Identity patterns and anti-patterns in real world web services

Identity patterns and anti-patterns in real world web services @ Apache Asia Roadshow 2009 ~ Colombo

    Presentation Transcript

    • Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2
    • Proof of identity
    • Something you know…
    • Something you have…
    • Something you are…
    • Multifactor Authentication
    • Anyone can access my Service 
    • WSDL WSDL WSDL
    • WSDL WSDL WSDL
    • Transport Level Security Vs Message Level Security
    • Transport Level Security
    • Message Level Security
    • <wsse:UsernameToken wsu:Id="Example-1">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
      </wsse:UsernameToken>
    • BasicAuth with Transport Level Security
    • Direct Authentication Pattern Problem : How to avoid anonymous users accessing a web service
    • Direct Authentication Pattern Solution : The web service acts as an authentication service to validate credentials from the client.
    • Direct Authentication Pattern Implementation(s) : UsernameToken with WSSE BasicAuth with TLS
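The UsernameToken slide and the Direct Authentication pattern above leave out what the service actually checks when it "validates credentials from the client". The following is an added example, not code from the talk or from WSO2/Rampart: it builds a UsernameToken with a PasswordDigest (as the WS-Security UsernameToken Profile 1.0 defines it: Base64(SHA-1(nonce + created + password))) and verifies it on the service side, rejecting plaintext passwords, stale Created timestamps and replayed nonces. The user store, the 5-minute freshness window and the in-memory nonce cache are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespace and type URIs from WS-Security 1.0 / UsernameToken Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_utc(ts: str) -> datetime:
    """Parse the xsd:dateTime form used in wsu:Created, e.g. 2009-08-20T10:15:30Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: a UsernameToken carrying a digest password, a fresh nonce and a timestamp."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="Example-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class NonceCache:
    """Remembers accepted nonces for as long as their Created time could still be accepted (assumed in-memory)."""

    def __init__(self):
        self._expiry = {}  # nonce bytes -> datetime after which it may be forgotten

    def check_and_add(self, nonce: bytes, now: datetime, ttl: timedelta) -> bool:
        for stale in [n for n, exp in self._expiry.items() if exp <= now]:
            del self._expiry[stale]
        if nonce in self._expiry:
            return False  # seen before: replay
        self._expiry[nonce] = now + ttl
        return True


def verify_username_token(xml: str, users: dict, cache: NonceCache, now: str = None,
                          max_skew: timedelta = timedelta(minutes=5)):
    """Server side. Returns (username, None) on success, (None, reason) otherwise."""
    now_dt = parse_utc(now) if now else datetime.now(timezone.utc)
    tok = ET.fromstring(xml)
    if tok.tag != f"{{{WSSE}}}UsernameToken":
        return None, "not a UsernameToken"
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_el = tok.find(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_el is None or created is None:
        return None, "missing element"
    if pw.get("Type") != PASSWORD_DIGEST:
        return None, "only PasswordDigest is accepted"  # PasswordText exposes the secret itself
    try:
        created_dt = parse_utc(created)
        nonce = base64.b64decode(nonce_el.text or "", validate=True)
    except ValueError:
        return None, "malformed Created or Nonce"
    if abs(now_dt - created_dt) > max_skew:
        return None, "Created outside freshness window"
    # The digest profile requires the server to know the password (or an equivalent). An
    # unknown user still goes through the comparison so both failure paths cost the same.
    expected = password_digest(nonce, created, users.get(username, ""))
    if username not in users or not hmac.compare_digest(expected, pw.text or ""):
        return None, "bad credentials"
    # Only nonces of otherwise-valid messages are remembered; a second copy is a replay.
    if not cache.check_and_add(nonce, now_dt, 2 * max_skew):
        return None, "nonce replayed"
    return username, None


if __name__ == "__main__":
    store, cache = {"alice": "s3cret"}, NonceCache()  # constructed sample user store
    token = build_username_token("alice", "s3cret")
    print(verify_username_token(token, store, cache))  # accepted
    print(verify_username_token(token, store, cache))  # same token again: replay
```

The freshness window and the nonce cache are what make the digest form more than an obfuscated password: without them a captured token can be presented again indefinitely. The cache only needs to hold nonces for twice the skew window, because anything older fails the Created check first.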
    • Exception Shielding Pattern Problem : Exception data output by a service containing implementation details could compromise the security of the service
    • Exception Shielding Pattern Solution : Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers
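The Exception Shielding slides describe replacing unsafe exception data with data that is "safe by design". The following is an added example, not code from the talk: a decorator that lets a service operation raise faults it has deliberately chosen to expose, while any other exception is logged server-side under a correlation reference and replaced by a generic SOAP 1.1 Fault. The backend error text, the account lookup and the fault wording are constructed for the demonstration.

```python
import logging
import uuid
from functools import wraps
from xml.sax.saxutils import escape

log = logging.getLogger("service")


class ServiceFault(Exception):
    """A fault the service chose to expose: code and reason are safe by design."""

    def __init__(self, code: str, reason: str):
        super().__init__(reason)
        self.code, self.reason = code, reason


def soap_fault(code: str, reason: str) -> str:
    """Render a SOAP 1.1 Fault. Only pre-approved text reaches this function."""
    return (
        '<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<faultcode>soapenv:{escape(code)}</faultcode>"
        f"<faultstring>{escape(reason)}</faultstring></soapenv:Fault>"
    )


def shield(operation):
    """Exception Shielding: deliberate faults pass through; everything else is sanitized."""

    @wraps(operation)
    def wrapper(*args, **kwargs):
        try:
            return operation(*args, **kwargs)
        except ServiceFault as fault:
            return soap_fault(fault.code, fault.reason)
        except Exception:
            # Full detail stays in the server log, keyed by a reference the consumer can quote.
            ref = uuid.uuid4().hex[:12]
            log.exception("operation %s failed, reference %s", operation.__name__, ref)
            return soap_fault("Server", f"Internal error (reference {ref})")

    return wrapper


class BackendError(Exception):
    """Constructed stand-in for a verbose driver/ORM exception."""


def _query_backend(account_id: str) -> dict:
    # Hypothetical backend: the error message carries the kind of detail that must not leak.
    if account_id == "42":
        return {"id": "42", "balance": 100}
    raise BackendError(
        "connection to jdbc:mysql://db-internal.example:3306/accounts as app_user failed "
        f"while executing SELECT * FROM accounts WHERE id='{account_id}'"
    )


@shield
def get_account(account_id: str):
    if not account_id.isdigit():
        raise ServiceFault("Client", "account id must be numeric")  # safe to expose
    return _query_backend(account_id)


def unshielded(account_id: str) -> str:
    """What a consumer would see without the pattern: the raw exception text."""
    try:
        return str(get_account.__wrapped__(account_id))
    except Exception as exc:
        return str(exc)


if __name__ == "__main__":
    print(get_account("42"))
    print(get_account("abc"))
    print(get_account("7"))      # generic fault with a reference
    print(unshielded("7"))       # host, schema and query leak
```

The split between `ServiceFault` and everything else is the whole pattern: the allow-list of what may be said to a consumer lives in the code that raises, not in string filtering applied afterwards.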
    • Users OUT SIDE Our Domain Need ACCESS
    • Direct Authentication needs us to maintain user credentials internally
    • We don’t have the credential of external users
    • Direct Authentication doesn’t solve our problem
    • Can’t we delegate Authentication to the External Domain itself
    • WS-TRUST
    • Brokered Authentication Pattern Problem : How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate
    • Brokered Authentication Pattern Solution : Delegate authentication to a third party who knows to validate user credentials and the service trusts the assertions provided by that particular third party
    • Brokered Authentication Pattern Implementation(s) : WS-Trust OpenID, Information Cards, OAuth
    • How do we know the legitimacy of the third party Security Token Service ?
    • Data Origin Authentication Pattern Problem : How do we prevent an attacker from manipulating messages in transit between a client and a web service.
    • Data Origin Authentication Pattern Solution : Validate message integrity and non-repudiation with a message signature
    • Our services access downstream resources with the authenticated user’s credentials
    • This could bring security risks – and make downstream resources vulnerable to attacks
    • How about controlling user access to the downstream resources
    • Service acts as the client – with service’s credentials
    • Trusted Sub System Pattern Problem : A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to an undesirable form of implementation coupling.
    • Trusted Sub System Pattern Solution : The service is designed to use its own credentials for authentication and authorization with backend resources on behalf of the consumers
    • Patterns @ Work…
    • Message Interceptor Gateway Pattern Problem : Different deployed services could have different security policies, and a security vulnerability in the weakest service could be exploited to create loopholes in the entire system.
    • Message Interceptor Gateway Pattern Solution : Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
    • http://blog.facileLogin.com http://RampartFAQ.com prabath@apache.org prabath@wso2.com
    • Thank You…!!!