SlideShare a Scribd company logo

Apache CXF Security Solutions

Download as ODP, PDF
Daniel Kulp
Daniel Kulp

Presentation from ApacheCon NA 2011

TechnologyBusiness
1 of 18
Security Problems (and Solutions) for Service Oriented Applications Daniel Kulp, Talend dkulp@talend.com © Talend 2011 1
My Background J. Daniel Kulp Talend VP - OpenSource Development ASF Member PMC for CXF, Camel, WebService, Maven, Aries. Committer for ServiceMix © Talend 2011 2
What I Will Cover SOA Security Concerns Types of Security Problems WS-* Solutions REST Solutions Apache CXF extensions Thoughts for the future © Talend 2011 3
SOA Security Concerns Collection of Services that make up a complex application that solves complex problems. Primarily Web Services NOT just SOAP Includes REST Can include other technologies like CORBA, JMS, etc... © Talend 2011 4
Security Problems Authentication Authorization Message Protection Data encryption Signatures Intermediaries Security Tokens Performance © Talend 2011 5
WS-* Solutions “Well Defined” (OK: overly complex) specifications WS-Security WS-SecureConversation WS-SecurityPolicy WS-Trust Etc.... © Talend 2011 6
WS-Security How to sign SOAP messages to assure integrity.(based on XMLDsig) How to encrypt SOAP messages to assure confidentiality. (based on XML-Enc) How to attach security tokens to ascertain the sender's identity. X.509, Kerberos, UserNameToken, SAML © Talend 2011 7
WS-SecurityPolicy Tries to address the “contract” of the Security requirements XML based WS-Policy fragments that describe the Security requirements of the service Contains the information about what needs to be includes, what needs to be signed, what needs to be encrypted, algorithms, etc... © Talend 2011 8
WS-Trust Managing Security Tokens Issue, Renew, Cancel, Validate Support brokering trust relationships STS Consumer Provider Intermediar y © Talend 2011 9
WS-SecureConversation Attempt to address the “performance problem” of the WS- Security specifications. XML Signatures and Encryption using strong asymmetric keys is very expensive. WS-SecConv allows for a simpler symmetric key to be used after establishing a “session”. Extends WS-Trust © Talend 2011 10
WS-* Summary Addresses most of the security problems (performance may be the exception) Very complex Several “Profiles” defined to attempt to clarify and simplify things © Talend 2011 11
Apache CXF – WS-* Covers the WS-* stuff very well Very well tested Very actively developed Highly interopable High performance (relative) New in 2.5.0 is an Enterprise Ready Security Token Service © Talend 2011 12
REST HTTPS Basic Authentication NTLM/Digest Authentication OAuth Really, very few “standards” © Talend 2011 13
Apache CXF - REST JAX-RS OAuth 1.0 Flows XML Message Protection Enveloped Enveloping Detached SAML Auth Header Token in Message Form value © Talend 2011 14
Future Work OAuth 2.0 Single Sign-On / SAML SAML for Bearer token in OAuth 2.0 flows Performance (Streaming) WS-Federation for SSO Apache Fediz proposal to the Incubator © Talend 2011 15
More Information CXF - http://cxf.apache.org Distribution contains several security samples Talend – http://talend.com Talend ESB has several code examples, tech notes and webinars covering security topics Blogs – http://coders.talend.com Colm - http://coheigea.blogspot.com/ Glen - http://www.jroller.com/gmazza/ Sergey - http://sberyozkin.blogspot.com/ © Talend 2011 16
Contact Daniel Kulp dkulp@talend.com http://dankulp.com/blog @DanKulp on Twitter © Talend 2011 17
Thank You © Talend 2011 18

Recommended

CXF 3.0, What's new?
CXF 3.0, What's new?CXF 3.0, What's new?
CXF 3.0, What's new?Daniel Kulp
 
Apache CXF - New Features
Apache CXF - New FeaturesApache CXF - New Features
Apache CXF - New FeaturesDaniel Kulp
 
Apache CXF New Directions in Integration
Apache CXF New Directions in IntegrationApache CXF New Directions in Integration
Apache CXF New Directions in IntegrationDaniel Kulp
 
Integrating Apache Syncope with Apache CXF
Integrating Apache Syncope with Apache CXFIntegrating Apache Syncope with Apache CXF
Integrating Apache Syncope with Apache CXFcoheigea
 
Owin and katana
Owin and katanaOwin and katana
Owin and katanaUdaiappa Ramachandran
 
WSO2 ESB - The Fastest Open Source ESB with Superior Integration Capabilities
WSO2 ESB - The Fastest Open Source ESB with Superior Integration CapabilitiesWSO2 ESB - The Fastest Open Source ESB with Superior Integration Capabilities
WSO2 ESB - The Fastest Open Source ESB with Superior Integration CapabilitiesWSO2
 
Owin from spec to application
Owin from spec to applicationOwin from spec to application
Owin from spec to applicationdamian-h
 
OWIN and Katana Project - Not Only IIS - NoIIS
OWIN and Katana Project - Not Only IIS - NoIISOWIN and Katana Project - Not Only IIS - NoIIS
OWIN and Katana Project - Not Only IIS - NoIISBilal Haidar
 

Recommended

CXF 3.0, What's new?
CXF 3.0, What's new?CXF 3.0, What's new?
CXF 3.0, What's new?Daniel Kulp
 
Apache CXF - New Features
Apache CXF - New FeaturesApache CXF - New Features
Apache CXF - New FeaturesDaniel Kulp
 
Apache CXF New Directions in Integration
Apache CXF New Directions in IntegrationApache CXF New Directions in Integration
Apache CXF New Directions in IntegrationDaniel Kulp
 
Integrating Apache Syncope with Apache CXF
Integrating Apache Syncope with Apache CXFIntegrating Apache Syncope with Apache CXF
Integrating Apache Syncope with Apache CXFcoheigea
 
Owin and katana
Owin and katanaOwin and katana
Owin and katanaUdaiappa Ramachandran
 
WSO2 ESB - The Fastest Open Source ESB with Superior Integration Capabilities
WSO2 ESB - The Fastest Open Source ESB with Superior Integration CapabilitiesWSO2 ESB - The Fastest Open Source ESB with Superior Integration Capabilities
WSO2 ESB - The Fastest Open Source ESB with Superior Integration CapabilitiesWSO2
 
Owin from spec to application
Owin from spec to applicationOwin from spec to application
Owin from spec to applicationdamian-h
 
OWIN and Katana Project - Not Only IIS - NoIIS
OWIN and Katana Project - Not Only IIS - NoIISOWIN and Katana Project - Not Only IIS - NoIIS
OWIN and Katana Project - Not Only IIS - NoIISBilal Haidar
 
Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow WSO2
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESBWSO2
 
ASP.NET: Present and future
ASP.NET: Present and futureASP.NET: Present and future
ASP.NET: Present and futureHrvoje Hudoletnjak
 
Spring basics for freshers
Spring basics for freshersSpring basics for freshers
Spring basics for freshersSwati Bansal
 
Introduction to OWIN
Introduction to OWINIntroduction to OWIN
Introduction to OWINSaran Doraiswamy
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
Wso2 tutorial
Wso2 tutorialWso2 tutorial
Wso2 tutorialArmando Ramirez Vila
 
Running SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite CustomersRunning SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite CustomersSimon Haslam
 
OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)Folio3 Software
 
Tips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud ServiceTips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud ServiceSimon Haslam
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IISsanya6900
 
SOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the CloudSOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the CloudSimon Haslam
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLREduardo Piairo
 
O que é esse tal de OWIN?
O que é esse tal de OWIN?O que é esse tal de OWIN?
O que é esse tal de OWIN?Andre Carlucci
 
Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB WSO2
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACSSimon Haslam
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
MySQL 5.7 + Java
MySQL 5.7 + JavaMySQL 5.7 + Java
MySQL 5.7 + JavaMark Swarbrick
 
CLR Stored Procedures
CLR Stored ProceduresCLR Stored Procedures
CLR Stored ProceduresHarshana Weerasinghe
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 
Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web ServicesJorgen Thelin
 
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresPraetorian
 

More Related Content

What's hot

Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow WSO2
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESBWSO2
 
Spring basics for freshers
Spring basics for freshersSpring basics for freshers
Spring basics for freshersSwati Bansal
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
Running SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite CustomersRunning SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite CustomersSimon Haslam
 
OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)Folio3 Software
 
Tips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud ServiceTips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud ServiceSimon Haslam
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IISsanya6900
 
SOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the CloudSOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the CloudSimon Haslam
 
O que é esse tal de OWIN?
O que é esse tal de OWIN?O que é esse tal de OWIN?
O que é esse tal de OWIN?Andre Carlucci
 
Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB WSO2
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACSSimon Haslam
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 

What's hot (20)

Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow Introduction to ESB Architecture and Message Flow
Introduction to ESB Architecture and Message Flow
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
 
ASP.NET: Present and future
ASP.NET: Present and futureASP.NET: Present and future
ASP.NET: Present and future
 
Spring basics for freshers
Spring basics for freshersSpring basics for freshers
Spring basics for freshers
 
Introduction to OWIN
Introduction to OWINIntroduction to OWIN
Introduction to OWIN
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your Services
 
Wso2 tutorial
Wso2 tutorialWso2 tutorial
Wso2 tutorial
 
Running SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite CustomersRunning SOA in the Cloud: SOA CS for SOA Suite Customers
Running SOA in the Cloud: SOA CS for SOA Suite Customers
 
OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)OWIN (Open Web Interface for .NET)
OWIN (Open Web Interface for .NET)
 
Tips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud ServiceTips & Tricks for Java & SOA Cloud Service
Tips & Tricks for Java & SOA Cloud Service
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
 
SOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the CloudSOA & WebLogic - Lift & Shift to the Cloud
SOA & WebLogic - Lift & Shift to the Cloud
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLR
 
O que é esse tal de OWIN?
O que é esse tal de OWIN?O que é esse tal de OWIN?
O que é esse tal de OWIN?
 
Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB Restful Integration with WSO2 ESB
Restful Integration with WSO2 ESB
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACS
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
 
MySQL 5.7 + Java
MySQL 5.7 + JavaMySQL 5.7 + Java
MySQL 5.7 + Java
 
CLR Stored Procedures
CLR Stored ProceduresCLR Stored Procedures
CLR Stored Procedures
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 

Similar to Apache CXF Security Solutions

Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web ServicesJorgen Thelin
 
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresPraetorian
 
Designing A Logical Security Framework for E-Commerce System Based on SOA
Designing A Logical Security Framework for E-Commerce System Based on SOA Designing A Logical Security Framework for E-Commerce System Based on SOA
Designing A Logical Security Framework for E-Commerce System Based on SOA ijsc
 
Designing a logical security framework
Designing a logical security frameworkDesigning a logical security framework
Designing a logical security frameworkijsc
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionCSCJournals
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Luc Wijns
 
Session 1: The SOAP Story
Session 1: The SOAP StorySession 1: The SOAP Story
Session 1: The SOAP Storyukdpe
 
Otm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soaOtm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soajucaab
 
Toufic Boubez The Future Of S O A Security
Toufic Boubez The Future Of S O A SecurityToufic Boubez The Future Of S O A Security
Toufic Boubez The Future Of S O A SecuritySOA Symposium
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureBrian Ritchie
 
Service Oriented Development With Windows Communication Foundation Tulsa Dnug
Service Oriented Development With Windows Communication Foundation Tulsa DnugService Oriented Development With Windows Communication Foundation Tulsa Dnug
Service Oriented Development With Windows Communication Foundation Tulsa DnugJason Townsend, MBA
 
Bloombase Spitfire SOA Security Server Brochure
Bloombase Spitfire SOA Security Server BrochureBloombase Spitfire SOA Security Server Brochure
Bloombase Spitfire SOA Security Server BrochureBloombase
 
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)chhoup
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Jorgen Thelin
 
What is in a Good Contract? Designing Interfaces for Distributed Systems
What is in a Good Contract? Designing Interfaces for Distributed SystemsWhat is in a Good Contract? Designing Interfaces for Distributed Systems
What is in a Good Contract? Designing Interfaces for Distributed SystemsSchalk Cronjé
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...Sandro Gauci
 
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloudPresentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloudxKinAnx
 
Presentation cyber defense for soa & rest
Presentation cyber defense for soa & restPresentation cyber defense for soa & rest
Presentation cyber defense for soa & restxKinAnx
 

Similar to Apache CXF Security Solutions (20)

Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web Services
 
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & CountermeasuresWeb Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
 
SSLtalk
SSLtalkSSLtalk
SSLtalk
 
Designing A Logical Security Framework for E-Commerce System Based on SOA
Designing A Logical Security Framework for E-Commerce System Based on SOA Designing A Logical Security Framework for E-Commerce System Based on SOA
Designing A Logical Security Framework for E-Commerce System Based on SOA
 
Designing a logical security framework
Designing a logical security frameworkDesigning a logical security framework
Designing a logical security framework
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
 
Session 1: The SOAP Story
Session 1: The SOAP StorySession 1: The SOAP Story
Session 1: The SOAP Story
 
Otm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soaOtm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soa
 
Toufic Boubez The Future Of S O A Security
Toufic Boubez The Future Of S O A SecurityToufic Boubez The Future Of S O A Security
Toufic Boubez The Future Of S O A Security
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
Service Oriented Development With Windows Communication Foundation Tulsa Dnug
Service Oriented Development With Windows Communication Foundation Tulsa DnugService Oriented Development With Windows Communication Foundation Tulsa Dnug
Service Oriented Development With Windows Communication Foundation Tulsa Dnug
 
Bloombase Spitfire SOA Security Server Brochure
Bloombase Spitfire SOA Security Server BrochureBloombase Spitfire SOA Security Server Brochure
Bloombase Spitfire SOA Security Server Brochure
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
 
What is in a Good Contract? Designing Interfaces for Distributed Systems
What is in a Good Contract? Designing Interfaces for Distributed SystemsWhat is in a Good Contract? Designing Interfaces for Distributed Systems
What is in a Good Contract? Designing Interfaces for Distributed Systems
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloudPresentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
 
Presentation cyber defense for soa & rest
Presentation cyber defense for soa & restPresentation cyber defense for soa & rest
Presentation cyber defense for soa & rest
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Apache CXF Security Solutions

  • 1. Security Problems (and Solutions) for Service Oriented Applications Daniel Kulp, Talend dkulp@talend.com © Talend 2011 1
  • 2. My Background J. Daniel Kulp Talend VP - OpenSource Development ASF Member PMC for CXF, Camel, WebService, Maven, Aries. Committer for ServiceMix © Talend 2011 2
  • 3. What I Will Cover SOA Security Concerns Types of Security Problems WS-* Solutions REST Solutions Apache CXF extensions Thoughts for the future © Talend 2011 3
  • 4. SOA Security Concerns Collection of Services that make up a complex application that solves complex problems. Primarily Web Services NOT just SOAP Includes REST Can include other technologies like CORBA, JMS, etc... © Talend 2011 4
  • 5. Security Problems Authentication Authorization Message Protection Data encryption Signatures Intermediaries Security Tokens Performance © Talend 2011 5
  • 6. WS-* Solutions “Well Defined” (OK: overly complex) specifications WS-Security WS-SecureConversation WS-SecurityPolicy WS-Trust Etc.... © Talend 2011 6
  • 7. WS-Security How to sign SOAP messages to assure integrity.(based on XMLDsig) How to encrypt SOAP messages to assure confidentiality. (based on XML-Enc) How to attach security tokens to ascertain the sender's identity. X.509, Kerberos, UserNameToken, SAML © Talend 2011 7
  • 8. WS-SecurityPolicy Tries to address the “contract” of the Security requirements XML based WS-Policy fragments that describe the Security requirements of the service Contains the information about what needs to be includes, what needs to be signed, what needs to be encrypted, algorithms, etc... © Talend 2011 8
  • 9. WS-Trust Managing Security Tokens Issue, Renew, Cancel, Validate Support brokering trust relationships STS Consumer Provider Intermediar y © Talend 2011 9
  • 10. WS-SecureConversation Attempt to address the “performance problem” of the WS- Security specifications. XML Signatures and Encryption using strong asymmetric keys is very expensive. WS-SecConv allows for a simpler symmetric key to be used after establishing a “session”. Extends WS-Trust © Talend 2011 10
  • 11. WS-* Summary Addresses most of the security problems (performance may be the exception) Very complex Several “Profiles” defined to attempt to clarify and simplify things © Talend 2011 11
  • 12. Apache CXF – WS-* Covers the WS-* stuff very well Very well tested Very actively developed Highly interopable High performance (relative) New in 2.5.0 is an Enterprise Ready Security Token Service © Talend 2011 12
  • 14. Apache CXF - REST JAX-RS OAuth 1.0 Flows XML Message Protection Enveloped Enveloping Detached SAML Auth Header Token in Message Form value © Talend 2011 14
  • 15. Future Work OAuth 2.0 Single Sign-On / SAML SAML for Bearer token in OAuth 2.0 flows Performance (Streaming) WS-Federation for SSO Apache Fediz proposal to the Incubator © Talend 2011 15
  • 16. More Information CXF - http://cxf.apache.org Distribution contains several security samples Talend – http://talend.com Talend ESB has several code examples, tech notes and webinars covering security topics Blogs – http://coders.talend.com Colm - http://coheigea.blogspot.com/ Glen - http://www.jroller.com/gmazza/ Sergey - http://sberyozkin.blogspot.com/ © Talend 2011 16
  • 17. Contact Daniel Kulp dkulp@talend.com http://dankulp.com/blog @DanKulp on Twitter © Talend 2011 17