Identity patterns and anti-patterns in real world web services


Identity patterns and anti-patterns in real world web services @ Apache Asia Roadshow 2009 ~ Colombo

Published in: Technology

  1. Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2
  2. Proof of identity
  3. Something you know…
  4. Something you have…
  5. Something you are…
  6. Multifactor Authentication
  7. Anyone can access my Service
  10. Transport Level Security vs Message Level Security
  11. Transport Level Security
  12. Message Level Security
  13. <wsse:UsernameToken wsu:Id="Example-1">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
      </wsse:UsernameToken>
  14. BasicAuth with Transport Level Security
  15. Direct Authentication Pattern. Problem: How to avoid anonymous users accessing a web service
  16. Direct Authentication Pattern. Solution: The web service acts as an authentication service to validate credentials from the client.
  17. Direct Authentication Pattern. Implementation(s): UsernameToken with WSSE; BasicAuth with TLS
  18. Exception Shielding Pattern. Problem: Exception data output by a service containing implementation details could compromise the security of the service
  19. Exception Shielding Pattern. Solution: Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers
  20. Users OUTSIDE Our Domain Need ACCESS
  21. Direct Authentication needs us to maintain user credentials internally
  22. We don't have the credentials of external users
  23. Direct Authentication doesn't solve our problem
  24. Can't we delegate Authentication to the External Domain itself?
  25. WS-TRUST
  26. Brokered Authentication Pattern. Problem: How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don't have the users' credentials to validate
  27. Brokered Authentication Pattern. Solution: Delegate authentication to a third party who knows how to validate user credentials; the service trusts the assertions provided by that particular third party
  28. Brokered Authentication Pattern. Implementation(s): WS-Trust, OpenID, Information Cards, OAuth
  29. How do we know the legitimacy of the third party Security Token Service?
  30. Data Origin Authentication Pattern. Problem: How do we prevent an attacker from manipulating messages in transit between a client and a web service?
  31. Data Origin Authentication Pattern. Solution: Validate message integrity and non-repudiation with a message signature
  32. Our services access downstream resources with the authenticated user's credentials
  33. This could bring security risks – and make downstream resources vulnerable to attacks
  34. How about controlling user access to the downstream resources
  35. Service acts as the client – with the service's credentials
  36. Trusted Sub System Pattern. Problem: A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to an undesirable form of implementation coupling.
  37. Trusted Sub System Pattern. Solution: The service is designed to use its own credentials for authentication and authorization with backend resources on behalf of the consumers
  38. Patterns @ Work…
  39. Message Interceptor Gateway Pattern. Problem: Different services deployed could have different security policies, and a security vulnerability of the weakest service could be exploited to create loopholes in the entire system.
  40. Message Interceptor Gateway Pattern. Solution: Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
  41.
  42. Thank You…!!!
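Slides 13 and 17 describe the Direct Authentication pattern implemented with a WS-Security UsernameToken. The following added example (not from the deck or WSO2) shows the service-side validation such a token needs when the Password element carries a PasswordDigest: recomputing Base64(SHA-1(nonce + created + password)), rejecting stale Created timestamps, and rejecting a reused Nonce. The user store, the 5-minute freshness window, and the sample credentials are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store (hypothetical). PasswordDigest requires the server to
# hold the clear password (or an equivalent secret), which is one of its costs.
USERS = {"alice": "s3cret-pass"}

# Nonces accepted inside the freshness window, kept to reject replayed tokens.
SEEN_NONCES = {}
FRESHNESS = timedelta(minutes=5)  # assumed tolerance for wsu:Created


def parse_created(value: str) -> datetime:
    """Parse a wsu:Created value in UTC 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(decoded nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, created: str) -> dict:
    """Client side: build the UsernameToken fields with a fresh random nonce."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}


def validate_token(token: dict, now_iso: str) -> bool:
    """Service side (Direct Authentication): check digest, freshness and nonce reuse."""
    password = USERS.get(token.get("Username", ""))
    if password is None:
        return False
    now = parse_created(now_iso)
    created = parse_created(token["Created"])
    if abs(now - created) > FRESHNESS:
        return False                      # stale or far-future timestamp
    for nonce, seen in list(SEEN_NONCES.items()):
        if now - seen > FRESHNESS:        # drop aged-out nonces to bound the cache
            del SEEN_NONCES[nonce]
    if token["Nonce"] in SEEN_NONCES:
        return False                      # replayed token
    expected = password_digest(token["Nonce"], token["Created"], password)
    if not hmac.compare_digest(expected, token["Password"]):
        return False                      # wrong password or tampered fields
    SEEN_NONCES[token["Nonce"]] = created
    return True
```

The digest only proves knowledge of the password; it does not protect the rest of the message, so the deck's pairing with TLS (slide 14) or a message signature (slide 31) still applies.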