Web Service Security

Published @ApacheCon 2011

  1. Prabath Siriwardena – Software Architect, WSO2
  2. Plan for the session: Patterns, Standards, Implementations
  3. Recurring Problems
  4. Patterns: Authentication Patterns, Confidentiality Patterns, Authorization Patterns
  5. 1995 1997
  6. 1999
  7. 2004
  8. 2005 SAML2 Web SSO
  9. 2008/May
  10. Authentication Patterns: Direct Authentication, Brokered Authentication
  11. Direct Authentication for Web Services – Transport Level: Basic Authentication, Mutual Authentication, 2-legged OAuth
  12. Direct Authentication for Web Services – Message Level: UsernameToken Profile with WS-Security; Signing – X.509 Token Profile with WS-Security
  13. Brokered Authentication for Web Services – Transport Level: Mutual Authentication, 2-legged OAuth
  14. Brokered Authentication for Web Services – Message Level: WS-Trust / STS, Resource STS, WS-Federation; Signing – X.509 Token Profile with WS-Security; Kerberos Token Profile for WS-Security
  15. 2006/April
  16. 2006/June
  17. 2008/2009
  18. 2008/2009
  19. 2008/2009
  20. 2007/Dec
  21. 2007/Dec
  22. Authorization Patterns: Direct Authorization, Delegated Authorization
  23. Authorization Patterns: Direct Authorization, Delegated Authorization (ActAs in WS-Trust 1.4)
  24. 2005/Feb
  25. Message Level Security Solution Patterns: Message Interceptor Gateway Pattern, Trusted Sub System Pattern
  26. Message Level SOAP Security: UsernameToken Profile
  27. Message Level SOAP Security: X.509 Token Profile & Key Referencing – Key Identifiers, Direct References
  28. Message Level SOAP Security: Symmetric Binding vs Asymmetric Binding
  29. Message Level SOAP Security – WS-SecureConversation
     • WS-Security secures SOAP – it focuses on message level security
     • It focuses on a single-message authentication model
     • Each message contains everything necessary to authenticate itself
     • Suitable for coarse-grained messaging in which a single message at a time is received from the same requestor
  30. Message Level SOAP Security – WS-SecureConversation
     • What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer
     • Removes the need for each individual SOAP message to carry authentication information
     • Establishes a mutually authenticated security context in which a series of messages are exchanged
     • Uses public key encryption to exchange a shared secret, and from then on uses the shared (symmetric) key
  31. Message Level SOAP Security: WS-Trust
  32. Message Level SOAP Security: Sender Vouches – Subject Confirmation
  33. Message Level SOAP Security: Holder-of-Key – Subject Confirmation
  34. SOAP Security: WS-Security Policy – http://wso2.org/library/3132, http://wso2.org/library/3786
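Slides 29 and 30 contrast two models: the per-message WS-Security model, where every SOAP message carries everything needed to authenticate itself, and the WS-SecureConversation model, where a shared secret is established once and the messages that follow only reference the security context. The Python below is an added example, not code from the deck or from WSO2. Part 1 implements the UsernameToken Profile PasswordDigest (Base64 of SHA-1 over nonce + created + password) with a server-side nonce cache. Part 2 bootstraps a context secret from two entropies the way WS-Trust's ComputedKey/PSHA1 does and derives a fresh per-message key with P_SHA1 as the WS-SecureConversation DerivedKeyToken definition specifies. The public-key protected RST/RSTR exchange that carries the entropies is assumed to have happened and is not modelled; no SOAP envelope is built, only the security-relevant header values; the user, password and message bodies are constructed sample data.

```python
"""Added example (not from the deck or from WSO2 code) contrasting the two models
on slides 29-30. Part 1: WS-Security UsernameToken Profile PasswordDigest, where
every message carries its own proof. Part 2: a WS-SecureConversation style
security context: one shared secret bootstrapped from two entropies (WS-Trust
ComputedKey/PSHA1), then a fresh per-message key derived with P_SHA1 as the
DerivedKeyToken definition describes. Standard library only; no SOAP envelope is
built, only the security-relevant header values. All sample data is constructed."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# ---- Part 1: per-message model (UsernameToken Profile, PasswordDigest) ----

def username_token_digest(password: str, nonce: bytes, created: str) -> str:
    # PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce and created
    # travel in the clear next to the digest, so each message is self-contained.
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def make_username_token(username: str, password: str) -> dict:
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": username_token_digest(password, nonce, created)}

def verify_username_token(token: dict, password_db: dict, seen_nonces: set) -> bool:
    # Server side: recompute from the stored password and reject a replayed nonce.
    # Without the nonce cache a captured token is replayable until Created is judged stale.
    password = password_db.get(token["Username"])
    if password is None or token["Nonce"] in seen_nonces:
        return False
    expected = username_token_digest(password, base64.b64decode(token["Nonce"]), token["Created"])
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen_nonces.add(token["Nonce"])
    return True

# ---- Part 2: security context model (WS-SecureConversation DerivedKeyToken) ----

# Default label of the DerivedKeyToken definition (the string repeated twice).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    # P_SHA1 from TLS 1.0 (RFC 2246 section 5): A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    # output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..., truncated.
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def bootstrap_context(client_entropy: bytes, server_entropy: bytes, key_bytes: int = 32) -> bytes:
    # WS-Trust ComputedKey/PSHA1: context secret = P_SHA1(client entropy, server entropy).
    # The entropies are assumed to have been exchanged in the RST/RSTR under public-key
    # encryption (the bootstrap step slide 30 describes); that exchange is not modelled here.
    return p_sha1(client_entropy, server_entropy, key_bytes)

def derive_key(context_secret: bytes, nonce: bytes, offset: int, length: int,
               label: bytes = DEFAULT_LABEL) -> bytes:
    # DerivedKeyToken: key = P_SHA1(secret, label + nonce)[offset : offset + length].
    # The token carries only nonce/offset/length; the secret never appears on the wire.
    return p_sha1(context_secret, label + nonce, offset + length)[offset:offset + length]

def sign_in_context(context_secret: bytes, body: bytes) -> dict:
    # Client: fresh nonce per message, per-message key, HMAC-SHA1 over the body
    # (stand-in for an XML Signature with hmac-sha1 that references the DerivedKeyToken).
    nonce = os.urandom(16)
    key = derive_key(context_secret, nonce, 0, 16)
    return {"Nonce": nonce, "Offset": 0, "Length": 16, "Body": body,
            "Signature": hmac.new(key, body, hashlib.sha1).digest()}

def verify_in_context(context_secret: bytes, msg: dict) -> bool:
    # Server: re-derive the same key from the context secret and the token's parameters.
    key = derive_key(context_secret, msg["Nonce"], msg["Offset"], msg["Length"])
    return hmac.compare_digest(hmac.new(key, msg["Body"], hashlib.sha1).digest(), msg["Signature"])

def demo() -> dict:
    # Constructed sample: one user, then two messages inside one conversation.
    password_db = {"alice": "correct horse battery staple"}
    seen = set()
    token = make_username_token("alice", password_db["alice"])
    first_ok = verify_username_token(token, password_db, seen)
    replay_ok = verify_username_token(token, password_db, seen)   # same nonce again

    secret = bootstrap_context(os.urandom(16), os.urandom(16))
    m1 = sign_in_context(secret, b"<getQuote>IBM</getQuote>")
    m2 = sign_in_context(secret, b"<getQuote>IBM</getQuote>")
    tampered = dict(m1, Body=b"<getQuote>MSFT</getQuote>")
    return {"first_ok": first_ok, "replay_ok": replay_ok,
            "m1_ok": verify_in_context(secret, m1), "m2_ok": verify_in_context(secret, m2),
            "tampered_ok": verify_in_context(secret, tampered),
            "per_message_keys_differ": m1["Nonce"] != m2["Nonce"]
                and derive_key(secret, m1["Nonce"], 0, 16) != derive_key(secret, m2["Nonce"], 0, 16)}

if __name__ == "__main__":
    print(demo())
```

The point of the contrast: in Part 1 the credential-derived proof is recomputed for every message and the server must keep a nonce cache to stop replays, while in Part 2 the expensive public-key bootstrap happens once and each later message only carries a nonce plus offset/length, with the key itself never on the wire. Rotating the derived key per message is what makes a long conversation cheaper than re-authenticating each message without weakening it to a single static key.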
