SOA security needs to be by design, not as an afterthought. This session will demonstrate implementing Message Interceptor Gateway security pattern with WSO2 ESB, WSO2 WSAS and WSO2 Identity Server – together with the OpenID/Information Cards integration pattern at the front end. The Message Interceptor Gateway pattern provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages. Further, this session explores adding authentication and fine grained authorization for web services.
The Secured Enterprise: Leverage OpenID with Web Services
1. OSCON July 20 – 24, 2009, San Jose, California
The Secured Enterprise: Leverage OpenID with Web Services
Prabath Siriwardena
Technical Lead & Product Manager
WSO2
2. WSO2 is an innovative Open Source technology company devoted to building Web services middleware for your SOA. Offering leading products, support and other services, WSO2 was founded in August 2005. It is a global corporation with offices located in the USA, the UK and Sri Lanka.
6. ROUND TABLE DISCUSSION: What do we need to secure…
7. ROUND TABLE DISCUSSION: We have a bunch of services already developed and some under development….
8. ROUND TABLE DISCUSSION: Yes…. we need to make sure all the data transferred is secured….
9. ROUND TABLE DISCUSSION: How about securing data transfer between the service and the client through HTTPS….
10. ROUND TABLE DISCUSSION: HTTPS is not bad.. But still it has certain limitations…
11. NOTES…… HTTPS
Transport level encryption
Point to point
Entire message needs to be encrypted
Adds little overhead to the message payload
Applies only to HTTP
20. ROUND TABLE DISCUSSION: Can we make sure we interoperate with the rest…
21. ROUND TABLE DISCUSSION: Yes… we need not re-invent the wheel… what is the standard to achieve C-I-A (confidentiality, integrity, authentication) with message level security…?
22. NOTES…… WS-SECURITY
Defines how to achieve confidentiality, integrity and authentication with SOAP messages
Does not define a new security technology; only focuses on applying existing security technologies to SOAP messages
23. ROUND TABLE DISCUSSION: The UsernameToken defined in WS-Security enables us to authenticate users with a username/password…
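How a service should check the UsernameToken authentication just described, as an added example that is not code from the talk or from WSO2: it implements the PasswordDigest form of the WS-Security UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce, Created and password) and rejects stale Created timestamps and replayed nonces, which is what keeps a captured header from being re-used. The in-memory credential store, the five-minute freshness window and the nonce cache are assumptions; rendering the token into the wsse SOAP header is not shown.

```python
import base64, datetime, hashlib, hmac, os

# Constructed credential store; the deployment in the talk would consult LDAP instead.
USERS = {"alice": "s3cret"}
SEEN_NONCES = set()                       # replay cache of nonces already accepted (assumption)
MAX_SKEW = datetime.timedelta(minutes=5)  # how old a Created timestamp may be (assumption)
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(username, password, nonce=None, created=None):
    """Client side: fresh random nonce and UTC Created; the cleartext password never leaves."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

def verify_token(token, now=None):
    """Service side: Created must be fresh, Nonce single-use, digest must match the stored password."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    created = datetime.datetime.strptime(token["Created"], FMT).replace(tzinfo=datetime.timezone.utc)
    if abs(now - created) > MAX_SKEW:
        return False, "stale Created timestamp"
    if token["Nonce"] in SEEN_NONCES:
        return False, "replayed nonce"
    password = USERS.get(token["Username"])
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False, "password digest mismatch"
    SEEN_NONCES.add(token["Nonce"])       # only nonces of accepted tokens are recorded
    return True, "ok"
```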
27. NOTES…… SHARED KEY
A shared key is used for both encryption and decryption
Can operate on large plain text messages
Uses public key encryption to manage shared key distribution securely
Fast
28. NOTES…… KEY WRAPPING
The client and the service need not both have a certificate
A shared key is derived through the service’s certificate
Further communication is encrypted with the derived shared key
41. NOTES…… TRUSTING PARTNERS
We need not authenticate individual external users
We only TRUST external partners
All the requests coming from external users need to be signed by the corresponding partner companies
Only the requests signed by TRUSTED partners are let in
42. ROUND TABLE DISCUSSION: …also our users need access to external systems.. Out of our domain….
43. ROUND TABLE DISCUSSION: That is exactly the other side of what we just discussed.. We need to maintain an internal STS
44. NOTES…… STS
All the requests going outside from internal users need to carry a security token issued by the internal STS
Internal users should authenticate themselves with the internal STS prior to obtaining a security token
External services need to trust our STS
45. NOTES…… [figure: the WS-* stack] WS-Trust sits on top of WS-Security, which in turn builds on the Username Token Profile, the X.509 Token Profile, XML Signature and XML Encryption
46. ROUND TABLE DISCUSSION: Now… the question is how are we going to communicate our security requirements to the rest…
47. ROUND TABLE DISCUSSION: Let’s first list the security requirements…..
48. SECURITY REQUIREMENTS: Internal users should authenticate with user name / password when accessing services directly
49. SECURITY REQUIREMENTS: External users should present a security token from a trusted STS
50. SECURITY REQUIREMENTS: An email address should be present in the security token that comes with the external users.
51. SECURITY REQUIREMENTS: Only some parts of the message need to be encrypted.
57. NOTES…… WS-SECURITY POLICY
Used to express the security requirements of a Web service: what needs to be protected, what tokens to use, algorithms, reference types, etc….
Security policies can be defined at the binding level / operation level
72. NOTES…… MESSAGE INTERCEPTOR GATEWAY PATTERN
Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
Helps to apply transport-level and message-level security mechanisms required for securely communicating with a Web services endpoint.
73. NOTES…… MIG - IMPLEMENTATION
All the services can be deployed inside WSO2 Web Services Application Server [WSAS] – not publicly accessible
An open source web services engine powered by Apache Axis2
81. NOTES…… MIG - IMPLEMENTATION [architecture figure] Gateway components: Authentication Module; Authorization Module [PEP]; LDAP; STS; PAP; PDP; behind them Service A, Service B and Service C
82. NOTES…… WSO2 IDENTITY SERVER
Claim-based security token service - mapping user attributes to defined claims, which can be used to enable identity federation with claim aware web services.
XACML Policy Administration Point & Policy Decision Point
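How the gateway of slides 72 and 81 would enforce security requirements 48, 49 and 50 at its single entry point, as an added example that is not code from the talk, from WSO2 ESB or from Identity Server: the authentication module classifies the caller from the wsse:Security header, then the PEP asks a PDP before anything is forwarded to the services behind the gateway. Assumptions: SAML 1.0 assertions as the STS token format, a constructed trusted issuer name, a rule table standing in for the XACML policies held at the PAP, and constructed envelopes; password digest and partner signature verification are out of scope for this block.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the constructed sample envelopes below.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
TRUSTED_STS = {"urn:sts.partner.example"}  # constructed issuer name of a trusted partner STS
# Rule table the PDP consults, standing in for XACML at the PAP: (caller kind, operation) -> permit
POLICY = {("internal", "getBalance"): True, ("internal", "submitOrder"): True,
          ("external", "submitOrder"): True}

def authenticate(root):  # authentication module: classify the caller from the wsse:Security header
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise PermissionError("no wsse:Security header")
    ut = sec.find("wsse:UsernameToken", NS)
    if ut is not None:  # requirement 48: internal user with username/password (digest check not shown)
        return {"kind": "internal", "subject": ut.findtext("wsse:Username", namespaces=NS)}
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        raise PermissionError("external request without an STS-issued token")
    if assertion.get("Issuer") not in TRUSTED_STS:  # requirement 49: trusted STS only
        raise PermissionError("token issuer is not a trusted STS")
    emails = [a.findtext("saml:AttributeValue", namespaces=NS)  # requirement 50: email claim present
              for a in assertion.iter("{%s}Attribute" % NS["saml"]) if a.get("AttributeName") == "email"]
    if not emails or not emails[0]:
        raise PermissionError("email claim missing from security token")
    return {"kind": "external", "subject": emails[0]}

def intercept(envelope_xml):  # gateway entry point: authenticate, PEP asks PDP, forward or deny
    try:
        root = ET.fromstring(envelope_xml)
        caller = authenticate(root)
        operation = root.find("soap:Body", NS)[0].tag.split("}")[-1]
        if not POLICY.get((caller["kind"], operation), False):  # PEP: deny unless the PDP permits
            raise PermissionError("%s may not call %s" % (caller["subject"], operation))
    except PermissionError as exc:
        return ("deny", str(exc))
    return ("permit", caller["kind"], caller["subject"], operation)  # would now forward to WSAS

# Constructed sample envelopes (not from the talk); the partner's signature is not modelled.
INTERNAL = """<s:Envelope xmlns:s="%(soap)s"><s:Header><wsse:Security xmlns:wsse="%(wsse)s">
<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
</wsse:Security></s:Header><s:Body><getBalance/></s:Body></s:Envelope>""" % NS
EXTERNAL = """<s:Envelope xmlns:s="%(soap)s"><s:Header><wsse:Security xmlns:wsse="%(wsse)s">
<saml:Assertion xmlns:saml="%(saml)s" Issuer="urn:sts.partner.example"><saml:AttributeStatement>
<saml:Attribute AttributeName="email"><saml:AttributeValue>bob@partner.example</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>
</wsse:Security></s:Header><s:Body><submitOrder/></s:Body></s:Envelope>""" % NS
```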