherwise, the requestor would need to re-authenticate itself with every subsequent request.
The concept of single sign-on addresses this issue. The use of a single sign-on technology allows a service requestor to be authenticated once and then have its security context information shared with other services that the requestor may then access without further authentication.
There are three primary extensions that support the implementation of the single sign-on concept:
SAML (Security Assertion Markup Language)
.NET Passport
XACML (XML Access Control Markup Language)
-
SAML (Security Assertion Markup Language)
SAML implements a single sign-on system in which the point of contact for a service requestor can also act as an issuing authority. This permits the underlying logic of that service not only to authenticate and authorize the service requestor, but also to assure the other services that the service requestor requires that it has attained this level of clearance.
Other services that the service requestor contacts, therefore, do not need to perform authentication and authorization steps. Instead, upon receiving a request, they simply contact the issuing authority to ask for the authentication and authorization clearance it originally obtained. The issuing authority provides this information in the form of assertions that communicate the security details. (The two types of assertions that contain authentication and authorization information are simply called authentication assertions and authorization assertions.)
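An added example, not part of the slides, of the single sign-on flow just described: the issuing authority authenticates the requestor once and issues an assertion carrying an authentication statement and an authorization statement, and a downstream service admits the request by checking that assertion instead of re-authenticating. Assumptions: the assertion is modelled as a dict sealed with an HMAC under a constructed issuer key rather than an XML-Signature-signed SAML document, the requestor presents the assertion rather than the service calling the issuer back, and the names IssuingAuthority, DownstreamService and the credential store are constructed for this example.

```python
import hashlib, hmac, json
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key"  # constructed; a real issuer signs SAML assertions with XML-Signature

def assertion_mac(statements: dict) -> str:
    """Issuer's seal over the statements; relying services check it with the same key."""
    data = json.dumps(statements, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

class IssuingAuthority:
    """Point of contact that authenticates the requestor once and issues assertions."""
    USERS = {"alice": "s3cret"}        # constructed credential store
    ROLES = {"alice": {"withdraw"}}    # constructed authorization data

    def authenticate(self, user: str, password: str, now: float) -> Optional[dict]:
        if not hmac.compare_digest(self.USERS.get(user, ""), password):
            return None                                   # claim could not be proved
        statements = {
            "subject": user, "issued": now, "expires": now + 300,
            "authentication": "password",                 # authentication assertion
            "authorization": sorted(self.ROLES[user]),    # authorization assertion
        }
        return {"statements": statements, "signature": assertion_mac(statements)}

class DownstreamService:
    """Relies on the issuer's assertion instead of re-authenticating the requestor."""
    def __init__(self, action: str) -> None:
        self.action = action

    def admit(self, assertion: dict, now: float) -> bool:
        st = assertion.get("statements", {})
        if not hmac.compare_digest(assertion.get("signature", ""), assertion_mac(st)):
            return False                  # not issued by the authority, or altered in transit
        if now >= st.get("expires", 0):
            return False                  # security context lapsed; requestor must re-authenticate
        return self.action in st.get("authorization", [])
```

The expiry check is what keeps a persisted security context from becoming a permanent credential; a service that skips it would honour an assertion long after the issuer would have refused to reissue it.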
-
Mechanisms of SAML