OSCON, July 20 – 24, 2009, San Jose, California

The Secured Enterprise: Leverage OpenID with Web Services

Prabath Siriwardena
Technical Lead & Product Manager, WSO2
WSO2 is an innovative Open Source technology company
devoted to building Web services middleware for your
SOA. Offering leading products, support and other
services, WSO2 was founded in August 2005. It is a
global corporation with offices located in USA, UK
and Sri Lanka.
40,000,000 credit card numbers stolen

Security needs to be by design, NOT an afterthought.
ROUND TABLE DISCUSSION

"What do we need to secure…"

"We have a bunch of services already developed and some under development…"

"Yes… we need to make sure all the data transferred is secured…"

"How about securing the data transfer between the service and the client with HTTPS…"

"HTTPS is not bad… but it still has certain limitations…"
NOTES…… HTTPS

Transport-level encryption

- Point to point: protection ends at each TLS endpoint, so any intermediary that terminates TLS (a proxy, gateway or ESB) sees the plaintext
- The entire message is encrypted; there is no way to protect only the sensitive parts
- Adds little weight to the message payload
- Applies only to HTTP: once the message leaves the HTTPS connection (stored, queued or forwarded over another transport) it is no longer protected
ROUND TABLE DISCUSSION

"How about message-level security?"

NOTES…… MESSAGE LEVEL SECURITY

End to end

- Parts of the message can be encrypted (or signed) selectively; the rest stays readable for intermediaries that need to route on it
- Adds more weight to the message payload
- Transport independent: the protection travels with the message, whether it goes over HTTP, JMS or SMTP or sits in a store
ROUND TABLE DISCUSSION

"Yes… let's finalize on message-level security…"

"How can we use message-level security to protect our services…"

NOTES…… C-I-A

Confidentiality
Integrity
Authentication

(In this deck the A stands for authentication, the property WS-Security provides, rather than availability as in the classic triad.)

NOTES…… CONFIDENTIALITY

The assurance that a message has not been read by anyone other than the intended reader.

NOTES…… INTEGRITY

The assurance that data is complete and accurate, i.e. that it has not been altered in transit.

NOTES…… AUTHENTICATION

The verification of a claimed identity.
ROUND TABLE DISCUSSION

"Can we make sure we interoperate with the rest…"

"Yes… we need not reinvent the wheel… what is the standard to achieve C-I-A with message-level security…?"

NOTES…… WS-SECURITY

Defines how to achieve confidentiality, integrity and authentication with SOAP messages.

Does not define a new security technology; it only focuses on applying existing security technologies (XML Signature, XML Encryption, security tokens) to SOAP messages.
ROUND TABLE DISCUSSION

"The UsernameToken defined in WS-Security lets us authenticate users with a username/password…"

NOTES…… USERNAMETOKEN

    <wsse:UsernameToken wsu:Id="Example-1">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
    </wsse:UsernameToken>

The Password Type is either PasswordText (the plaintext password, acceptable only over an encrypted channel) or PasswordDigest, in which case the Nonce and Created values are mixed into the digest and the service must reject reused nonces and stale Created timestamps to stop replay.
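The UsernameToken digest as a service would actually verify it. This is an added example, not code from the slides or from WSO2; it implements the PasswordDigest formula from the WS-Security UsernameToken Profile 1.0 and adds the two checks the profile leaves to the implementer, a freshness window on Created and a single-use nonce cache. The window sizes, the user database and the sample credentials are assumptions.

```python
"""UsernameToken with PasswordDigest: build on the client, verify on the service.

Added example, not code from the slides or from WSO2. The digest follows the
WS-Security UsernameToken Profile 1.0:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
with nonce as the raw (base64-decoded) bytes and created/password as UTF-8.
The freshness window, nonce-cache lifetime and the allowed clock skew are
assumed operational values, not from the slides.
"""
import base64
import binascii
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FRESHNESS_WINDOW = timedelta(minutes=5)   # assumption: reject Created older than this
FUTURE_SKEW = timedelta(minutes=1)        # assumption: tolerate slightly fast client clocks
NONCE_CACHE_TTL = FRESHNESS_WINDOW + FUTURE_SKEW  # beyond this the freshness check rejects anyway
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"           # wsu:Created is an xsd:dateTime in UTC


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)) as defined by the profile."""
    raw = base64.b64decode(nonce_b64, validate=True)
    raw += created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh random nonce, current time, digest instead of the password."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.astimezone(timezone.utc).strftime(TIME_FMT)
    return {
        "Username": username,
        "PasswordType": "PasswordDigest",
        "Password": password_digest(nonce_b64, created, password),
        "Nonce": nonce_b64,
        "Created": created,
    }


class UsernameTokenVerifier:
    """Service side. Holds the users' passwords, as the slides assume for internal users."""

    def __init__(self, credentials: dict):
        self._credentials = credentials   # username -> password
        self._seen_nonces = {}            # nonce -> time after which it may be forgotten

    def verify(self, token: dict, now: datetime):
        """Return (accepted, reason). Each rejection has its own reason for logging."""
        self._forget_old_nonces(now)
        if token.get("PasswordType") != "PasswordDigest":
            return False, "only PasswordDigest is accepted"
        password = self._credentials.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token.get("Created", ""), TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if created > now + FUTURE_SKEW:
            return False, "Created is in the future"
        if now - created > FRESHNESS_WINDOW:
            return False, "Created is too old"
        nonce = token.get("Nonce", "")
        if not nonce:
            return False, "missing Nonce"
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        try:
            expected = password_digest(nonce, token["Created"], password)
        except (binascii.Error, ValueError):
            return False, "malformed Nonce"
        if not hmac.compare_digest(expected.encode("ascii"), token.get("Password", "").encode("utf-8")):
            return False, "digest mismatch"
        # Record the nonce only once the token has fully verified; it stays
        # recorded until the freshness window alone would reject a replay.
        self._seen_nonces[nonce] = now + NONCE_CACHE_TTL
        return True, "ok"

    def _forget_old_nonces(self, now: datetime):
        for nonce, forget_after in list(self._seen_nonces.items()):
            if forget_after <= now:
                del self._seen_nonces[nonce]
```

The order of checks matters: Created is validated before the nonce cache is consulted, so the cache only ever has to remember nonces for one freshness window, and the digest is compared in constant time so a wrong password cannot be detected byte by byte.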
ROUND TABLE DISCUSSION

"WS-Security brings XML Encryption to enable confidentiality in SOAP messages…"

NOTES…… ENCRYPTION

Shared key
Key wrapping

NOTES…… SHARED KEY

- The same (symmetric) key is used for both encryption and decryption
- Can operate on large plaintext messages
- Fast
- The difficulty is distributing the shared key securely; public-key encryption is used for that (see key wrapping)

NOTES…… KEY WRAPPING

- Only the service needs a certificate; the client does not
- The client generates a fresh shared (session) key and wraps it, i.e. encrypts it with the public key from the service's certificate, so only the service can unwrap it
- The message content is then encrypted with the shared key, and the wrapped key travels with it in the WS-Security header as xenc:EncryptedKey
ROUND TABLE DISCUSSION

"Integrity comes through XML Signature…"

NOTES…… SIGNATURE

- Integrity: any change to the signed parts invalidates the signature
- Non-repudiation: when the signature is made with the sender's private key, only the holder of that key could have produced it
- Authentication of the signer follows from the X.509 token the signature references

NOTES…… WS-SECURITY

WS-Security builds on:
  XML Signature | XML Encryption | Username Token Profile | X.509 Token Profile
ROUND TABLE DISCUSSION

"Okay… now all our services are secured with WS-Security… What is next?"

"We need to decide who should be given access to our services…"

"Definitely all the internal users…"

"…also some of our partner companies…"

"Okay… we can easily authenticate internal users with UsernameToken, since we have their credentials internally…"

"But we don't maintain credentials of external users coming from our partner companies…"

"We need not maintain external user credentials… we only need to trust our partners…"

"…and that is what WS-Trust does…"
NOTES…… WS-TRUST

NOTES…… TRUSTING PARTNERS

- We need not authenticate individual external users
- We only TRUST external partners, i.e. their security token services (STS)
- All requests from external users must carry a security token issued and signed by the corresponding partner company's STS
- Only requests carrying a token signed by a TRUSTED partner are let in; the signature is checked against the partner's certificate in our trust store, so nobody else can mint acceptable tokens

ROUND TABLE DISCUSSION

"…also our users need access to external systems… outside our domain…"

"That is exactly the other side of what we just discussed… we need to maintain an internal STS"

NOTES…… STS

- All requests going outside from internal users need to carry a security token issued by the internal STS
- Internal users authenticate themselves to the internal STS before obtaining a security token (the WS-Trust RequestSecurityToken / RequestSecurityTokenResponse exchange)
- External services need to trust our STS
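The trust decision a service (or the gateway in front of it) makes on a partner-issued token, as an added example; it is not code from the slides or from WSO2. WS-Trust tokens are XML (usually SAML assertions) signed with XML-Signature under the partner STS's X.509 key. To stay runnable with the standard library alone, the token here is a small dict and the signature is HMAC-SHA256 with a per-issuer key from the trust store; what the example demonstrates is the order and content of the checks, which is the same: trusted issuer first, then signature, then validity window, audience and the required e-mail claim. Issuer URLs, keys, lifetime and clock skew are assumptions.

```python
"""Admitting a request on the strength of a token issued by a trusted partner STS.

Added example, not code from the slides or from WSO2 Identity Server. The
signature is an HMAC stand-in for the XML-Signature/X.509 used by WS-Trust;
the trust store maps issuer -> verification key, exactly as it would map
issuer -> certificate. Issuer URLs, keys and the clock skew are assumed.
"""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)   # assumption: tolerated drift between STS and service
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def _signing_input(body: dict) -> bytes:
    """Canonical bytes to sign. XML-Signature uses C14N for this; sorted compact JSON plays that role here."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_token(issuer: str, issuer_key: bytes, subject: str, claims: dict,
                audience: str, now: datetime, lifetime=timedelta(minutes=10)) -> dict:
    """What the partner's STS does after authenticating its own user."""
    body = {
        "issuer": issuer,
        "subject": subject,
        "claims": claims,
        "audience": audience,                       # WS-Trust carries this as wsp:AppliesTo
        "not_before": now.isoformat(),
        "not_on_or_after": (now + lifetime).isoformat(),
    }
    sig = hmac.new(issuer_key, _signing_input(body), hashlib.sha256).digest()
    return {"body": body, "signature": base64.b64encode(sig).decode("ascii")}


class TokenValidator:
    """What our service (or the gateway in front of it) does with an incoming token."""

    def __init__(self, trusted_issuers: dict, audience: str, required_claims):
        self._trusted = trusted_issuers        # issuer -> verification key (the trust store)
        self._audience = audience
        self._required = list(required_claims)

    def validate(self, token: dict, now: datetime):
        body = token.get("body")
        if not isinstance(body, dict):
            return False, "malformed token"
        key = self._trusted.get(body.get("issuer"))
        if key is None:
            return False, "untrusted issuer"           # we trust partners, not arbitrary signers
        try:
            given = base64.b64decode(token.get("signature", ""), validate=True)
            expected = hmac.new(key, _signing_input(body), hashlib.sha256).digest()
        except (binascii.Error, ValueError, TypeError):
            return False, "malformed token"
        if not hmac.compare_digest(expected, given):
            return False, "bad signature"
        # Nothing in body is trusted until the signature has checked out.
        try:
            not_before = datetime.fromisoformat(body["not_before"])
            not_on_or_after = datetime.fromisoformat(body["not_on_or_after"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed validity period"
        if now + CLOCK_SKEW < not_before:
            return False, "not yet valid"
        if now - CLOCK_SKEW >= not_on_or_after:
            return False, "expired"
        if body.get("audience") != self._audience:
            return False, "token was issued for another service"
        claims = body.get("claims") or {}
        missing = [c for c in self._required if c not in claims]
        if missing:
            return False, "missing claim: " + ", ".join(missing)
        return True, "ok"
```

Two points a practitioner should carry over to the XML version: the issuer is looked up in the trust store before the signature is verified, so a token from an unknown STS never gets its signature evaluated against a key the attacker chose, and the audience check stops a token a partner issued for one of our services from being replayed against another.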
NOTES……

WS-Trust builds on WS-Security, which builds on:
  XML Signature | XML Encryption | Username Token Profile | X.509 Token Profile
ROUND TABLE DISCUSSION

"Now… the question is how are we going to communicate our security requirements to the rest…"

"Let's first list the security requirements…"

SECURITY REQUIREMENTS

1. Internal users should authenticate with username/password when accessing services directly.
2. External users should present a security token from a trusted STS.
3. An e-mail address claim should be present in the security token that comes with external users.
4. Only some parts of the message need to be encrypted.
5. The encryption algorithm should be AES.
6. The encryption key size needs to be 256 bits.
7. All the parts in the <Body> must be signed.
ROUND TABLE DISCUSSION

"We need a way to express all these in a standard way…"

"WS-SecurityPolicy exactly addresses that…"

NOTES…… WS-SECURITY POLICY

- Used to express the security requirements of a Web service: what needs to be protected (sp:SignedParts / sp:EncryptedParts), what tokens to use (UsernameToken, X509Token, IssuedToken…), algorithm suites, token reference types, etc.
- Security policies can be attached at the binding level or at the operation/message level
NOTES……

WS-SecurityPolicy (built on WS-Policy) and WS-Trust both sit on WS-Security, which builds on:
  XML Signature | XML Encryption | Username Token Profile | X.509 Token Profile
ROUND TABLE DISCUSSION

"Everything looks good… Is there a way we could make sure we strictly follow the security policies defined…"

"Okay, that means we need to validate each and every service developed…"

"Yes, validation needs to happen at two stages…"

"Design-time validation will make sure we adhere to proper standards and policies at the time we develop…"

"Runtime validation will make sure we evaluate all the incoming requests against the defined security policies…"

NOTES…… SOA GOVERNANCE

Design-time governance
Runtime governance

NOTES…… DESIGN TIME GOVERNANCE

(Screenshot slides: policy and standards validation in the registry at design time)

MONITORING

(Screenshot slide: runtime monitoring)
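A design-time check of the kind the slides describe, run against a WS-SecurityPolicy written for the requirements listed earlier. This is an added example, not code from the slides or from WSO2 Governance Registry. The policy is a constructed WS-SecurityPolicy 1.2 fragment with two alternatives, one for internal users (UsernameToken) and one for external users (a token issued by a trusted STS); check_policy() parses it with the standard library and verifies that the algorithm suite gives AES-256, that the whole <Body> is signed, that only named parts are encrypted, that a timestamp is required, and that the issued-token template asks the STS for the e-mail claim. The STS address, token type and IncludeToken values are illustrative assumptions.

```python
"""Design-time check of a WS-SecurityPolicy against the stated requirements.

Added example, not code from the slides or from WSO2 Governance Registry.
The policy below is constructed for the requirements in the deck; the STS
address and token type are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
INCLUDE_ALWAYS = NS["sp"] + "/IncludeToken/AlwaysToRecipient"
# Suites whose encryption algorithm is AES-256; the *Rsa15 ones wrap the key with PKCS#1 v1.5.
AES256_SUITES = {"Basic256", "Basic256Sha256", "Basic256Rsa15", "Basic256Sha256Rsa15"}

BINDING = f"""
      <sp:AsymmetricBinding><wsp:Policy>
        <sp:InitiatorToken><wsp:Policy><sp:X509Token sp:IncludeToken="{INCLUDE_ALWAYS}"/></wsp:Policy></sp:InitiatorToken>
        <sp:RecipientToken><wsp:Policy><sp:X509Token sp:IncludeToken="{NS['sp']}/IncludeToken/Never"/></wsp:Policy></sp:RecipientToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"""

POLICY_XML = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}" xmlns:wst="{NS['wst']}"
            xmlns:ic="{NS['ic']}" xmlns:wsa="{NS['wsa']}">
  <wsp:ExactlyOne>
    <wsp:All>{BINDING}
      <sp:SignedSupportingTokens><wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{INCLUDE_ALWAYS}"/>
      </wsp:Policy></sp:SignedSupportingTokens>
    </wsp:All>
    <wsp:All>{BINDING}
      <sp:SignedSupportingTokens><wsp:Policy>
        <sp:IssuedToken sp:IncludeToken="{INCLUDE_ALWAYS}">
          <sp:Issuer><wsa:Address>https://sts.partner-a.example/sts</wsa:Address></sp:Issuer>
          <sp:RequestSecurityTokenTemplate>
            <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
            <wst:Claims Dialect="{NS['ic']}"><ic:ClaimType Uri="{EMAIL_CLAIM}"/></wst:Claims>
          </sp:RequestSecurityTokenTemplate>
        </sp:IssuedToken>
      </wsp:Policy></sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def _alternatives(root):
    """WS-Policy normal form is Policy/ExactlyOne/All*; a policy without ExactlyOne is one alternative."""
    return root.findall("wsp:ExactlyOne/wsp:All", NS) or [root]


def check_alternative(alt) -> list:
    """Requirements every alternative must meet: AES-256, Body signed, selective encryption, timestamp."""
    findings = []
    suite = alt.find(".//sp:AlgorithmSuite/wsp:Policy/*", NS)
    name = suite.tag.rsplit("}", 1)[-1] if suite is not None else "(none)"
    if name not in AES256_SUITES:
        findings.append(f"algorithm suite {name} does not give AES-256")
    elif name.endswith("Rsa15"):
        findings.append(f"algorithm suite {name} wraps keys with RSA PKCS#1 v1.5 (padding-oracle prone)")
    if alt.find("sp:SignedParts/sp:Body", NS) is None:
        findings.append("<Body> is not signed")
    encrypted = alt.find("sp:EncryptedParts", NS)
    if encrypted is None or len(encrypted) == 0:
        findings.append("no sp:EncryptedParts: nothing is encrypted")
    if alt.find(".//sp:IncludeTimestamp", NS) is None:
        findings.append("no wsu:Timestamp required: replays cannot be bounded")
    return findings


def check_policy(xml_text: str) -> list:
    """Return a list of findings; an empty list means the policy meets every requirement."""
    root = ET.fromstring(xml_text)
    findings, kinds = [], set()
    for i, alt in enumerate(_alternatives(root), start=1):
        findings += [f"alternative {i}: {f}" for f in check_alternative(alt)]
        if alt.find(".//sp:UsernameToken", NS) is not None:
            kinds.add("username")
        issued = alt.find(".//sp:IssuedToken", NS)
        if issued is not None:
            uris = {c.get("Uri") for c in issued.findall(".//wst:Claims/ic:ClaimType", NS)}
            kinds.add("issued+email" if EMAIL_CLAIM in uris else "issued")
    if "username" not in kinds:
        findings.append("no alternative accepts UsernameToken (internal users)")
    if "issued+email" not in kinds:
        findings.append("no alternative requires an STS-issued token with the e-mail claim (external users)")
    return findings
```

Basic256 is the suite that satisfies requirements 5 and 6 together (AES-256 content encryption with RSA-OAEP key wrapping); the checker also flags the Basic256Rsa15 variants, which meet the AES-256 requirement on paper but wrap the session key with PKCS#1 v1.5, a choice a reviewer would want to see justified.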
ROUND TABLE DISCUSSION

"Yet… we haven't figured out how to enforce policies on users, or on the requests coming through to our services…"

"Yes… we need to make sure all the requests comply with the defined security policies…"

NOTES…… MESSAGE INTERCEPTOR GATEWAY PATTERN

- Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.
- Helps to apply the transport-level and message-level security mechanisms required for securely communicating with a Web services endpoint.
- Because every request passes through the gateway, policy is enforced in one place rather than re-implemented in each service.
NOTES…… MIG - IMPLEMENTATION

- All the services (Service A, Service B, Service C) are deployed inside WSO2 Web Services Application Server [WSAS], which is not publicly accessible
- WSAS is an open source web services engine powered by Apache Axis2
- WSO2 ESB sits in front as the gateway and exposes a secured proxy service for each backend service; its Authentication Module validates incoming tokens, backed by LDAP, and its Authorization Module acts as the XACML Policy Enforcement Point [PEP]
- WSO2 Identity Server provides the STS, the Policy Administration Point [PAP] and the Policy Decision Point [PDP] that the PEP consults

NOTES…… WSO2 ESB – SECURING PROXY SERVICES

(Screenshot slides: applying a security policy to an ESB proxy service)
NOTES…… WSO2 IDENTITY SERVER

- Claim-based security token service: maps user attributes to defined claims, which can be used to enable identity federation with claim-aware web services.
- XACML Policy Administration Point & Policy Decision Point

NOTES…… WSO2 IDENTITY SERVER - STS

(Screenshot slides: STS configuration)

NOTES…… WSO2 IDENTITY SERVER – PAP/PDP

(Screenshot slides: PAP, PDP and STS in the Identity Server console)
NOTES…… SUMMARY

- WS-Security / WS-Trust / WS-SecurityPolicy
- Message Interceptor Gateway Pattern
- WSO2 Governance Registry / WSO2 WSAS / WSO2 ESB / WSO2 Identity Server
ROUND TABLE DISCUSSION

"We have secured access to all our backend services…"

"Let's think of securing the front end…"

"Yes… our backend services can be accessed either with a direct client or through our web portal…"

"Also we already have different web applications managed internally…"

"And it's hard to have different credentials for each web application…"

"Let's redesign authentication for all our web applications…"

"One more thing… we also need to give external users access to the web portal as well…"

NOTES…… PROBLEMS TO BE ADDRESSED

- Too many passwords
- Single Sign On
- Giving access to external-domain users

NOTES…… OPENID

- Decentralized Single Sign On
- Single user profile
- Identity federation
NOTES…… OPENID LOGIN FOR WEB PORTAL

(Sequence diagram across five slides, actors BROWSER, WEB PORTAL and OP: the browser submits the user's OpenID identifier to the web portal; the portal discovers the user's OpenID Provider [OP] from it and redirects the browser to the OP; the user authenticates at the OP; the OP redirects the browser back to the portal's return_to URL with a signed assertion, which the portal verifies before establishing the session.)
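What the web portal, as OpenID relying party, has to verify when the browser arrives at return_to. This is an added example, not code from the slides or from WSO2 Identity Server. It follows the relying-party checks of OpenID Authentication 2.0 section 11: the response is for this return_to, comes from the OP endpoint that discovery produced, covers the mandatory fields in openid.signed, verifies under the association's MAC key, and carries a response_nonce that is recent and has not been used before. The signature is HMAC over the key-value form of the signed fields; the association handle, MAC key, URLs, identities and the five-minute nonce window are constructed or assumed values.

```python
"""Verifying the OpenID 2.0 positive assertion the browser brings back to the portal.

Added example, not code from the slides or from WSO2. Implements the relying-party
side of OpenID Authentication 2.0 (section 11) with the standard library. The
signature is HMAC over "name:value\\n" for each field named in openid.signed, in
that order, keyed with the association's MAC key. All handles, keys and URLs are
constructed values; the nonce window is an assumption.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")
NONCE_WINDOW = timedelta(minutes=5)   # assumption: how far a response_nonce timestamp may drift


def kv_form(params: dict, signed: str) -> bytes:
    """Key-value form of the signed fields: 'name:value\\n' per field, in openid.signed order."""
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed.split(",")).encode("utf-8")


def sign(params: dict, signed: str, mac_key: bytes, digest=hashlib.sha256) -> str:
    """HMAC-SHA256 for HMAC-SHA256 associations; an HMAC-SHA1 association would pass hashlib.sha1."""
    return base64.b64encode(hmac.new(mac_key, kv_form(params, signed), digest).digest()).decode("ascii")


class RelyingParty:
    def __init__(self, return_to: str, associations: dict):
        self._return_to = return_to
        self._associations = associations   # (op_endpoint, assoc_handle) -> (mac_key, digest)
        self._seen_nonces = {}              # response_nonce -> when it may be forgotten

    def verify(self, params: dict, discovered_op_endpoint: str, now: datetime):
        """Return (accepted, claimed_id or rejection reason)."""
        if params.get("openid.ns") != OPENID_NS:
            return False, "not an OpenID 2.0 message"
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if params.get("openid.return_to") != self._return_to:
            return False, "return_to does not match this endpoint"
        if params.get("openid.op_endpoint") != discovered_op_endpoint:
            return False, "op_endpoint differs from the one found by discovery"
        signed = params.get("openid.signed", "").split(",")
        missing = [f for f in MUST_BE_SIGNED if f not in signed or ("openid." + f) not in params]
        if missing:
            return False, "fields not covered by the signature: " + ", ".join(missing)
        assoc = self._associations.get((discovered_op_endpoint, params["openid.assoc_handle"]))
        if assoc is None:
            return False, "unknown assoc_handle (a stateless RP would call check_authentication here)"
        mac_key, digest = assoc
        try:
            expected = sign(params, params["openid.signed"], mac_key, digest)
        except KeyError:
            return False, "a signed field is missing from the response"
        if not hmac.compare_digest(expected.encode("ascii"), params.get("openid.sig", "").encode("utf-8")):
            return False, "bad signature"
        # Only now is the rest of the response trustworthy.
        nonce = params["openid.response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed response_nonce"
        if abs(now - issued) > NONCE_WINDOW:
            return False, "response_nonce outside the accepted time window"
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
        if nonce in self._seen_nonces:
            return False, "replayed response_nonce"
        self._seen_nonces[nonce] = now + 2 * NONCE_WINDOW
        return True, params["openid.claimed_id"]


def sample_assertion(mac_key: bytes, op_endpoint: str, return_to: str, nonce: str) -> dict:
    """Constructed id_res response, as the OP would send it through the browser's redirect."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, params["openid.signed"], mac_key)
    return params
```

The op_endpoint comparison against the discovered endpoint is the check that stops a rogue OP from asserting someone else's identifier: anybody can sign a response with their own association, so the portal must only accept the OP that discovery on the claimed identifier actually pointed at.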
NOTES…… OPENID + INFORMATION CARDS

(Diagram: the OP also accepts Information Card [InfoCard] login)

NOTES…… WSO2 IDENTITY SERVER

- OpenID Provider
- InfoCard Provider

NOTES…… TRUSTED SUB SYSTEM

(Diagram: the user authenticates to the WEB PORTAL through the OP; the portal then calls the backend services under its own identity, and the services trust the portal to have authenticated and authorized the user.)
NOTES…… SUMMARY

- WS-Security / WS-Trust / WS-SecurityPolicy
- Message Interceptor Gateway Pattern
- WSO2 Governance Registry / WSO2 WSAS / WSO2 ESB / WSO2 Identity Server
- OpenID + InfoCard
- Trusted Sub System Pattern

DISCUSSION…...

http://wso2.com
http://wso2.com/about/contact
bizdev@wso2.com
prabath@wso2.com

Thank You…!!!
Modernizing Legacy Systems Using Ballerina
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 

Recently uploaded

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

Oscon 2009

  • 1. OSCON, July 20 – 24, 2009, San Jose, California. The Secured Enterprise: Leverage OpenID with Web Services. Prabath Siriwardena, Technical Lead & Product Manager, WSO2
  • 2. WSO2 is an innovative Open Source technology company devoted to building Web services middleware for your SOA. Offering leading products, support and other services, WSO2 was founded in August 2005. It is a global corporation with offices located in USA, UK and Sri Lanka.
  • 5. Security needs to be by design, NOT an afterthought.
  • 6. ROUND TABLE DISCUSSION: What do we need to secure…
  • 7. ROUND TABLE DISCUSSION: We have a bunch of services already developed and some under development….
  • 8. ROUND TABLE DISCUSSION: Yes…. we need to make sure all the data transferred is secured….
  • 9. ROUND TABLE DISCUSSION: How about securing data transfer between the service and the client through HTTPS….
  • 10. ROUND TABLE DISCUSSION: HTTPS is not bad.. But still it has certain limitations…
  • 11. NOTES…… HTTPS: Transport level encryption. Point to point only: the message is decrypted at every hop, so an intermediary (a proxy, a queue, a gateway) sees it in the clear. The entire message is encrypted, with no way to protect only selected parts. Adds little overhead to the message payload. Applies only to the HTTP transport; a message carried over another transport, or stored and forwarded, is no longer protected.
  • 12. ROUND TABLE DISCUSSION: How about message level security?
  • 13. NOTES…… MESSAGE LEVEL SECURITY: End to end: protection travels with the message itself, across intermediaries. Parts of the message can be encrypted (or signed) selectively. Adds more weight to the message payload. Transport independent.
  • 14. ROUND TABLE DISCUSSION: Yes – let’s finalize on message level security….
  • 15. ROUND TABLE DISCUSSION: How can we use message level security to protect our services…
  • 16. NOTES…… C-I-A: Confidentiality, Integrity, Authentication
  • 17. NOTES…… CONFIDENTIALITY: The assurance that a message has not been read by anyone other than the intended reader
  • 18. NOTES…… INTEGRITY: The assurance that data is complete and accurate, i.e. has not been altered on the way
  • 19. NOTES…… AUTHENTICATION: The verification of a claimed identity
  • 20. ROUND TABLE DISCUSSION: Can we make sure we interoperate with the rest…
  • 21. ROUND TABLE DISCUSSION: Yes… we need not re-implement the wheel… what is the standard to achieve C-I-A with message level security…?
  • 22. NOTES…… WS-SECURITY: Defines how to achieve confidentiality, integrity and authentication with SOAP messages. Does not define a new security technology; it only focuses on applying existing security technologies (XML Encryption, XML Signature, security tokens) to SOAP messages.
  • 23. ROUND TABLE DISCUSSION: The UsernameToken defined in WS-Security enables us to authenticate users with username/password…
  • 24. NOTES…… USERNAMETOKEN
    <wsse:UsernameToken wsu:Id="Example-1">
      <wsse:Username> ... </wsse:Username>
      <!-- Type is a profile URI ending in #PasswordText (password in the clear,
           needs HTTPS) or #PasswordDigest (hash of nonce + created + password) -->
      <wsse:Password Type="..."> ... </wsse:Password>
      <!-- Nonce and Created are only meaningful with PasswordDigest;
           EncodingType is normally the profile's #Base64Binary -->
      <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
      <wsu:Created> ... </wsu:Created>
    </wsse:UsernameToken>
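The digest form of the token is the one worth deploying, so here is an added example of how it works; this is illustration code written for this page, not code from the talk or from WSO2. It computes the digest the UsernameToken Profile defines, Base64(SHA-1(nonce + created + password)), and shows a service-side verifier that recomputes it from the stored password and rejects stale Created timestamps and reused nonces. The in-memory password map, the user names and the five-minute freshness window are assumptions for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// UsernameToken holds the wire values of a PasswordDigest token: the password
// itself never travels, only the digest, the base64 nonce and the timestamp.
type UsernameToken struct {
	Username string
	Digest   string // Base64(SHA-1(nonce_bytes + created + password))
	Nonce    string // base64-encoded random bytes
	Created  string // xsd:dateTime in UTC, e.g. 2009-07-20T10:15:30Z
}

// passwordDigest is the UsernameToken Profile digest; nonce is the decoded bytes.
func passwordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// NewUsernameToken builds the token a client puts into <wsse:Security>.
func NewUsernameToken(user, password string, now time.Time) (UsernameToken, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return UsernameToken{}, err
	}
	created := now.UTC().Format(time.RFC3339)
	return UsernameToken{
		Username: user,
		Digest:   passwordDigest(nonce, created, password),
		Nonce:    base64.StdEncoding.EncodeToString(nonce),
		Created:  created,
	}, nil
}

// Verifier is the service side: a credential store (assumed in-memory here;
// a real deployment reads LDAP) plus the nonce cache that makes the digest
// replay-resistant.
type Verifier struct {
	Passwords map[string]string
	MaxSkew   time.Duration        // how far Created may be from the server clock
	seen      map[string]time.Time // nonce -> when its cache entry may be dropped
}

func NewVerifier(pw map[string]string, skew time.Duration) *Verifier {
	return &Verifier{Passwords: pw, MaxSkew: skew, seen: map[string]time.Time{}}
}

// Verify recomputes the digest with the stored password and rejects stale
// timestamps and reused nonces; the digest comparison is constant-time.
func (v *Verifier) Verify(t UsernameToken, now time.Time) error {
	password, ok := v.Passwords[t.Username]
	if !ok {
		return errors.New("unknown user")
	}
	created, err := time.Parse(time.RFC3339, t.Created)
	if err != nil {
		return errors.New("bad Created timestamp")
	}
	if age := now.Sub(created); age > v.MaxSkew || age < -v.MaxSkew {
		return errors.New("Created outside freshness window")
	}
	nonce, err := base64.StdEncoding.DecodeString(t.Nonce)
	if err != nil || len(nonce) == 0 {
		return errors.New("bad Nonce")
	}
	for n, exp := range v.seen { // drop entries older than the freshness window
		if now.After(exp) {
			delete(v.seen, n)
		}
	}
	if _, replay := v.seen[t.Nonce]; replay {
		return errors.New("nonce replayed")
	}
	expected := passwordDigest(nonce, t.Created, password)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(t.Digest)) != 1 {
		return errors.New("digest mismatch")
	}
	v.seen[t.Nonce] = now.Add(v.MaxSkew)
	return nil
}

func main() {
	v := NewVerifier(map[string]string{"alice": "s3cret"}, 5*time.Minute) // constructed store
	now := time.Date(2009, 7, 20, 10, 15, 30, 0, time.UTC)
	tok, _ := NewUsernameToken("alice", "s3cret", now)
	fmt.Println("first use:", v.Verify(tok, now))
	fmt.Println("replay:   ", v.Verify(tok, now))
	fmt.Println("stale:    ", v.Verify(tok, now.Add(time.Hour)))
}
```

Two caveats follow from the algorithm: the verifier must hold the password itself (a salted hash of it cannot reproduce the digest), so the credential store still needs protecting, and SHA-1 is what the profile mandates, not a choice made here; PasswordDigest protects the password on the wire, it does not replace encrypting the message.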
  • 25. ROUND TABLE DISCUSSION: WS-Security brings XML Encryption to enable confidentiality in SOAP messages….
  • 27. NOTES…… SHARED KEY: One shared (symmetric) key is used for both encryption and decryption. Can operate on large plain text messages. Fast. Uses public key encryption to manage shared key distribution securely.
  • 28. NOTES…… KEY WRAPPING: Only the service needs a certificate; the client does not. The client generates a fresh shared key and wraps it (encrypts it) with the public key from the service’s certificate, so only the service can unwrap it. Further communication is encrypted with that shared key.
  • 29. ROUND TABLE DISCUSSION: Integrity comes through XML Signature….
  • 31. NOTES…… WS-Security building blocks (diagram): Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  • 32. ROUND TABLE DISCUSSION: Okay… now all our services are secured with WS-Security… What is next?
  • 33. ROUND TABLE DISCUSSION: We need to see who should be given access to our services….
  • 34. ROUND TABLE DISCUSSION: Definitely all the internal users…
  • 35. ROUND TABLE DISCUSSION: …also some of our partner companies….
  • 36. ROUND TABLE DISCUSSION: Okay… we can easily authenticate internal users with UsernameToken, since we have their credentials internally….
  • 37. ROUND TABLE DISCUSSION: But we don’t maintain credentials of the external users coming from our partner companies….
  • 38. ROUND TABLE DISCUSSION: We need not maintain external user credentials… we only need to trust our partners….
  • 39. ROUND TABLE DISCUSSION: …and that is what WS-Trust does….
  • 41. NOTES…… TRUSTING PARTNERS: We need not authenticate individual external users; we only TRUST the external partners. All the requests coming from external users need to carry a security token signed by the corresponding partner company (its security token service). Only requests signed by TRUSTED partners will be let in; a token from an unknown issuer, an expired token or one issued for a different service is rejected.
  • 42. ROUND TABLE DISCUSSION: …also our users need access to external systems, outside our domain….
  • 43. ROUND TABLE DISCUSSION: That is exactly the other side of what we just discussed.. We need to maintain an internal STS (Security Token Service).
  • 44. NOTES…… STS: All the requests going outside from internal users need to carry a security token issued by the internal STS. Internal users should authenticate themselves with the internal STS prior to obtaining a security token. External services need to trust our STS.
  • 45. NOTES…… WS-Trust builds on WS-Security (diagram): Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  • 46. ROUND TABLE DISCUSSION: Now… the question is how are we going to communicate our security requirements to the rest…
  • 47. ROUND TABLE DISCUSSION: Let’s first list the security requirements…..
  • 48. SECURITY REQUIREMENTS: Internal users should authenticate with user name / password when accessing services directly
  • 49. SECURITY REQUIREMENTS: External users should present a security token from a trusted STS
  • 50. SECURITY REQUIREMENTS: An email address claim should be present in the security token that comes with external users.
  • 51. SECURITY REQUIREMENTS: Only some parts of the message need to be encrypted.
  • 52. SECURITY REQUIREMENTS: Encryption algorithm should be AES.
  • 53. SECURITY REQUIREMENTS: Encryption key size needs to be 256 bits.
  • 54. SECURITY REQUIREMENTS: All the parts in the <Body> must be signed
  • 55. ROUND TABLE DISCUSSION: We need a way to express all these in a standard way….
  • 56. ROUND TABLE DISCUSSION: WS-SecurityPolicy exactly addresses that…
  • 57. NOTES…… WS-SECURITY POLICY: Used to express the security requirements of a Web service: what needs to be protected (which parts are signed or encrypted)… what tokens to use… algorithms, reference types, etc…. Security policies can be defined at the binding level or at the operation level, so the list above becomes something a client can read from the WSDL and a runtime can enforce.
  • 58. NOTES…… The stack (diagram): WS-Policy / WS-SecurityPolicy and WS-Trust on top of WS-Security (Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption)
  • 59. ROUND TABLE DISCUSSION: Everything looks good…. Is there a way we could make sure we strictly follow the security policies defined…
  • 60. ROUND TABLE DISCUSSION: Okay – that means we need to validate each and every service developed…
  • 61. ROUND TABLE DISCUSSION: Yes – validation needs to happen at two stages…
  • 62. ROUND TABLE DISCUSSION: Design time validations will make sure we adhere to proper standards and policies at the time we develop…
  • 63. ROUND TABLE DISCUSSION: Runtime validations will make sure we evaluate all the requests coming in against the defined security policies….
  • 64. NOTES…… SOA GOVERNANCE: Design time governance. Runtime governance.
  • 68. NOTES…… DESIGN TIME GOVERNANCE: MONITORING
  • 69. ROUND TABLE DISCUSSION: Yet… we haven’t figured out how to enforce policies on users, or on the requests coming through to our services…
  • 70. ROUND TABLE DISCUSSION: Yes… we need to make sure all the requests comply with the defined security policies….
  • 72. NOTES…… MESSAGE INTERCEPTOR GATEWAY PATTERN: Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages. Helps to apply the transport-level and message-level security mechanisms required for securely communicating with a Web services endpoint.
  • 73. NOTES…… MIG - IMPLEMENTATION: All the services can be deployed inside WSO2 Web Services Application Server [WSAS], an open source web services engine powered by Apache Axis2, and kept not publicly accessible, so that they are reached only through the gateway.
  • 74–76. NOTES…… MIG - IMPLEMENTATION (diagrams: the gateway in front of Service A, Service B and Service C)
  • 77. NOTES…… MIG - IMPLEMENTATION (diagram): gateway with an Authentication Module and an Authorization Module [PEP] backed by LDAP, in front of Service A, Service B and Service C
  • 78–80. NOTES…… WSO2 ESB – SECURING PROXY SERVICES (screenshots)
  • 81. NOTES…… MIG - IMPLEMENTATION (diagram): gateway with an Authentication Module and an Authorization Module [PEP] backed by LDAP, an STS, and a PAP/PDP, in front of Service A, Service B and Service C
  • 82. NOTES…… WSO2 IDENTITY SERVER: Claim-based security token service, mapping user attributes to defined claims, which can be used to enable identity federation with claim-aware web services. XACML Policy Administration Point (PAP) & Policy Decision Point (PDP).
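The PEP in the gateway diagrams and the PAP/PDP in the Identity Server are easiest to understand as one evaluation loop. This is an added example written for this page, not XACML, not Identity Server code and not a WSO2 API: it models a policy as rules with a target (resource and operation), a condition over the subject’s attributes and an effect, evaluates a request with XACML’s deny-overrides combining algorithm, and has the PEP fail closed so that NotApplicable is treated like Deny. The policy itself, the service and operation names and the subject attributes (a role for internal users, the issuer and email claim for partner users, matching the security requirements listed earlier) are constructed for the demo. Go standard library only.

```go
package main

import "fmt"

// Decision is the result the PDP returns (XACML's Indeterminate is left out).
type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
)

func (d Decision) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[d] }

// Request is the attribute bag the PEP assembles from an already authenticated
// message: subject attributes (from the UsernameToken, or from the claims of an
// STS-issued token), the service addressed and the operation invoked.
type Request struct {
	Subject  map[string]string
	Resource string
	Action   string
}

// Rule: a target (Resource/Action, "" meaning any), an optional condition over
// the subject attributes, and the effect if the rule applies.
type Rule struct {
	ID        string
	Resource  string
	Action    string
	Condition func(subject map[string]string) bool
	Effect    Decision
}

func (r Rule) applies(q Request) bool {
	return (r.Resource == "" || r.Resource == q.Resource) &&
		(r.Action == "" || r.Action == q.Action) &&
		(r.Condition == nil || r.Condition(q.Subject))
}

// Policy is what the PAP administers and the PDP evaluates.
type Policy struct {
	ID    string
	Rules []Rule
}

// Evaluate implements deny-overrides: one applicable Deny beats any Permit.
func (p Policy) Evaluate(q Request) Decision {
	result := NotApplicable
	for _, r := range p.Rules {
		if !r.applies(q) {
			continue
		}
		if r.Effect == Deny {
			return Deny
		}
		result = Permit
	}
	return result
}

// PEPAllows is the gateway's enforcement: only an explicit Permit lets the
// request through, so a request no rule covers is refused (fail closed).
func PEPAllows(pdp Policy, q Request) bool {
	return pdp.Evaluate(q) == Permit
}

// DemoPolicy is a constructed policy for the scenario on the slides: employees
// may call anything; partner users (recognised by the issuer of their token and
// a present email claim) may only place orders; nobody presenting an externally
// issued token may reach the admin service.
func DemoPolicy() Policy {
	return Policy{ID: "enterprise-services", Rules: []Rule{
		{ID: "employees-any",
			Condition: func(s map[string]string) bool { return s["role"] == "employee" }, Effect: Permit},
		{ID: "partners-place-orders", Resource: "OrderService", Action: "placeOrder",
			Condition: func(s map[string]string) bool { return s["issuer"] == "sts.partner.example" && s["email"] != "" },
			Effect:    Permit},
		{ID: "no-external-admin", Resource: "AdminService",
			Condition: func(s map[string]string) bool { return s["issuer"] != "" }, Effect: Deny},
	}}
}

func main() {
	pdp := DemoPolicy()
	partner := map[string]string{"issuer": "sts.partner.example", "email": "bob@partner.example"}
	for _, q := range []Request{
		{Subject: map[string]string{"role": "employee"}, Resource: "AdminService", Action: "reload"},
		{Subject: partner, Resource: "OrderService", Action: "placeOrder"},
		{Subject: partner, Resource: "OrderService", Action: "cancelOrder"},
		{Subject: partner, Resource: "AdminService", Action: "reload"},
	} {
		fmt.Printf("%-12s %-12s -> %-13s allowed=%v\n", q.Resource, q.Action, pdp.Evaluate(q), PEPAllows(pdp, q))
	}
}
```

Keeping the decision in the PDP and only the yes/no in the PEP is the point of the split: the gateway never needs to know why a request was refused, and the policy can change in the PAP without redeploying the gateway or the services behind it.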
  • 85–87. NOTES…… WSO2 IDENTITY SERVER – PAP/PDP (screenshots; components: PAP, PDP, STS)
  • 88. NOTES…… SUMMARY: WS-Security / WS-Trust / WS-SecurityPolicy. Message Interceptor Gateway Pattern. WSO2 Governance Registry / WSO2 WSAS / WSO2 ESB / WSO2 Identity Server.
  • 89. ROUND TABLE DISCUSSION: We have secured access to all our backend services…
  • 90. ROUND TABLE DISCUSSION: Let’s think of securing the front end….
  • 91. ROUND TABLE DISCUSSION: Yes… our backend services can be accessed either with a direct client or through our web portal….
  • 92. ROUND TABLE DISCUSSION: Also we already have different web applications managed internally…
  • 93. ROUND TABLE DISCUSSION: And it’s hard to have different credentials for each web application….
  • 94. ROUND TABLE DISCUSSION: Let’s redesign authentication for all our web applications….
  • 95. ROUND TABLE DISCUSSION: One more thing… we also need to give external users access to the web portal as well…
  • 96. NOTES…… PROBLEMS TO BE ADDRESSED: Too many passwords. Single Sign On. Giving access to external domain users.
  • 97. NOTES…… OPENID: Decentralized Single Sign On. Single user profile. Identity federation.
  • 98–102. NOTES…… OPENID LOGIN FOR WEB PORTAL (sequence diagram between BROWSER, OP and WEB PORTAL)
  • 103. NOTES…… OPENID + INFORMATION CARDS (diagram: OP)
  • 104. NOTES…… WSO2 IDENTITY SERVER: OpenID Provider (OP), InfoCard Provider
  • 105–106. NOTES…… TRUSTED SUB SYSTEM (diagrams: WEB PORTAL, OP): the web portal authenticates the end user (here through the OP) and then calls the backend services under its own identity, which the services trust, rather than forwarding the user’s credentials.
  • 107. NOTES…… SUMMARY: WS-Security / WS-Trust / WS-SecurityPolicy. Message Interceptor Gateway Pattern. WSO2 Governance Registry / WSO2 WSAS / WSO2 ESB / WSO2 Identity Server. OpenID + InfoCard. Trusted Sub System Pattern.
  • 108. DISCUSSION…... http://wso2.com, http://wso2.com/about/contact, bizdev@wso2.com, prabath@wso2.com