This document summarizes a round table discussion about securing web services and applications. The group discussed using WS-Security, WS-Trust and WS-Security Policy to implement message-level security including authentication, encryption and signatures. They also talked about enforcing security policies using a message interceptor gateway pattern and validating designs and requests. Finally, the discussion covered securing the front end using OpenID and InfoCards for single sign-on, and giving external users access to web portals and applications in a trusted subsystem.
Leveraging Open Source Integration with WSO2 Enterprise Service Bus, by WSO2
This presentation by Sumedha Rubasinghe at AFITC 2009 (Air Force Information Technology Conference, August 24 - 27, 2009, Montgomery, Alabama) covered how you can deploy enterprise integration faster and more easily with the WSO2 ESB.
WSO2 provides a state-of-the-art, standards-based, scalable and complete platform solution to the problem of building software in this new environment. As an open source company, WSO2 is committed to providing the hooks and openness that allow anyone to insert their own customizations and special needs into the platform.
The presentation given by Pawel Glowacki was part of the event organized by Softline Romania, as distributor, and Embarcadero on 5 September at the Howard Johnson hotel in Bucharest, as part of the RAD Studio XE5 Tech Preview World Tour.
The WSO2 Gadget Server is an Enterprise Information Portal, providing a framework built on top of the Google Gadget Specification that helps enterprises organize information in their SOA across organizational boundaries.
State-of-the-Art in Web Services Federation, by Oliver Pfaff
With respect to the enablement of federated identity, Web services have advantages over traditional Web applications because Web services technologies natively support the externalization of subject authentication in a standard way. This is facilitated through dedicated security services provided by the infrastructure (WS-Trust STSs). However, when it comes to advanced identity federation use cases demanding more sophisticated federation features, Web services also suffer from a scattered technology landscape not easily accessible for non-experts. This landscape at least comprises WS-Federation, Liberty-Alliance ID-WSF and OASIS WSFED. This contribution investigates these Web services federation technologies. It uses a healthcare use case that demands sophisticated features in identity federation to pinpoint their capabilities. Moreover, it considers the identity federation enablement features of common Web services stacks, e.g. Apache Axis, Microsoft WCF and Sun Metro. This aims at providing a compass for those who are charged with architecting, designing and building identity federation solutions in Web services environments: Which technologies are out there? What are they good for? How are they supported in Web services stacks?
CommCon 2023 - WebRTC & Video Delivery application security - what could poss..., by Sandro Gauci
WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage, which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handle WebRTC can be attacked. They may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications, with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!
SSL Implementation - IBM MQ - Secure Communications, by nishchal29
Presenting the basics of SSL/TLS and the use of the SSL protocol to secure IBM MQ channels: secure communications between two queue managers with various test cases, between an application and a queue manager, errors, and certificate renewal.
A presentation about how we can make the Internet hard to monitor - how we can and should encrypt more communication. This version includes a presentation of the TLS protocol.
Changes in 2.2: Added quotes from Viktor Dukhovni's IETF RFC 7435 about Opportunistic Security
White paper - Full SSL automation with OneClickSSL, by GlobalSign
SSL Automation from application to installation
GlobalSign has designed, developed and patented OneClickSSL™, a revolutionary technology that simplifies the process from SSL application to installation with levels of automation previously considered impossible – eliminating support fees and minimizing time spent supporting customers.
Learn how the OneClickSSL technology works, the deployment options and use cases and how to generate new revenues with OneClickSSL.
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica..., by petarvucetin
• Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.
The tools at our disposal today for deploying HTTPS are tremendously powerful, and easy to use. Initiatives like Let's Encrypt offer certificates, and new security policies like HSTS and HPKP allow you to protect against extremely powerful attacks. HTTPS, Here and Now!
This was an invited talk at the ICT Security Happening, organized by the VDAB Competence Center in Leuven.
Microservices architecture is becoming a prominent design principle and a service development methodology, and we have now started to see many microservices in production. Yet security is a less considered aspect: most of the time development teams focus on edge security, but due to the distributed and disposable nature of microservices it is equally important to pay attention to securing service-to-service communication, both during transmission and when sharing end-user context among services, in order to cover the vast attack surface.
Find out how the Xero Cloud Security team deals with the accelerated pace of security brought about by cloud innovation occurring at Xero as they migrate “all-in” into the AWS cloud. Xero will share the Cloud Security team’s journey to the cloud, key success and learning points, as well as how they worked with Bulletproof to implement automated, repeatable and on-demand security with AWS that works at any scale. You will leave this session with actionable real-world knowledge & how to achieve AWS security posture best practices at minimal cost while delivering high value.
Identity, Security, and XML Web Services -- The Importance of Interoperable S..., by Jorgen Thelin
Abstract
The use of security credentials and the concepts of single-sign-on and "identity" will play a big part in Web Service products as the technology matures and developers start writing true enterprise-grade line-of-business applications. The emerging XML security standards such as SAML are reviewed, along with the various "identity" standards such as Passport and Liberty, to provide an overview of the evolution of Web Service platform products to support these. This paper examines just how "identity aware" Web Service implementations need to be, and the value a Web Services platform can add in masking developers from the complexity in this area. Lessons are drawn from the experience of using EJB security technology for real-world security scenarios.
Accelerate Enterprise Software Engineering with Platformless, by WSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform, by WSO2
At its core, the challenge of managing Human Resources data is an integration challenge: estimates range from 2-3 HR systems in use at a typical SMB, up to a few dozen systems implemented amongst enterprise HR departments, and these systems seldom integrate seamlessly between themselves. Providing a multi-tenant, cloud-native solution to integrate these hundreds of HR-related systems, normalize their disparate data models and then render that consolidated information for stakeholder decision making has been a substantial undertaking, but one significantly eased by leveraging Ballerina. In this session, we’ll cover:
The overall software architecture for VHR’s Cloud Data Platform
Critical decision points leading to adoption of Ballerina for the CDP
Ballerina’s role in multiple evolutionary steps to the current architecture
Roadmap for the CDP architecture and plans for Ballerina
WSO2’s partnership in bringing continual success for the CD
The integration landscape is changing rapidly with the introduction of technologies like GraphQL, gRPC, stream processing, iPaaS, and platformless. However, not all existing applications and industries can keep up with these new technologies. Certain industries, like manufacturing, logistics, and finance, still rely on well-established EDI-based message formats. Some applications use XML or CSV with file-based communications, while others have strict on-premises deployment requirements. This talk focuses on how Ballerina's built-in integration capabilities can bridge the gap between "old" and "new" technologies, modernizing enterprise applications without disrupting business operations.
Platformless Horizons for Digital Adaptability, by WSO2
In this keynote, Asanka Abeysinghe, CTO, WSO2, will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.
Quantum computers are rapidly evolving and are promising significant advantages in domains like machine learning or optimization, to name but a few areas. In this keynote we sketch the underpinnings of quantum computing, show some of the inherent advantages, highlight some application areas, and show how quantum applications are built.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Removing Uninteresting Bytes in Software Fuzzing, by Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf, by 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor..., by Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: The Art of Triggers and Actions in FME, by Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf, by Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Generative AI Deep Dive: Advancing from Proof of Concept to Production, by Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Climate Impact of Software Testing at Nordic Testing Days, by Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Oscon 2009
1. OSCON, July 20 – 24, 2009, San Jose, California
The Secured Enterprise: Leverage OpenID with Web Services
Prabath Siriwardena
Technical Lead & Product Manager
WSO2
2. WSO2 is an innovative Open Source technology company devoted to building Web services middleware for your SOA. Offering leading products, support and other services, WSO2 was founded in August 2005. It is a global corporation with offices located in USA, UK and Sri Lanka.
6. ROUND TABLE DISCUSSION
What do we need to secure…
7. ROUND TABLE DISCUSSION
We have a bunch of services already developed and some under development….
8. ROUND TABLE DISCUSSION
Yes…. we need to make sure all the data transferred is secured….
9. ROUND TABLE DISCUSSION
How about securing data transfer between the service and the client through HTTPS….
10. ROUND TABLE DISCUSSION
HTTPS is not bad… but it still has certain limitations…
11. NOTES…… HTTPS
- Transport-level encryption
- Point to point
- Entire message needs to be encrypted
- Adds less weight to the message payload
- Applies only to HTTP
20. ROUND TABLE DISCUSSION
Can we make sure we interoperate with the rest…
21. ROUND TABLE DISCUSSION
Yes… we need not reinvent the wheel… what is the standard to achieve C-I-A with message-level security…?
22. NOTES…… WS-SECURITY
- Defines how to achieve confidentiality, integrity and authentication with SOAP messages
- Does not define a new security technology; only focuses on applying existing security technologies to SOAP messages
23. ROUND TABLE DISCUSSION
The UsernameToken defined in WS-Security enables us to authenticate users with username/password…
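An added example, not from the slides or from WSO2, of what the UsernameToken exchange looks like in practice: the client builds the token with a PasswordDigest (Base64 of SHA-1 over nonce + created + password, as the OASIS Username Token Profile defines it) and the service recomputes the digest and also rejects stale and replayed tokens. The user names, passwords and timestamps are constructed sample values, and the in-memory password dict stands in for a user store such as the LDAP directory on slide 81.

```python
"""
WS-Security UsernameToken with PasswordDigest, as defined in the OASIS
Username Token Profile: digest = Base64(SHA-1(nonce + created + password)).
The clear-text password never travels; the service recomputes the digest from
its own copy and also rejects stale or replayed tokens.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
NS = {"wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as the profile specifies."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, now=None, nonce=None) -> str:
    """Client side: a wsse:UsernameToken element with a fresh nonce and timestamp."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f'<wsse:Nonce EncodingType="{B64}">'
        f'{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Service side: digest check plus a freshness window and a nonce replay cache.
    `passwords` is a constructed stand-in for the user store."""

    def __init__(self, passwords: dict, max_skew=timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen = {}  # nonce -> Created time, for replay detection

    def verify(self, token_xml: str, now=None) -> str:
        """Returns the authenticated username, or raises ValueError."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            raise ValueError("only PasswordDigest with Nonce and Created is accepted")
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            raise ValueError("Created is outside the freshness window")
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen:
            raise ValueError("nonce already used: replay")
        password = self.passwords.get(username)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            raise ValueError("password digest mismatch")
        self.seen[nonce] = created_at
        self._forget_expired(now)
        return username

    def _forget_expired(self, now):
        """A nonce older than the freshness window can no longer be replayed."""
        for n, t in list(self.seen.items()):
            if now - t > self.max_skew:
                del self.seen[n]
```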
27. NOTES…… SHARED KEY
- A shared key for both encryption and decryption
- Can operate on large plain-text messages
- Uses public key encryption to manage shared key distribution securely
- Fast
28. NOTES…… KEY WRAPPING
- The client and the service need not both have a certificate
- A shared key is derived through the service’s certificate
- Further communication is encrypted with the derived shared key
41. NOTES…… TRUSTING PARTNERS
- We need not authenticate individual external users
- We only TRUST external partners
- All the requests coming through external users need to be signed by the corresponding partner companies
- Only the requests signed by TRUSTED partners will be let in
42. ROUND TABLE DISCUSSION
…also our users need access to external systems.. out of our domain….
43. ROUND TABLE DISCUSSION
That is exactly the other side of what we just discussed.. We need to maintain an internal STS
44. NOTES…… STS
- All the requests going outside from internal users need to have a security token issued by the internal STS
- Internal users should authenticate themselves with the internal STS prior to obtaining a security token
- External services need to trust our STS
45. NOTES……
[Layered standards diagram: WS-Trust sits on top of WS-Security, which in turn builds on the Username Token Profile, the X.509 Token Profile, XML Signature and XML Encryption]
46. ROUND TABLE DISCUSSION
Now… the question is how are we going to communicate our security requirements to the rest…
47. ROUND TABLE DISCUSSION
Let’s first list the security requirements…..
48. SECURITY REQUIREMENTS
Internal users should authenticate with user name / password when accessing services directly
49. SECURITY REQUIREMENTS
External users should present a security token from a trusted STS
50. SECURITY REQUIREMENTS
An email address should be present in the security token that comes with the external users.
51. SECURITY REQUIREMENTS
Only some parts of the message need to be encrypted.
57. NOTES…… WS-SECURITY POLICY
- Used to express the security requirements of a Web service: what needs to be protected, what tokens to use, algorithms, reference types, etc.
- Security policies can be defined at the binding level or the operation level
72. NOTES…… MESSAGE INTERCEPTOR GATEWAY PATTERN
- Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
- Helps to apply transport-level and message-level security mechanisms required for securely communicating with a Web services endpoint.
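An added example, not from the slides or from WSO2’s code, of what the gateway’s centralized policy enforcement amounts to for the security requirements listed on slides 48 to 51: a UsernameToken for internal users, an issued token from a trusted STS carrying an email claim for external users, and a body whose protected part must arrive encrypted. The STS issuer names, the protected element and both sample envelopes are constructed; verification of the partner’s signature and of the password digest is assumed to be done by the authentication module behind this check.

```python
"""
Policy enforcement at a message interceptor gateway: the security requirements
from slides 48-51, checked on an incoming SOAP envelope before it is forwarded
to a service that sits behind the gateway and is not reachable directly.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "saml": SAML, "xenc": XENC, "ds": DSIG}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Constructed deployment values: the STSs whose tokens we accept and the body
# element that must never cross the gateway in clear text.
TRUSTED_STS = {"urn:sts.partner-a.example", "urn:sts.partner-b.example"}
PROTECTED_ELEMENT = "{urn:example:orders}CardNumber"


class PolicyViolation(Exception):
    """The request does not satisfy the gateway's security policy."""


def _check_internal(token):
    """Slide 48: internal users authenticate with username/password."""
    username = token.findtext("wsse:Username", namespaces=NS)
    password = token.find("wsse:Password", NS)
    if not username or password is None:
        raise PolicyViolation("UsernameToken lacks Username or Password")
    if password.get("Type") != DIGEST_TYPE:
        raise PolicyViolation("clear-text PasswordText is not accepted")
    # Validating the digest itself is the authentication module's job.
    return {"caller": "internal", "principal": username}


def _check_external(assertion):
    """Slides 49-50: a token issued by a trusted STS, carrying an email claim."""
    issuer = assertion.get("Issuer")
    if issuer not in TRUSTED_STS:
        raise PolicyViolation(f"token issuer not trusted: {issuer!r}")
    # Verifying the partner's XML Signature is left to the authentication
    # module; the gateway at least refuses assertions that carry none.
    if assertion.find("ds:Signature", NS) is None:
        raise PolicyViolation("issued token is not signed")
    email = None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == EMAIL_CLAIM:
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not email:
        raise PolicyViolation("email claim missing from issued token")
    return {"caller": "external", "principal": email, "issuer": issuer}


def _check_encrypted_parts(root):
    """Slide 51: only some parts are encrypted, but the protected element
    must arrive as xenc:EncryptedData, never in clear text."""
    body = root.find("soap:Body", NS)
    if body is None:
        raise PolicyViolation("no soap:Body")
    if body.find(".//" + PROTECTED_ELEMENT) is not None:
        raise PolicyViolation("protected element sent in clear text")
    if body.find(".//xenc:EncryptedData", NS) is None:
        raise PolicyViolation("no encrypted part in body")


def enforce_policy(envelope_xml: str) -> dict:
    """Single entry point: returns the caller context to hand to the service,
    or raises PolicyViolation, in which case the gateway drops the request."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise PolicyViolation("no wsse:Security header")
    _check_encrypted_parts(root)
    token = security.find("wsse:UsernameToken", NS)
    if token is not None:
        return _check_internal(token)
    assertion = security.find("saml:Assertion", NS)
    if assertion is not None:
        return _check_external(assertion)
    raise PolicyViolation("no recognised security token")


# Constructed sample: request from an external partner user.
EXTERNAL_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE}">
<saml:Assertion xmlns:saml="{SAML}" Issuer="urn:sts.partner-a.example">
<saml:AttributeStatement><saml:Attribute AttributeName="{EMAIL_CLAIM}">
<saml:AttributeValue>bob@partner-a.example</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement>
<ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
</saml:Assertion></wsse:Security></soap:Header>
<soap:Body><o:Order xmlns:o="urn:example:orders"><o:Item>book</o:Item>
<xenc:EncryptedData xmlns:xenc="{XENC}"><xenc:CipherData>
<xenc:CipherValue>AAECAw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
</o:Order></soap:Body></soap:Envelope>"""
# Constructed sample: request from an internal user.
INTERNAL_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
<wsse:Username>alice</wsse:Username>
<wsse:Password Type="{DIGEST_TYPE}">Zm9v</wsse:Password>
</wsse:UsernameToken></wsse:Security></soap:Header>
<soap:Body><o:Order xmlns:o="urn:example:orders">
<xenc:EncryptedData xmlns:xenc="{XENC}"><xenc:CipherData>
<xenc:CipherValue>AAECAw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
</o:Order></soap:Body></soap:Envelope>"""
```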
73. NOTES…… MIG - IMPLEMENTATION
- All the services can be deployed inside WSO2 Web Services Application Server [WSAS] – not publicly accessible
- An open source web services engine powered by Apache Axis2
81. NOTES…… MIG - IMPLEMENTATION
[Architecture diagram: the gateway’s Authentication Module and Authorization Module (PEP) sit in front of Service A, Service B and Service C; the gateway consults LDAP, an STS, a PAP and a PDP]
82. NOTES…… WSO2 IDENTITY SERVER
- Claim-based security token service: maps user attributes to defined claims, which can be used to enable identity federation with claim-aware web services.
- XACML Policy Administration Point & Policy Decision Point