WSO2 SOA Security

Transcript

  • 1. Santa Clara, CA. Secured SOA. By Prabath Siriwardena ~ WSO2
  • 2. Securing a Web Service..???
  • 3. People Can SEE What You Send
  • 4. People Can ALTER What You Send
  • 5. People Can ALTER What You Send
  • 6. Anyone Can CALL Your Service
  • 7. People SEE What’s On
  • 8. People Can ALTER What’s On
  • 9. People Can ALTER What’s On
  • 10. HTTP is NOT Secured
  • 11. HTTPS
  • 12. HTTPS is Transport Level
  • 13. Security inherited from the transport channel
  • 14. Safe only while on the transport
  • 15. Parts of the message CANNOT BE encrypted
  • 16. Authenticating with HTTPS ?
  • 17. BasicAuth
  • 18. Mutual Authentication
  • 19. SSL Handshake
  • 20. CLIENT_HELLO Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
  • 21. SERVER_HELLO Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
  • 22. CERTIFICATE Public Key, Authentication Signature
  • 23. CLIENT_CERT_REQUEST [Optional]
  • 24. CLIENT_CERT [Optional]
  • 25. CLIENT_KEY_EXCHANGE
  • 26. CERTIFICATE_VERIFY [Optional]
  • 27. CHANGE_CIPHER_SPEC
  • 28. FINISHED
  • 29. CHANGE_CIPHER_SPEC
  • 30. FINISHED
  • 31. MONDAY Morning
  • 32. NOT Happy With HTTPS
  • 33. Requires END To END Security
  • 34. Parts of message need to be Encrypted
  • 35. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 36. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 37. Message Level Security
  • 38. XML Encryption
  • 39. XML Signature
  • 40. WS-Security
  • 41. Confidentiality
  • 42. Integrity
  • 43. NON-Repudiation
  • 44. Authentication
  • 45. UsernameToken
  • 46. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
  • 47. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
  • 48. NOBODY In the Middle Can ALTER the Message
  • 49. Only the Authenticated Users Can Invoke the Service
  • 50. Sign & Encrypt OR Encrypt & Sign
  • 51. Sign & Encrypt: Message, Signature
  • 52. XML Signature defines THREE types of signatures
  • 53. <Message> <Signature> </Signature> </Message>
  • 54. <Signature> <Message> </Message> </Signature>
  • 55. <Signature> </Signature> <Message> </Message>
  • 56. <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  • 57. Sign & Encrypt With WS-Security
  • 58. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  • 59. 2 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  • 60. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 61. Encrypt & Sign: Message, Signature
  • 62. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  • 63. 2 <Envelope> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 64. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 65. WS-Security: XML Signature, XML Encryption, Username Token Profile, X.509 Token Profile
  • 66. DONE with My First Assignment
  • 67. BUT… Paul NOT Happy 
  • 68. Authentication LIMITED to INTERNAL Users ONLY
  • 69. Users OUTSIDE Our Domain Need ACCESS
  • 70. We DON’T Have Their Credentials
  • 71. We Can’t Use UsernameToken 
  • 72. Delegate Authentication to the External Domain itself
  • 73. They Should Know How to Authenticate Their Own Users
  • 74. We TRUST What the External Domain Says
  • 75. WS-TRUST
  • 76. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
  • 77. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
  • 78. WS-Trust; WS-Security: Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  • 79. Another Problem on HAND…
  • 80. How Do We Communicate our Security Requirements to Outsiders ?
  • 81. The Encryption Algorithm We Use…
  • 82. Key Size…
  • 83. Token Types…
  • 84. Elements to be Signed…
  • 85. Elements to be Encrypted…
  • 86. Use Symmetric Key or Asymmetric Key…
  • 87. WS-Security Policy
  • 88. Finally… all on the White Board…
  • 89. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
  • 90. Thank You…!!!
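The UsernameToken on slide 46 carries a nonce and a Created timestamp because the password is normally sent as a digest, Base64(SHA-1(nonce + created + password)) per the WS-Security UsernameToken Profile, and the receiver must check both freshness and nonce uniqueness or a captured token can be replayed. The following is an added example, not code from the deck or from WSO2: a client-side token builder and a server-side verifier with a replay cache; the user store, the demo credential and the 5-minute skew window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

USERS = {"alice": "s3cr3t"}  # constructed demo credential store, not a real directory
CLOCK_SKEW = timedelta(minutes=5)  # assumed freshness window for wsu:Created
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
PASSWORD_DIGEST = WSS + "username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = WSS + "soap-message-security-1.0#Base64Binary"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh random nonce and timestamp, digest instead of the clear password."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FORMAT)
    return {"Username": username, "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode(), "Created": created}

def to_xml(token: dict) -> str:
    """Render the header as on slide 46 (wsse/wsu prefixes assumed declared on the Envelope)."""
    return (f'<wsse:UsernameToken wsu:Id="Example-1"><wsse:Username>{token["Username"]}</wsse:Username>'
            f'<wsse:Password Type="{PASSWORD_DIGEST}">{token["Password"]}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{token["Nonce"]}</wsse:Nonce>'
            f'<wsu:Created>{token["Created"]}</wsu:Created></wsse:UsernameToken>')

class TokenVerifier:
    """Server side: recompute the digest, reject stale timestamps and replayed nonces."""
    def __init__(self, users: dict, skew: timedelta = CLOCK_SKEW):
        self.users, self.skew, self.seen_nonces = users, skew, set()

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False  # unknown user
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.skew:
            return False  # stale (or far-future) Created: outside the freshness window
        if token["Nonce"] in self.seen_nonces:
            return False  # same nonce seen before: a replayed, captured token
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False  # wrong password or tampered token
        self.seen_nonces.add(token["Nonce"])  # remember nonce for the freshness window
        return True
```

The nonce cache only needs to hold nonces for the length of the skew window, since anything older is already rejected by the timestamp check.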
