Security Problems (and Solutions) for Service Oriented Applications
Daniel Kulp, Talend
dkulp@talend.com

© Talend 2011

My Background

J. Daniel Kulp
Talend
VP - OpenSource Development

ASF Member
PMC for CXF, Camel, WebService, Maven, Aries.
Committer for ServiceMix

What I Will Cover

SOA Security Concerns
Types of Security Problems
WS-* Solutions
REST Solutions
Apache CXF extensions
Thoughts for the future

SOA Security Concerns

Collection of Services that make up a complex application
that solves complex problems.

Primarily Web Services
  NOT just SOAP
  Includes REST

Can include other technologies like CORBA, JMS, etc...

Security Problems

Authentication
Authorization
Message Protection
  Data encryption
  Signatures
Intermediaries
Security Tokens
Performance

WS-* Solutions

“Well Defined” (OK: overly complex) specifications
WS-Security
WS-SecureConversation
WS-SecurityPolicy
WS-Trust
Etc....

WS-Security

How to sign SOAP messages to assure integrity (based on XML-DSig)

How to encrypt SOAP messages to assure confidentiality (based on
XML-Enc)

How to attach security tokens to establish the sender's identity
  X.509, Kerberos, UsernameToken, SAML

WS-SecurityPolicy

Addresses the “contract” of the security requirements

XML-based WS-Policy fragments that describe the security
requirements of the service

Contains the information about what needs to be included,
what needs to be signed, what needs to be encrypted, which
algorithms to use, etc...
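Added example, not CXF's own policy validators, of what a WS-SecurityPolicy fragment turns into on the receiving side: read the AlgorithmSuite, IncludeTimestamp, SignedParts and EncryptedParts assertions and check an incoming message's wsse:Security header against them. It is a coverage check only (which wsu:Id values the ds:Signature references, whether the Body holds xenc:EncryptedData with the suite's cipher, whether digests use the suite's hash); it does not verify the signature value or decrypt anything. The policy, the two sample envelopes and the digest/cipher table for two suites are constructed for the example.

```python
"""Enforce a WS-SecurityPolicy fragment against an incoming SOAP message.
Coverage check only: no signature verification, no decryption.
Added example, not Apache CXF's policy validators."""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# (digest, block cipher) of two WS-SecurityPolicy 1.2 algorithm suites
SUITES = {
    "Basic256Sha256": ("http://www.w3.org/2001/04/xmlenc#sha256",
                       "http://www.w3.org/2001/04/xmlenc#aes256-cbc"),
    "Basic128": ("http://www.w3.org/2000/09/xmldsig#sha1",
                 "http://www.w3.org/2001/04/xmlenc#aes128-cbc"),
}
# Constructed policy: asymmetric binding, timestamp required, Body signed and encrypted
POLICY = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""


def local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def parse_policy(policy_xml: str) -> dict:
    root = ET.fromstring(policy_xml)
    binding = root.find("sp:AsymmetricBinding/wsp:Policy", NS)
    suite = local(binding.find("sp:AlgorithmSuite/wsp:Policy/*", NS).tag)

    def parts(kind):  # sp:Body, or sp:Header with Name/Namespace attributes
        return [("Body", None) if local(p.tag) == "Body" else (p.get("Name"), p.get("Namespace"))
                for p in root.findall(f"sp:{kind}/*", NS)]
    return {"suite": suite, "timestamp": binding.find("sp:IncludeTimestamp", NS) is not None,
            "signed": parts("SignedParts"), "encrypted": parts("EncryptedParts")}


def find_part(env, name, ns):
    return env.find("soap:Body", NS) if name == "Body" else env.find(f"soap:Header/{{{ns}}}{name}", NS)


def check_message(envelope_xml: str, policy: dict) -> list:
    """Return the policy violations found (an empty list means the message conforms)."""
    env = ET.fromstring(envelope_xml)
    sec = env.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    digest_alg, enc_alg = SUITES[policy["suite"]]
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    covered = {r.get("URI", "").lstrip("#") for r in refs}
    for r in refs:
        dm = r.find("ds:DigestMethod", NS)
        if dm is None or dm.get("Algorithm") != digest_alg:
            problems.append(f"reference {r.get('URI')} does not use the {policy['suite']} digest")
    must_sign = [(name, find_part(env, name, ns)) for name, ns in policy["signed"]]
    if policy["timestamp"]:  # a required timestamp must itself be under the signature
        must_sign.append(("Timestamp", sec.find("wsu:Timestamp", NS)))
    for name, el in must_sign:
        if el is None:
            problems.append(f"{name} missing")
        elif el.get(f"{{{NS['wsu']}}}Id") not in covered:
            problems.append(f"{name} not covered by the signature")
    for name, ns in policy["encrypted"]:
        el = find_part(env, name, ns)
        enc = el.find("xenc:EncryptedData", NS) if el is not None else None
        method = enc.find("xenc:EncryptionMethod", NS) if enc is not None else None
        if enc is None:
            problems.append(f"{name} not encrypted")
        elif method is None or method.get("Algorithm") != enc_alg:
            problems.append(f"{name} not encrypted with the {policy['suite']} cipher")
    return problems


def envelope(sign_body: bool, encrypt_body: bool) -> str:
    """Constructed sample message; digest, signature and cipher values are placeholders."""
    digest, cipher = SUITES["Basic256Sha256"]
    body_ref = (f'<ds:Reference URI="#body"><ds:DigestMethod Algorithm="{digest}"/>'
                '<ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>') if sign_body else ""
    body = ('<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">'
            f'<xenc:EncryptionMethod Algorithm="{cipher}"/><xenc:CipherData>'
            '<xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>') if encrypt_body else '<getBalance xmlns="urn:demo"/>'
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="ts"><wsu:Created>2011-11-01T12:00:00Z</wsu:Created></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#ts"><ds:DigestMethod Algorithm="{digest}"/>
        <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>{body_ref}
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="body">{body}</soap:Body>
</soap:Envelope>"""


def demo():
    policy = parse_policy(POLICY)
    return check_message(envelope(True, True), policy), check_message(envelope(False, False), policy)
```

The second sample message is the gap a policy layer exists to catch: a signature that may be cryptographically valid but covers only the timestamp, leaving the Body unsigned and in the clear. Verifying the ds:SignatureValue alone would accept it; checking it against SignedParts and EncryptedParts rejects it.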

WS-Trust

Managing security tokens through a Security Token Service (STS)
  Issue, Renew, Cancel, Validate
Supports brokering trust relationships

[Diagram: STS, with Consumer, Intermediary and Provider]

WS-SecureConversation

Attempts to address the “performance problem” of the WS-Security
specifications.

XML Signature and XML Encryption with asymmetric keys are very
expensive when applied to every message. WS-SecureConversation
establishes a “session” (security context) once, after which a
cheaper symmetric key is used to protect the messages.

Extends WS-Trust
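Added example (stdlib Python, not CXF code) for the WS-Trust and WS-SecureConversation slides: the P_SHA1 function both specs rely on, the WS-Trust PSHA1 computed key that client and STS derive from the entropy they exchange, and WS-SecureConversation derived keys (P_SHA1 over Label + Nonce, sliced at Offset = Generation * Length) used to HMAC each message over the established context instead of signing it with RSA. The SecurityContext class, the message dict and the entropy values are assumptions standing in for the RST/RSTR exchange and the wsc:DerivedKeyToken element.

```python
"""Session key set-up as WS-Trust and WS-SecureConversation specify it, then
symmetric per-message protection over the security context. Added example
(stdlib only), not Apache CXF code. Entropy values, nonces and the message
layout are constructed stand-ins for the RST/RSTR and DerivedKeyToken XML."""
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 PRF: A(i) = HMAC(secret, A(i-1)) with A(0) = seed,
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(client_entropy: bytes, service_entropy: bytes, key_size_bits=256) -> bytes:
    """WS-Trust ComputedKey/PSHA1: key = P_SHA1(EntClient, EntService, KeySize)."""
    return p_sha1(client_entropy, service_entropy, key_size_bits // 8)


LABEL = b"WS-SecureConversationWS-SecureConversation"  # default DerivedKeyToken label


def derived_key(secret: bytes, nonce: bytes, generation: int, length=24) -> bytes:
    """WS-SecureConversation DerivedKeyToken: bytes [Offset, Offset+Length) of
    P_SHA1(secret, Label + Nonce), with Offset = Generation * Length."""
    offset = generation * length
    return p_sha1(secret, LABEL + nonce, offset + length)[offset:]


class SecurityContext:
    """One party's view of an established security context. Every message gets
    its own derived key and an HMAC-SHA1 over the body; the context secret
    itself never touches the wire."""

    def __init__(self, context_secret: bytes):
        self.secret = context_secret
        self.generation = 0
        self.seen = set()  # (nonce, generation) pairs already accepted

    def protect(self, body: bytes) -> dict:
        nonce = os.urandom(16)
        key = derived_key(self.secret, nonce, self.generation)
        msg = {"body": body, "nonce": nonce, "generation": self.generation,
               "mac": hmac.new(key, body, hashlib.sha1).digest()}
        self.generation += 1
        return msg

    def verify(self, msg: dict) -> bool:
        if (msg["nonce"], msg["generation"]) in self.seen:
            return False  # replay of a derived key that was already accepted
        key = derived_key(self.secret, msg["nonce"], msg["generation"])
        expected = hmac.new(key, msg["body"], hashlib.sha1).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        self.seen.add((msg["nonce"], msg["generation"]))
        return True


def demo():
    """Both sides derive the same context secret from the entropy exchanged in
    the RST/RSTR; then a valid, a tampered and a replayed message."""
    client_entropy, service_entropy = os.urandom(32), os.urandom(32)
    client = SecurityContext(computed_key(client_entropy, service_entropy))
    service = SecurityContext(computed_key(client_entropy, service_entropy))
    msg = client.protect(b"<getBalance account='42'/>")
    accepted = service.verify(msg)
    tampered = service.verify(dict(msg, body=b"<getBalance account='43'/>"))
    replayed = service.verify(msg)
    return accepted, tampered, replayed
```

The expensive asymmetric work happens once, when the context is established through WS-Trust; after that every message costs two HMACs and a short PRF expansion. The derived-key nonce and generation are sent in the clear, which is fine because the context secret is what gives them meaning; the receiver must still refuse a (nonce, generation) pair it has already accepted.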

WS-* Summary

Addresses most of the security problems (performance may be
the exception)

Very complex

Several “Profiles” defined to attempt to clarify and simplify
things

Apache CXF – WS-*

Covers the WS-* stuff very well
Very well tested
Very actively developed
Highly interoperable
High performance (relative)
New in 2.5.0 is an Enterprise Ready Security Token Service

REST

HTTPS

Basic Authentication
NTLM/Digest Authentication

OAuth

Really, very few “standards”

Apache CXF - REST

JAX-RS
OAuth 1.0 Flows
XML Message Protection
  Enveloped
  Enveloping
  Detached
SAML
  Auth Header
  Token in Message
  Form value
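Added example (not CXF's OAuth module) of what the OAuth 1.0 flows in the list above rest on: HMAC-SHA1 request signing as RFC 5849 specifies it, on the client and on the resource server. The signature binds method, URL and parameters to the consumer and token secrets, so unlike Basic authentication a captured Authorization header cannot be reused for a different request; the server additionally bounds the timestamp and caches nonces so it cannot be reused for the same one. Credentials, the request URL and the ResourceServer class are constructed for the example.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and service-side verification.
Added example (stdlib only), not Apache CXF's OAuth code. Credentials and the
request below are constructed for the example."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def enc(value) -> str:
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URL) & enc(normalized parameters). Parameters are the
    query string plus the oauth_* (and any form) params, minus oauth_signature."""
    u = urlsplit(url)
    default = (u.scheme.lower(), u.port) in (("http", 80), ("https", 443))
    port = "" if u.port is None or default else f":{u.port}"
    base_url = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path or '/'}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    return "&".join((method.upper(), enc(base_url), enc(normalized)))


def sign(method, url, params, consumer_secret, token_secret="") -> str:
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorization_header(method, url, consumer_key, consumer_secret,
                         token, token_secret, now=None, nonce=None) -> str:
    """Client side: the Authorization: OAuth header for one request."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
             "oauth_timestamp": str(int(now if now is not None else time.time())),
             "oauth_nonce": nonce or secrets.token_hex(8)}
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth.items()))


def parse_header(header: str) -> dict:
    if not header.startswith("OAuth "):
        return {}
    out = {}
    for item in header[6:].split(","):
        k, _, v = item.strip().partition("=")
        if k != "realm":  # realm is carried in the header but is not signed
            out[unquote(k)] = unquote(v.strip('"'))
    return out


class ResourceServer:
    """Service side: recompute the signature with the stored secrets, bound the
    timestamp, and refuse a (consumer, timestamp, nonce) triple seen before."""

    def __init__(self, consumers: dict, tokens: dict, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen = set()

    def verify(self, method, url, header, now=None):
        now = int(now if now is not None else time.time())
        oauth = parse_header(header)
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False, "unknown consumer"
        token_secret = self.tokens.get(oauth.get("oauth_token"), "")
        expected = sign(method, url, oauth, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
            return False, "bad signature"
        key = (oauth["oauth_consumer_key"], ts, oauth.get("oauth_nonce"))
        if key in self.seen:
            return False, "nonce replayed"
        self.seen.add(key)
        return True, key[0]


def demo():
    """A good request, the same header on a request with a tampered query, and a replay."""
    server = ResourceServer({"ck-demo": "cs-demo"}, {"tok-demo": "ts-demo"})
    url = "https://photos.example.net/photos?file=vacation.jpg&size=original"
    header = authorization_header("GET", url, "ck-demo", "cs-demo", "tok-demo", "ts-demo",
                                  now=1320148800)
    ok = server.verify("GET", url, header, now=1320148800)
    tampered = server.verify("GET", url.replace("original", "thumb"), header, now=1320148800)
    replayed = server.verify("GET", url, header, now=1320148800)
    return ok, tampered, replayed
```

Two details trip up real deployments and are handled above: the base URL is normalized (scheme and host lowercased, default ports dropped) before signing, so client and server must agree on that normalization or every signature fails; and the timestamp window is what keeps the nonce cache bounded, since a nonce only has to be remembered for as long as its timestamp is still acceptable.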

Future Work

OAuth 2.0
Single Sign-On / SAML
SAML for Bearer token in OAuth 2.0 flows
Performance (Streaming)
WS-Federation for SSO
Apache Fediz proposal to the Incubator

More Information

CXF - http://cxf.apache.org
Distribution contains several security samples

Talend – http://talend.com
Talend ESB has several code examples, tech notes and webinars
covering security topics

Blogs – http://coders.talend.com
Colm - http://coheigea.blogspot.com/
Glen - http://www.jroller.com/gmazza/
Sergey - http://sberyozkin.blogspot.com/

Contact

    Daniel Kulp
    dkulp@talend.com
    http://dankulp.com/blog
    @DanKulp on Twitter

Thank You


Apache CXF Security Solutions