Apache CXF Security Solutions
Daniel Kulp
Presentation from ApacheCon NA 2011
1. Security Problems (and Solutions) for Service Oriented Applications
Daniel Kulp, Talend
dkulp@talend.com
© Talend 2011
2. My Background
- J. Daniel Kulp
- Talend VP - OpenSource Development
- ASF Member
- PMC for CXF, Camel, WebService, Maven, Aries
- Committer for ServiceMix
3. What I Will Cover
- SOA Security Concerns
- Types of Security Problems
- WS-* Solutions
- REST Solutions
- Apache CXF extensions
- Thoughts for the future
4. SOA Security Concerns
- Collection of Services that make up a complex application that solves complex problems.
- Primarily Web Services
- NOT just SOAP
- Includes REST
- Can include other technologies like CORBA, JMS, etc.
5. Security Problems
- Authentication
- Authorization
- Message Protection
- Data encryption
- Signatures
- Intermediaries
- Security Tokens
- Performance
6. WS-* Solutions
- “Well Defined” (OK: overly complex) specifications
- WS-Security
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Trust
- Etc.
7. WS-Security
- How to sign SOAP messages to assure integrity (based on XMLDsig).
- How to encrypt SOAP messages to assure confidentiality (based on XML-Enc).
- How to attach security tokens to ascertain the sender's identity.
- X.509, Kerberos, UserNameToken, SAML
8. WS-SecurityPolicy
- Tries to address the “contract” of the Security requirements
- XML based WS-Policy fragments that describe the Security requirements of the service
- Contains the information about what needs to be included, what needs to be signed, what needs to be encrypted, algorithms, etc.
9. WS-Trust
- Managing Security Tokens
- Issue, Renew, Cancel, Validate
- Support brokering trust relationships
(Diagram: STS, Consumer, Provider, Intermediary)
10. WS-SecureConversation
- Attempt to address the “performance problem” of the WS-Security specifications.
- XML Signatures and Encryption using strong asymmetric keys is very expensive.
- WS-SecConv allows for a simpler symmetric key to be used after establishing a “session”.
- Extends WS-Trust
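
The session idea on the WS-SecureConversation slide, as an added Python example (not from the slides and not CXF code): one shared session secret is established once, and each message is then protected with a cheap symmetric key derived from it using the P_SHA-1 derived-key scheme that WS-SecureConversation defines. Assumptions: the secret is generated locally instead of being issued through a WS-Trust exchange, the MAC covers raw bytes rather than a canonicalized XML Signature, and the function names and sample message are constructed for illustration.

```python
import hashlib
import hmac
import os

# Default label from the WS-SecureConversation derived-key definition.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 expansion function (RFC 2246, section 5)."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, nonce: bytes, length: int = 32) -> bytes:
    """Per-message key derived from the shared session secret and a nonce."""
    return p_sha1(context_secret, DEFAULT_LABEL + nonce, length)


def protect(context_secret: bytes, body: bytes) -> dict:
    """Sender side: fresh nonce, derived key, HMAC-SHA1 over the body."""
    nonce = os.urandom(16)
    key = derive_key(context_secret, nonce)
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return {"nonce": nonce, "body": body, "mac": mac}


def check(context_secret: bytes, msg: dict) -> bool:
    """Receiver side: re-derive the key from the nonce, compare in constant time."""
    key = derive_key(context_secret, msg["nonce"])
    expected = hmac.new(key, msg["body"], hashlib.sha1).digest()
    return hmac.compare_digest(expected, msg["mac"])


def demo() -> dict:
    # Constructed session secret; in the protocol it is issued once per
    # session and only that exchange pays the asymmetric-key cost.
    secret = os.urandom(32)
    msg = protect(secret, b"<soap:Body><getQuote symbol='TLND'/></soap:Body>")
    tampered = dict(msg, body=msg["body"].replace(b"TLND", b"XXXX"))
    return {
        "genuine": check(secret, msg),
        "tampered": check(secret, tampered),          # body changed in transit
        "wrong_session": check(os.urandom(32), msg),  # receiver lacks the secret
    }


if __name__ == "__main__":
    print(demo())
```

Every message after session setup costs only HMAC operations, which is the performance gain the slide refers to; integrity still fails closed when the body changes or the receiver holds a different session secret.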
11. WS-* Summary
- Addresses most of the security problems (performance may be the exception)
- Very complex
- Several “Profiles” defined to attempt to clarify and simplify things
12. Apache CXF – WS-*
- Covers the WS-* stuff very well
- Very well tested
- Very actively developed
- Highly interoperable
- High performance (relative)
- New in 2.5.0 is an Enterprise Ready Security Token Service
13. REST
- HTTPS
- Basic Authentication
- NTLM/Digest Authentication
- OAuth
- Really, very few “standards”
14. Apache CXF - REST
- JAX-RS
- OAuth 1.0 Flows
- XML Message Protection
- Enveloped
- Enveloping
- Detached
- SAML
- Auth Header
- Token in Message
- Form value
15. Future Work
- OAuth 2.0
- Single Sign-On / SAML
- SAML for Bearer token in OAuth 2.0 flows
- Performance (Streaming)
- WS-Federation for SSO
- Apache Fediz proposal to the Incubator
16. More Information
- CXF - http://cxf.apache.org
- Distribution contains several security samples
- Talend – http://talend.com
- Talend ESB has several code examples, tech notes and webinars covering security topics
- Blogs – http://coders.talend.com
- Colm - http://coheigea.blogspot.com/
- Glen - http://www.jroller.com/gmazza/
- Sergey - http://sberyozkin.blogspot.com/
17. Contact
- Daniel Kulp
- dkulp@talend.com
- http://dankulp.com/blog
- @DanKulp on Twitter
18. Thank You