Apache CXF Security Solutions

Presentation from ApacheCon NA 2011

  1. Security Problems (and Solutions) for Service Oriented Applications
     Daniel Kulp, Talend, dkulp@talend.com
     © Talend 2011
  2. My Background
     - J. Daniel Kulp, Talend, VP - Open Source Development
     - ASF Member
     - PMC for CXF, Camel, Web Services, Maven, Aries
     - Committer for ServiceMix
  3. What I Will Cover
     - SOA security concerns
     - Types of security problems
     - WS-* solutions
     - REST solutions
     - Apache CXF extensions
     - Thoughts for the future
  4. SOA Security Concerns
     - A collection of services that make up a complex application that solves complex problems.
     - Primarily Web Services, but NOT just SOAP: includes REST, and can include other technologies like CORBA, JMS, etc.
  5. Security Problems
     - Authentication
     - Authorization
     - Message protection: data encryption, signatures
     - Intermediaries
     - Security tokens
     - Performance
  6. WS-* Solutions
     - "Well defined" (OK: overly complex) specifications
     - WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-Trust, etc.
  7. WS-Security
     - How to sign SOAP messages to assure integrity (based on XML-DSig).
     - How to encrypt SOAP messages to assure confidentiality (based on XML-Enc).
     - How to attach security tokens to ascertain the sender's identity: X.509, Kerberos, UsernameToken, SAML.
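One of the token types named on this slide, worked through as an added example (this is illustration code, not Apache CXF's WSS4J-based implementation): a wsse:UsernameToken in PasswordDigest form as specified by the WSS UsernameToken Profile 1.0, built on the client and checked on the server. The server side carries the checks a bare digest comparison does not give you: a freshness window on wsu:Created, a per-user nonce cache against replay, and refusal of the PasswordText variant. User names, passwords and the nonce/Created values in the test are constructed; the digest scheme itself requires the server to hold the plaintext password (or an equivalent secret), which is one of its known drawbacks.

```python
# Added example (not Apache CXF code): WS-Security UsernameToken, PasswordDigest form,
# with the server-side replay and freshness checks. Usernames/passwords are constructed.
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes, not its Base64."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: the wsse:UsernameToken element that goes inside the wsse:Security header."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenValidator:
    """Server side. `passwords` maps user -> password; `clock` is injectable so tests can pin time."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5), clock=None):
        self.passwords = passwords
        self.max_skew = max_skew
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen = {}  # (username, nonce) -> Created time; evicted once outside the window

    def validate(self, token_xml: str) -> bool:
        el = ET.fromstring(token_xml)
        username = el.findtext(f"{{{WSSE}}}Username")
        pw = el.find(f"{{{WSSE}}}Password")
        nonce_b64 = el.findtext(f"{{{WSSE}}}Nonce")
        created = el.findtext(f"{{{WSU}}}Created")
        if not (username and pw is not None and nonce_b64 and created):
            return False
        if pw.get("Type") != PASSWORD_DIGEST:
            return False  # PasswordText (also the default when Type is absent) is refused here
        try:
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        now = self.clock()
        if abs(now - created_at) > self.max_skew:
            return False  # stale or future-dated token
        self._evict(now)
        if (username, nonce) in self.seen:
            return False  # same nonce seen inside the window: replay
        password = self.passwords.get(username)
        if password is None:
            return False
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False
        self.seen[(username, nonce)] = created_at
        return True

    def _evict(self, now: datetime) -> None:
        """Drop nonces older than the window; the Created check already rejects anything that old."""
        for key in [k for k, t in self.seen.items() if now - t > self.max_skew]:
            del self.seen[key]
```

The nonce cache only has to remember nonces for as long as the Created window is open, which is why the two checks belong together: without the window the cache grows without bound, and without the cache the window alone lets a captured token be replayed for five minutes.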
  8. WS-SecurityPolicy
     - Tries to address the "contract" of the security requirements.
     - XML-based WS-Policy fragments that describe the security requirements of the service.
     - Contains the information about what needs to be included, what needs to be signed, what needs to be encrypted, algorithms, etc.
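The "what needs to be signed" part of that contract, as an added example rather than CXF's own policy validation: a small checker that reads the sp:SignedParts of a WS-SecurityPolicy fragment and confirms that the ds:Signature inside the wsse:Security header references every required part by its wsu:Id. The policy fragment and the SOAP envelopes are constructed; the ds:Reference elements carry no real digests, because this check covers only signature coverage. Verifying the digests and the SignatureValue is a separate, mandatory step that this code deliberately leaves out. Only a Signature inside wsse:Security counts, and a referenced wsu:Id must be unique in the document, otherwise a second element carrying the same Id could be the one the application actually reads.

```python
# Added example (not CXF code): does the message's Signature cover every
# part the WS-SecurityPolicy SignedParts assertion requires?
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed policy: the Body and the wsa:To header must both be signed.
POLICY = f"""
<sp:SignedParts xmlns:sp="{SP}">
  <sp:Body/>
  <sp:Header Name="To" Namespace="{WSA}"/>
</sp:SignedParts>"""


def envelope(signed_ids, body_id="id-body", to_id="id-to", extra_body=""):
    """Constructed SOAP message; signed_ids become ds:Reference URIs (digests left empty)."""
    refs = "".join(f'<ds:Reference URI="#{i}"><ds:DigestValue/></ds:Reference>' for i in signed_ids)
    return f"""
<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
               xmlns:wsa="{WSA}" xmlns:ds="{DS}">
  <soap:Header>
    <wsa:To wsu:Id="{to_id}">https://example.com/svc</wsa:To>
    <wsse:Security>
      <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo><ds:SignatureValue/></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="{body_id}"><ns:op xmlns:ns="urn:example">{extra_body}</ns:op></soap:Body>
</soap:Envelope>"""


def required_signed_ids(policy: ET.Element, env: ET.Element) -> dict:
    """Map each SignedParts entry to the wsu:Id of the element it names (None if absent)."""
    header = env.find(f"{{{SOAP}}}Header")
    body = env.find(f"{{{SOAP}}}Body")
    required = {}
    for part in policy:
        if part.tag == f"{{{SP}}}Body":
            required["Body"] = None if body is None else body.get(f"{{{WSU}}}Id")
        elif part.tag == f"{{{SP}}}Header" and part.get("Name"):
            tag = f"{{{part.get('Namespace')}}}{part.get('Name')}"
            el = None if header is None else header.find(tag)
            required[tag] = None if el is None else el.get(f"{{{WSU}}}Id")
        # sp:Header without a Name (all headers in a namespace) is not handled in this example
    return required


def signed_reference_ids(env: ET.Element) -> set:
    """Only references of a Signature inside wsse:Security count; one placed elsewhere is ignored."""
    ids = set()
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference"
    for ref in env.iterfind(path):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def id_is_unique(env: ET.Element, id_: str) -> bool:
    """A duplicated wsu:Id lets an unsigned copy shadow the signed element."""
    return sum(1 for e in env.iter() if e.get(f"{{{WSU}}}Id") == id_) == 1


def missing_signed_parts(policy_xml: str, envelope_xml: str) -> list:
    """Parts the policy requires signed that the message does not cover; [] means satisfied."""
    env = ET.fromstring(envelope_xml)
    required = required_signed_ids(ET.fromstring(policy_xml), env)
    covered = signed_reference_ids(env)
    return [part for part, id_ in required.items()
            if id_ is None or id_ not in covered or not id_is_unique(env, id_)]
```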
  9. WS-Trust
     - Managing security tokens: Issue, Renew, Cancel, Validate.
     - Supports brokering trust relationships.
     [diagram: STS, Consumer, Provider, Intermediary]
  10. WS-SecureConversation
     - An attempt to address the "performance problem" of the WS-Security specifications.
     - XML Signatures and Encryption using strong asymmetric keys are very expensive. WS-SecConv allows a simpler symmetric key to be used after establishing a "session".
     - Extends WS-Trust.
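The key-material side of slides 9 and 10, as an added example (not the CXF Security Token Service): a WS-Trust Issue exchange in which both parties contribute entropy, the session secret is the psha1 ComputedKey P_SHA1(requestor entropy, issuer entropy), and each subsequent message uses a WS-SecureConversation DerivedKeyToken key from a fresh nonce, so the asymmetric work happens once per session. The RST/RSTR messages are reduced to dicts, the SecurityContextToken to its identifier, and per-message protection to an HMAC-SHA1 over the body bytes; a real message would carry an XML-DSig HMAC signature over the canonicalised body. Entropy sizes and the token lifetime handling are simplified assumptions of this example.

```python
# Added example (not CXF's STS): WS-Trust Issue with psha1 ComputedKey, then
# WS-SecureConversation derived keys per message. Messages are simplified to dicts.
import hashlib
import hmac
import secrets
import uuid


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (the TLS 1.0/1.1 construction), used by WS-Trust and WS-SecureConversation."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16) -> bytes:
    """DerivedKeyToken with the default label: bytes [Offset, Offset+Length) of P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, DEFAULT_LABEL + nonce, offset + length)[offset:offset + length]


class SecurityTokenService:
    """Issues and cancels SecurityContextTokens; Renew/Validate are left out of this example."""

    def __init__(self):
        self.contexts = {}  # SCT identifier -> session secret

    def issue(self, rst: dict) -> dict:
        """RST carries the requestor's Entropy and KeySize (bits); the RSTR returns the issuer's share."""
        key_bytes = rst["KeySize"] // 8
        sts_entropy = secrets.token_bytes(key_bytes)
        secret = p_sha1(rst["Entropy"], sts_entropy, key_bytes)  # psha1 ComputedKey
        sct = f"urn:uuid:{uuid.uuid4()}"
        self.contexts[sct] = secret
        return {"SecurityContextToken": sct, "Entropy": sts_entropy, "ComputedKey": "psha1"}

    def cancel(self, sct: str) -> bool:
        return self.contexts.pop(sct, None) is not None


def client_session(sts: SecurityTokenService, key_size: int = 256):
    """Client half of the Issue exchange; returns (sct, secret) computed from both entropies."""
    entropy = secrets.token_bytes(key_size // 8)
    rstr = sts.issue({"RequestType": "Issue", "Entropy": entropy, "KeySize": key_size})
    if rstr["ComputedKey"] != "psha1":
        raise ValueError("unexpected ComputedKey algorithm")
    return rstr["SecurityContextToken"], p_sha1(entropy, rstr["Entropy"], key_size // 8)


def protect(secret: bytes, body: bytes) -> tuple:
    """Per message: fresh nonce -> derived key -> MAC. The nonce travels in the DerivedKeyToken."""
    nonce = secrets.token_bytes(16)
    mac = hmac.new(derived_key(secret, nonce), body, hashlib.sha1).digest()
    return nonce, mac


def verify(sts: SecurityTokenService, sct: str, body: bytes, nonce: bytes, mac: bytes) -> bool:
    """Service side: look up the context, re-derive the key from the nonce, compare in constant time."""
    secret = sts.contexts.get(sct)
    if secret is None:
        return False  # unknown, expired or cancelled context
    expected = hmac.new(derived_key(secret, nonce), body, hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)
```

Once the context is cancelled the service forgets the secret and every message under that SCT fails, which is the behaviour the Cancel binding is there for.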
  11. WS-* Summary
     - Addresses most of the security problems (performance may be the exception).
     - Very complex.
     - Several "profiles" defined to attempt to clarify and simplify things.
  12. Apache CXF – WS-*
     - Covers the WS-* stuff very well.
     - Very well tested.
     - Very actively developed.
     - Highly interoperable.
     - High performance (relative).
     - New in 2.5.0 is an enterprise-ready Security Token Service.
  13. REST
     - HTTPS
     - Basic Authentication
     - NTLM/Digest Authentication
     - OAuth
     - Really, very few "standards".
  14. Apache CXF - REST
     - JAX-RS
     - OAuth 1.0 flows
     - XML message protection: enveloped, enveloping, detached
     - SAML: Auth header, token in message, form value
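Of the REST options on slides 13 and 14, OAuth 1.0 is the one with a real signature scheme, so here it is as an added example (illustration code, not CXF's JAX-RS OAuth module): the HMAC-SHA1 request signature of RFC 5849 on the client side and its verification on the resource server, where the timestamp window and nonce cache against replay belong. Consumer and token keys and secrets in the test are constructed; the RFC 5849 base-string example is used to check the normalisation. Only application/x-www-form-urlencoded bodies contribute parameters, as the spec says; other body types are not signed by OAuth 1.0 at all, which is one reason to keep the HTTPS bullet from slide 13 even when OAuth is in use.

```python
# Added example (not CXF code): OAuth 1.0 HMAC-SHA1 signing and verifying (RFC 5849).
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters (ALPHA DIGIT - . _ ~) are left alone."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and not ((scheme == "http" and u.port == 80) or (scheme == "https" and u.port == 443)):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"  # query and fragment are excluded


def request_params(url: str, body: str) -> list:
    """Decoded (name, value) pairs from the query and a form-encoded body."""
    q = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    b = parse_qsl(body, keep_blank_values=True) if body else []
    return q + b


def signature_base_string(method: str, url: str, params: list) -> str:
    """params: query, body and oauth_* pairs, decoded, without oauth_signature and realm."""
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret,
                 timestamp=None, nonce=None) -> dict:
    """Client side: the oauth_* fields to send in the Authorization: OAuth header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    params = request_params(url, body) + list(oauth.items())
    oauth["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params),
                                         consumer_secret, token_secret)
    return oauth


class OAuth1Verifier:
    """Resource server side; `consumers` and `tokens` map key -> secret."""

    def __init__(self, consumers: dict, tokens: dict, window: int = 300, clock=time.time):
        self.consumers, self.tokens = consumers, tokens
        self.window, self.clock = window, clock
        self.seen = set()  # (consumer_key, timestamp, nonce) triples already accepted

    def verify(self, method: str, url: str, body: str, oauth: dict) -> bool:
        try:
            ts = int(oauth["oauth_timestamp"])
            consumer_secret = self.consumers[oauth["oauth_consumer_key"]]
            token_secret = self.tokens[oauth["oauth_token"]]
            nonce = oauth["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False  # in particular, PLAINTEXT is refused
        if abs(self.clock() - ts) > self.window:
            return False  # outside the timestamp window
        key = (oauth["oauth_consumer_key"], ts, nonce)
        if key in self.seen:
            return False  # replayed nonce
        params = request_params(url, body) + [(k, v) for k, v in oauth.items()
                                              if k not in ("oauth_signature", "realm")]
        expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False
        self.seen.add(key)
        return True
```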
  15. Future Work
     - OAuth 2.0
     - Single Sign-On / SAML
     - SAML as Bearer token in OAuth 2.0 flows
     - Performance (streaming)
     - WS-Federation for SSO: Apache Fediz proposal to the Incubator
  16. More Information
     - CXF - http://cxf.apache.org (the distribution contains several security samples)
     - Talend - http://talend.com (Talend ESB has several code examples, tech notes and webinars covering security topics)
     - Blogs - http://coders.talend.com
       Colm - http://coheigea.blogspot.com/
       Glen - http://www.jroller.com/gmazza/
       Sergey - http://sberyozkin.blogspot.com/
  17. Contact
     Daniel Kulp, dkulp@talend.com
     http://dankulp.com/blog
     @DanKulp on Twitter
  18. Thank You
