Identity patterns and anti-patterns in real world web services

Identity patterns and anti-patterns in real world web services @ Apache Asia Roadshow 2009 ~ Colombo

Published in: Technology

  • 1. Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2
  • 2. Proof of identity
  • 3. Something you know…
  • 4. Something you have…
  • 5. Something you are…
  • 6. Multifactor Authentication
  • 7. Anyone can access my Service
  • 10. Transport Level Security Vs Message Level Security
  • 11. Transport Level Security
  • 12. Message Level Security
  • 13. <wsse:UsernameToken wsu:Id="Example-1">
          <wsse:Username> ... </wsse:Username>
          <wsse:Password Type="..."> ... </wsse:Password>
          <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
          <wsu:Created> ... </wsu:Created>
        </wsse:UsernameToken>
  • 14. BasicAuth with Transport Level Security
  • 15. Direct Authentication Pattern Problem : How to avoid anonymous users accessing a web service
  • 16. Direct Authentication Pattern Solution : The web service acts as an authentication service to validate credentials from the client.
  • 17. Direct Authentication Pattern Implementation(s) : UsernameToken with WSSE; BasicAuth with TLS
  • 18. Exception Shielding Pattern Problem : Exception data output by a service containing implementation details could compromise the security of the service
  • 19. Exception Shielding Pattern Solution : Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers
  • 20. Users OUTSIDE Our Domain Need ACCESS
  • 21. Direct Authentication needs us to maintain user credentials internally
  • 22. We don’t have the credential of external users
  • 23. Direct Authentication doesn’t solve our problem
  • 24. Can’t we delegate Authentication to the External Domain itself?
  • 25. WS-TRUST
  • 26. Brokered Authentication Pattern Problem : How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate
  • 27. Brokered Authentication Pattern Solution : Delegate authentication to a third party who knows how to validate user credentials; the service trusts the assertions provided by that particular third party
  • 28. Brokered Authentication Pattern Implementation(s) : WS-Trust, OpenID, Information Cards, OAuth
  • 29. How do we know the legitimacy of the third party Security Token Service?
  • 30. Data Origin Authentication Pattern Problem : How do we prevent an attacker from manipulating messages in transit between a client and a web service?
  • 31. Data Origin Authentication Pattern Solution : Validate message integrity and non-repudiation with a message signature
  • 32. Our services access downstream resources with the authenticated user’s credentials
  • 33. This could bring security risks – and make downstream resources vulnerable to attacks
  • 34. How about controlling user access to the downstream resources?
  • 35. Service acts as the client – with service’s credentials
  • 36. Trusted Sub System Pattern Problem : A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to an undesirable form of implementation coupling.
  • 37. Trusted Sub System Pattern Solution : The service is designed to use its own credentials for authentication and authorization with backend resources on behalf of the consumers
  • 38. Patterns @ Work…
  • 39. Message Interceptor Gateway Pattern Problem : Different services deployed could have different security policies, and a security vulnerability of the weakest service could be exploited to create loopholes in the entire system.
  • 40. Message Interceptor Gateway Pattern Solution : Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
  • 42. Thank You…!!!
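As an added example, not part of the original slides or of WSO2's code: a server-side validator for the wsse:UsernameToken shown on slide 13, which is the Direct Authentication implementation named on slide 17. It uses the PasswordDigest form from the WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), and checks Created freshness and nonce replay before comparing the digest; the user store, skew window and in-memory nonce cache are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed user store and policy values (assumptions, not from the slides).
USER_SECRETS = {"alice": "correct horse battery staple"}
MAX_SKEW = timedelta(minutes=5)          # accepted |now - Created| window
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SEEN_NONCES = set()                      # replay cache; a real service expires entries

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """wsse:Password of Type PasswordDigest (WSS UsernameToken Profile 1.0):
    Base64(SHA-1(nonce || created || password)), nonce as its decoded bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username: str, password: str, now=None) -> dict:
    """Client side: the element values of a wsse:UsernameToken with a fresh nonce."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce, "Created": created,
            "Password": password_digest(nonce, created, password)}

def verify_token(token: dict, now=None, seen=None) -> bool:
    """Server side (Direct Authentication): the service validates the credential itself.
    Order: known user -> parseable, fresh Created -> unseen nonce -> digest match."""
    now = now or datetime.now(timezone.utc)
    seen = SEEN_NONCES if seen is None else seen
    secret = USER_SECRETS.get(token.get("Username", ""))
    if secret is None:
        return False
    try:
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        expected = password_digest(token["Nonce"], token["Created"], secret)
    except (KeyError, ValueError):       # missing fields or a non-Base64 nonce
        return False
    if abs(now - created) > MAX_SKEW:
        return False                     # stale or far-future timestamp
    if token["Nonce"] in seen:
        return False                     # replayed token
    if not hmac.compare_digest(expected, token.get("Password", "")):
        return False
    seen.add(token["Nonce"])             # remember only tokens that actually authenticated
    return True
```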