Identity patterns and anti-patterns in real world web services

Slides presented at the Apache Asia Roadshow 2009, Colombo. Published in: Technology.

1. Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2
2. Proof of identity
3. Something you know…
4. Something you have…
5. Something you are…
6. Multifactor Authentication
7. Anyone can access my Service
8-9. (diagram slides: services publishing their WSDLs)
10. Transport Level Security Vs Message Level Security
11. Transport Level Security
12. Message Level Security
13. <wsse:UsernameToken wsu:Id="Example-1">
      <wsse:Username> ... </wsse:Username>
      <wsse:Password Type="..."> ... </wsse:Password>
      <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
      <wsu:Created> ... </wsu:Created>
    </wsse:UsernameToken>
    (The Password Type is either PasswordText or PasswordDigest as defined by the WSS UsernameToken Profile; the Nonce and Created elements are what let the receiver reject a replayed token.)
14. BasicAuth with Transport Level Security
15. Direct Authentication Pattern
    Problem: How to avoid anonymous users accessing a web service
16. Direct Authentication Pattern
    Solution: The web service acts as an authentication service to validate credentials from the client.
17. Direct Authentication Pattern
    Implementation(s): UsernameToken with WSSE; BasicAuth with TLS
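The UsernameToken of slide 13 and the Direct Authentication pattern of slides 15-17, worked through as an added example (not code from the slides or from WSO2/Rampart): the client computes the PasswordDigest form of the token as the WSS UsernameToken Profile 1.0 defines it, Base64(SHA-1(nonce + created + password)), and the service validates it against a credential store it maintains itself. The in-memory user store, the five-minute freshness window and the replay cache are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Added example, not code from the slides: client side builds a WS-Security
# UsernameToken in PasswordDigest form, service side validates it itself
# (Direct Authentication). Digest rule from the WSS UsernameToken Profile 1.0:
#     PasswordDigest = Base64(SHA-1(nonce_bytes + created_text + password_text))
# The user store, the 5-minute window and the replay cache are assumptions.

WS_TIME = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime in UTC, as wsu:Created carries it


def make_username_token(username, password, created=None, nonce=None):
    """Client side: the values that go into the <wsse:UsernameToken> element."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WS_TIME)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return {
        "Username": username,
        "PasswordDigest": digest,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenValidator:
    """Service side: the service checks the credential against its own store."""

    def __init__(self, user_store, max_age=timedelta(minutes=5)):
        # username -> cleartext password. The digest can only be recomputed if
        # the service holds the password (or an equivalent), so this store is
        # itself a high-value target.
        self.user_store = user_store
        self.max_age = max_age
        self.seen_nonces = set()   # replay cache; a real one expires entries after max_age

    def validate(self, token, now=None):
        """Return (accepted, reason). Freshness and replay are checked before
        the digest, so a stale or replayed token costs no hashing."""
        now = now or datetime.now(timezone.utc)
        password = self.user_store.get(token["Username"])
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], WS_TIME).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(now - created) > self.max_age:
            return False, "stale Created"
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = make_username_token(token["Username"], password,
                                       created=token["Created"], nonce=nonce)["PasswordDigest"]
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "bad digest"
        self.seen_nonces.add(nonce)
        return True, "ok"
```

PasswordDigest keeps the password off the wire for a passive observer, but a captured token can be brute-forced offline (one SHA-1 per guess) and the service must hold the cleartext password to recompute the digest, so the pairing with transport security that slide 14 shows for BasicAuth applies to the digest form as well.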
18. Exception Shielding Pattern
    Problem: Exception data output by a service containing implementation details could compromise the security of the service
19. Exception Shielding Pattern
    Solution: Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers
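The Exception Shielding pattern of slides 18-19 as an added example (not code from the slides): the same operation with an unshielded fault handler that leaks table and host names, and a shielded one that maps exceptions by type to faults that are safe by design and logs the detail under a correlation id. The order store, the fault codes and the logger name are assumptions for the illustration.

```python
import logging
import traceback
import uuid

# Added example, not code from the slides: the same service operation with an
# unshielded fault handler and a shielded one. The order store, the fault codes
# and the logger name are assumptions for illustration.

log = logging.getLogger("orders")


class OrderNotFound(LookupError):
    pass


def lookup_order(order_id, db):
    """Backend call whose error text carries implementation detail."""
    if order_id not in db:
        raise OrderNotFound(f"no row in orders_v2 for id={order_id!r} (host db01.internal)")
    return db[order_id]


def handle_unshielded(order_id, db):
    """Anti-pattern: table name, host name and stack trace go to the consumer."""
    try:
        return {"ok": True, "order": lookup_order(order_id, db)}
    except Exception as e:
        return {"ok": False, "fault": f"{type(e).__name__}: {e}", "trace": traceback.format_exc()}


# Only exception types listed here are described to the consumer; anything
# else becomes a generic server fault. Mapping is by type, never by message text.
SAFE_FAULTS = [
    (OrderNotFound, ("Client.NotFound", "order not found")),
]


def safe_fault_for(exc):
    for cls, fault in SAFE_FAULTS:
        if isinstance(exc, cls):
            return fault
    return ("Server", "internal error")


def handle_shielded(order_id, db):
    """Exception shielding: log the real exception under a correlation id and
    return a fault that is safe by design."""
    try:
        return {"ok": True, "order": lookup_order(order_id, db)}
    except Exception as e:
        ref = uuid.uuid4().hex   # operators find the detail by this id; consumers see only the id
        log.error("fault %s: %s\n%s", ref, e, traceback.format_exc())
        code, text = safe_fault_for(e)
        return {"ok": False, "fault": {"code": code, "text": text, "ref": ref}}
```

The allow-list is the point: an exception the service did not anticipate (here a TypeError from a broken database handle) must not be described at all, only correlated.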
20. Users OUTSIDE Our Domain Need ACCESS
21. Direct Authentication needs us to maintain user credentials internally
22. We don’t have the credentials of external users
23. Direct Authentication doesn’t solve our problem
24. Can’t we delegate Authentication to the External Domain itself?
25. WS-TRUST
26. Brokered Authentication Pattern
    Problem: How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate
27. Brokered Authentication Pattern
    Solution: Delegate authentication to a third party that knows how to validate the users’ credentials; the service trusts the assertions issued by that third party
28. Brokered Authentication Pattern
    Implementation(s): WS-Trust; OpenID, Information Cards, OAuth
29. How do we know the legitimacy of the third party Security Token Service?
30. Data Origin Authentication Pattern
    Problem: How do we prevent an attacker from manipulating messages in transit between a client and a web service?
31. Data Origin Authentication Pattern
    Solution: Validate message integrity and non-repudiation with a message signature
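The Brokered Authentication pattern of slides 26-28, the question of slide 29 and the Data Origin Authentication pattern of slides 30-31, worked through as one added example (not code from the slides or from any WS-Trust implementation), because in WS-Trust they are one exchange: the STS vouches for a user the service cannot authenticate itself, and the client signs each message with a proof key bound to that token so the service detects manipulation in transit. The answer to slide 29 is the `trusted_issuers` table: the service is configured with the keys of the STSs it accepts, which with X.509 becomes a trust store. Simplifications, all assumptions of this example: tokens are JSON rather than SAML/XML, every signature is HMAC-SHA256 over a shared key instead of XML-Signature with X.509, and the proof key is derived from the token id with a key shared by STS and service rather than encrypted into the token.

```python
import hashlib
import hmac
import json
import os
import time

# Added example, not code from the slides: WS-Trust reduced to its security
# checks. Assumptions: JSON tokens instead of SAML/XML, HMAC-SHA256 instead of
# XML-Signature with X.509, proof key derived from the token id with a key
# shared by STS and service instead of being encrypted into the token.


def canonical(obj):
    """Deterministic serialization so signer and verifier hash identical bytes
    (the role XML canonicalization plays in XML-Signature)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def proof_key_for(proof_root, token_id):
    return hmac.new(proof_root, token_id.encode("ascii"), hashlib.sha256).digest()


class STS:
    """The third party that holds the external users' credentials."""

    def __init__(self, name, issuer_key, users, proof_root):
        self.name, self.issuer_key, self.users, self.proof_root = name, issuer_key, users, proof_root

    def issue(self, username, password, audience, now=None, ttl=300):
        if self.users.get(username) != password:
            raise PermissionError("STS rejected credentials")
        now = now if now is not None else time.time()
        token = {"id": os.urandom(8).hex(), "issuer": self.name, "subject": username,
                 "audience": audience, "expires": int(now + ttl)}
        signed = {"token": token, "signature": sign(self.issuer_key, token)}
        # The proof key is returned to the client over its own (TLS) channel.
        return signed, proof_key_for(self.proof_root, token["id"])


class Client:
    def __init__(self, signed_token, proof_key):
        self.signed_token, self.proof_key = signed_token, proof_key

    def request(self, body):
        """Attach the token and sign token+body with the proof key."""
        msg = {"token": self.signed_token, "body": body}
        msg["signature"] = sign(self.proof_key, {"token": self.signed_token["token"], "body": body})
        return msg


class Service:
    """Holds no user credentials; trusts only the issuers it is configured with."""

    def __init__(self, name, trusted_issuers, proof_root):
        self.name = name
        self.trusted_issuers = trusted_issuers   # issuer name -> issuer key (the slide 29 decision)
        self.proof_root = proof_root

    def accept(self, msg, now=None):
        """Return (accepted, subject or reason), cheapest checks first."""
        now = now if now is not None else time.time()
        token, tsig = msg["token"]["token"], msg["token"]["signature"]
        key = self.trusted_issuers.get(token["issuer"])
        if key is None:
            return False, "untrusted issuer"
        if not hmac.compare_digest(tsig, sign(key, token)):
            return False, "bad token signature"
        if token["audience"] != self.name:
            return False, "token not for this service"
        if token["expires"] < now:
            return False, "token expired"
        expected = sign(proof_key_for(self.proof_root, token["id"]), {"token": token, "body": msg["body"]})
        if not hmac.compare_digest(msg["signature"], expected):
            return False, "message tampered or not from the token holder"
        return True, token["subject"]
```

One caveat on slide 31's wording: a MAC over a shared key gives the service integrity and origin authentication, but not non-repudiation, since the service itself could have produced the same MAC. Non-repudiation toward a third party needs an asymmetric signature under the sender's private key, which is what an XML-Signature with an X.509 token provides.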
32. Our services access downstream resources with the authenticated user’s credentials
33. This could bring security risks – and make downstream resources vulnerable to attacks
34. How about controlling user access to the downstream resources?
35. Service acts as the client – with the service’s credentials
36. Trusted Subsystem Pattern
    Problem: A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to an undesirable form of implementation coupling.
37. Trusted Subsystem Pattern
    Solution: The service is designed to use its own credentials for authentication and authorization with backend resources on behalf of the consumers
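The Trusted Subsystem pattern of slides 32-37 as an added example (not code from the slides): the backend accepts only the service's own credential, the service authenticates and authorizes the end user itself before calling the backend on the user's behalf, and the user's identity travels as a claim for the audit trail rather than as a credential. The order rows, credentials and ownership policy are assumptions for the illustration.

```python
# Added example, not code from the slides: a backend that accepts only the
# service's own credential, and a service that authenticates and authorizes
# the end user itself before calling the backend on the user's behalf.
# The order rows, credentials and policy are assumptions for illustration.


class Backend:
    """Downstream resource (think: database) reachable only by trusted subsystems."""

    def __init__(self, trusted_clients):
        self.trusted_clients = trusted_clients   # client id -> client secret
        self.rows = {"ord-1": {"owner": "alice", "total": 40},
                     "ord-2": {"owner": "bob", "total": 75}}
        self.audit = []   # (subsystem, end user, row): the user is not lost behind the service's credential

    def fetch(self, client_id, client_secret, order_id, on_behalf_of):
        if self.trusted_clients.get(client_id) != client_secret:
            raise PermissionError("backend: caller is not a trusted subsystem")
        self.audit.append((client_id, on_behalf_of, order_id))
        return self.rows.get(order_id)


class OrderService:
    """The trusted subsystem: its own credential opens the backend; the user's
    identity is carried as a claim, never as a credential."""

    def __init__(self, backend, client_id, client_secret, authenticate, policy):
        self.backend = backend
        self.client_id, self.client_secret = client_id, client_secret
        self.authenticate = authenticate   # credential -> username or None (direct or brokered)
        self.policy = policy               # (username, row) -> bool, decided here, not in the backend

    def get_order(self, user_credential, order_id):
        user = self.authenticate(user_credential)
        if user is None:
            return None, "unauthenticated"
        row = self.backend.fetch(self.client_id, self.client_secret, order_id, on_behalf_of=user)
        if row is None:
            return None, "not found"
        if not self.policy(user, row):
            return None, "forbidden"   # the service, not the backend, stops the user
        return row, "ok"


def user_can_bypass_service(backend, user, user_credential, order_id):
    """The problem slide 36 names: a consumer going straight to the backend
    with its own credential. With the pattern applied this must fail."""
    try:
        backend.fetch(user, user_credential, order_id, on_behalf_of=user)
        return True
    except PermissionError:
        return False


def build_demo():
    backend = Backend({"order-service": "svc-secret"})
    sessions = {"alice-token": "alice", "bob-token": "bob"}    # constructed session table
    service = OrderService(backend, "order-service", "svc-secret",
                           authenticate=sessions.get,
                           policy=lambda user, row: row["owner"] == user)
    return backend, service
```

The pattern concentrates privilege in the service, which makes it a confused-deputy target: the policy check inside the service is what stands between every authenticated user and the whole backend, and the on_behalf_of claim is what keeps the backend's audit log attributable to a person rather than to the service account.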
38. Patterns @ Work…
39. Message Interceptor Gateway Pattern
    Problem: Different services deployed could have different security policies, and a security vulnerability in the weakest service could be exploited to create loopholes in the entire system.
40. Message Interceptor Gateway Pattern
    Solution: Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
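The Message Interceptor Gateway pattern of slides 39-40 as an added example (not code from the slides or from any gateway product): one entry point runs an ordered chain of inbound interceptors over every message before any service sees it, and an outbound chain over every response, so a service that does no checking of its own cannot lower the baseline. The two services, the session table and the size limit are assumptions for the illustration.

```python
import json

# Added example, not code from the slides: a single entry point with an inbound
# and an outbound interceptor chain applied to every service behind it.
# The services, the session table and the size limit are assumptions.

MAX_BODY_BYTES = 4096


class Reject(Exception):
    pass


# --- inbound interceptors: (message, context) -> None, raise Reject to stop ---

def make_credential_check(sessions):
    def require_credential(msg, ctx):
        user = sessions.get(msg.get("credential"))
        if user is None:
            raise Reject("missing or invalid credential")
        ctx["user"] = user
    return require_credential


def size_limit(msg, ctx):
    if len(json.dumps(msg.get("body"))) > MAX_BODY_BYTES:
        raise Reject("message too large")


# --- outbound interceptor: (response, context) -> response ---

def strip_internal_fields(resp, ctx):
    return {k: v for k, v in resp.items() if not k.startswith("_")}


# --- two services with uneven policies (the weakest link slide 39 describes) ---

def reports_service(body, ctx):
    # Does no checking of its own; reached directly it would answer anyone.
    return {"report": f"figures for {body.get('q')}"}


def orders_service(body, ctx):
    return {"order": body.get("id"), "owner": ctx.get("user"), "_debug": "shard=3"}


class Gateway:
    def __init__(self, inbound, outbound, services):
        self.inbound, self.outbound, self.services = inbound, outbound, services

    def handle(self, msg):
        ctx = {}
        try:
            for step in self.inbound:
                step(msg, ctx)
            service = self.services.get(msg.get("service"))
            if service is None:
                raise Reject("no such service")
            resp = service(msg.get("body") or {}, ctx)
            for step in self.outbound:
                resp = step(resp, ctx)
            return {"status": "ok", "body": resp}
        except Reject as e:
            return {"status": "rejected", "reason": str(e)}


def build_gateway():
    sessions = {"alice-token": "alice"}   # constructed session table
    return Gateway(inbound=[make_credential_check(sessions), size_limit],
                   outbound=[strip_internal_fields],
                   services={"reports": reports_service, "orders": orders_service})
```

The gateway only helps if it is the only path: the services must be reachable from the gateway alone (network policy or a credential only the gateway holds, as in the Trusted Subsystem pattern), otherwise reports_service is still an open door.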
41. http://blog.facileLogin.com  http://RampartFAQ.com  prabath@apache.org  prabath@wso2.com
42. Thank You…!!!