Prabath Siriwardena, profile picture
Uploaded byPrabath Siriwardena
PDF, PPTX1,421 views

Web Service Security

This document discusses various patterns for authentication and authorization at the message level for web services. It covers authentication patterns like direct authentication using basic authentication or mutual authentication with OAuth. It also discusses brokered authentication using WS-Trust/STS. For authorization, it discusses direct and delegated authorization patterns. The document then summarizes security solutions like WS-Security, WS-SecureConversation, WS-Trust and security policy standards.

Embed presentation

Download as PDF, PPTX
Prabath  Siriwardena  –  Software  Architect,  WSO2  
Plan for the session Patterns Standards Implementations
Recurring Problems
Patterns Authentication Confidentiality Authorization Patterns Patterns Patterns
1995 1997
1999
2004
2005 SAML2 Web SSO
2008/May
Authentication Patterns Direct Brokered Authentication Authentication
Direct Authentication for Web Services Transport  Level   Basic Authentication Mutual Authentication 2-legged OAuth
Direct Authentication for Web Services Message  Level   UsernameToken Profile with WS-Security Signing – X.509 Token Profile with WS-Security
Brokered Authentication for Web Services Transport  Level   Mutual Authentication 2-legged OAuth
Brokered Authentication for Web Services Message  Level   WS-Trust / STS Resource  STS   WS-Federation Signing – X.509 Token Profile with WS-Security Kerberos Token Profile for WS-Security
2006/April
2006/June
2008/2009
2008/2009
2008/2009
2007/Dec
2007/Dec
Authorization Patterns Direct Delegated Authorization Authorization
Authorization ActAs  in  WS-­‐Trust  1.4   Patterns Direct Delegated Authorization Authorization
2005/Feb
Message  Level   Security Solution Patterns Message Interceptor Gateway Pattern Trusted Sub System Pattern
Message  Level   SOAP Security UsernameToken Profile
SOAP Security Key  Identifiers   Message  Level   X.509 Token Profile & Key Referencing Direct  References  
Message  Level   SOAP Security Symmetric Binding Vs Asymmetric Binding
SOAP Security •  WS-­‐Security  secures  SOAP  –  focuses  on   Message  Level   WS  –  Secure  Conversation   message  level  security   •  Focuses  on  a  single  message  authentication   model   •  Each  message  contains  everything  necessary   to  authenticate  it  self   •  Suitable  for  a  coarse  grained  messaging  in   which  a  single  message  at  a  time  from  the   same  requestor  is  received  
Message  Level   SOAP Security •  What  SSL  does  at  the  transport  level  in  point-­‐to-­‐point   WS  –  Secure  Conversation   communication,  WS-­‐SecureConversation  does  at  the   SOAP  layer   •  Removes  the  need  of  individual  SOAP  message   carrying  authentication  information.   •  Establishes  a  mutually  authenticated  security  context   in  which  a  series  of  messages  are  exchanged.   •  Uses  public  key  encryption  to  exchange  a  shared   secret  and  then  onwards  uses  the  shared  key  
Message  Level   SOAP Security WS-Trust
Message  Level   SOAP Security Sender Vouches – Subject Confirmation
Message  Level   SOAP Security Holder-of-Key – Subject Confirmation
SOAP Security WS – Security Policy http://wso2.org/library/3132 http://wso2.org/library/3786
Web Service Security

More Related Content

PPTX
WS-Trust
byPrabath Siriwardena
 
PPTX
WS - Security
byPrabath Siriwardena
 
PPTX
WS - SecurityPolicy
byPrabath Siriwardena
 
PPTX
XML Signature
byPrabath Siriwardena
 
PPTX
Web Service Security
byLuqman Shareef
 
POTX
Mastering Modern Authentication and Authorization for SharePoint and Office A...
byEric Shupps
 
PDF
OpenSSO Tech Overview Aquarium
byEduardo Pelegri-Llopart
 
PPT
XML And Web Services Security Standards
byguest68465b
 
WS-Trust
byPrabath Siriwardena
 
WS - Security
byPrabath Siriwardena
 
WS - SecurityPolicy
byPrabath Siriwardena
 
XML Signature
byPrabath Siriwardena
 
Web Service Security
byLuqman Shareef
 
Mastering Modern Authentication and Authorization for SharePoint and Office A...
byEric Shupps
 
OpenSSO Tech Overview Aquarium
byEduardo Pelegri-Llopart
 
XML And Web Services Security Standards
byguest68465b
 

Similar to Web Service Security

PDF
Summer School - Security in SOA
byWSO2
 
PDF
The Secured Enterprise: Leverage OpenID with Web Services
byPrabath Siriwardena
 
PDF
Oscon 2009
byWSO2
 
PDF
What is Advanced Web Servicels.pdf
byAngelicaPantaleon3
 
PDF
07 a breaking_xml_signature_and_encryption_-_juraj_somorovsky
bySunny Sreekanth
 
PDF
07 a breaking_xml_signature_and_encryption_-_juraj_somorovsky
bySunny Sreekanth
 
PDF
Layer 7: 2010 RSA Presentation on REST and Oauth Security
byCA API Management
 
PDF
20071015 Architecting Enterprise Security
byDavid Chou
 
PDF
Soa Security Testing
byJaipal Naidu
 
PPT
Presentation sso design_security
byMarco Morana
 
PPT
Web services security_in_wse_3_ppt
byHarshavardhan Achrekar
 
PDF
Wcf difference faqs-1
byUmar Ali
 
PDF
Securing Your API
byJason Austin
 
PDF
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
PPTX
Web services security
bynurmeen1
 
PDF
Layer 7: Understanding XML & Web Services Performance
byCA API Management
 
PDF
Identity patterns and anit-patterns in real world web services
byPrabath Siriwardena
 
PDF
Web Service Extensions | Torry Harris Whitepaper
byTorry Harris Business Solutions
 
PPT
P hallam baker_keynote
byshindeshekhar
 
PDF
Toufic Boubez The Future Of S O A Security
bySOA Symposium
 
Summer School - Security in SOA
byWSO2
 
The Secured Enterprise: Leverage OpenID with Web Services
byPrabath Siriwardena
 
Oscon 2009
byWSO2
 
What is Advanced Web Servicels.pdf
byAngelicaPantaleon3
 
07 a breaking_xml_signature_and_encryption_-_juraj_somorovsky
bySunny Sreekanth
 
07 a breaking_xml_signature_and_encryption_-_juraj_somorovsky
bySunny Sreekanth
 
Layer 7: 2010 RSA Presentation on REST and Oauth Security
byCA API Management
 
20071015 Architecting Enterprise Security
byDavid Chou
 
Soa Security Testing
byJaipal Naidu
 
Presentation sso design_security
byMarco Morana
 
Web services security_in_wse_3_ppt
byHarshavardhan Achrekar
 
Wcf difference faqs-1
byUmar Ali
 
Securing Your API
byJason Austin
 
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
Web services security
bynurmeen1
 
Layer 7: Understanding XML & Web Services Performance
byCA API Management
 
Identity patterns and anit-patterns in real world web services
byPrabath Siriwardena
 
Web Service Extensions | Torry Harris Whitepaper
byTorry Harris Business Solutions
 
P hallam baker_keynote
byshindeshekhar
 
Toufic Boubez The Future Of S O A Security
bySOA Symposium
 

More from Prabath Siriwardena

PDF
Microservices Security Landscape
byPrabath Siriwardena
 
PDF
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Identity is Eating the World!
byPrabath Siriwardena
 
PPTX
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PDF
GDPR for Identity Architects
byPrabath Siriwardena
 
PDF
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
PDF
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
PDF
Identity Management for Web Application Developers
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PPTX
API Security : Patterns and Practices
byPrabath Siriwardena
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
PPTX
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
PPTX
The Evolution of Internet Identity
byPrabath Siriwardena
 
PPTX
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
Microservices Security Landscape
byPrabath Siriwardena
 
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Identity is Eating the World!
byPrabath Siriwardena
 
Microservices Security Landscape
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
GDPR for Identity Architects
byPrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
Identity Management for Web Application Developers
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Open Standards in Identity Management
byPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
API Security : Patterns and Practices
byPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
The Evolution of Internet Identity
byPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 

Recently uploaded

PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PPTX
Route_Inspection_Problem_Presentation.pptx
byIqraHanif27
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PDF
apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...
byapidays
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PDF
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
Route_Inspection_Problem_Presentation.pptx
byIqraHanif27
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...
byapidays
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Information and Communication Technologies and Power
byJeffrey Hart
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 

Web Service Security

  • 1.
    Prabath  Siriwardena  –  Software  Architect,  WSO2  
  • 2.
    Plan for thesession Patterns Standards Implementations
  • 3.
  • 4.
    Patterns Authentication Confidentiality Authorization Patterns Patterns Patterns
  • 5.
    1995 1997
  • 7.
  • 8.
  • 9.
    2005 SAML2 Web SSO
  • 10.
  • 11.
    Authentication Patterns Direct Brokered Authentication Authentication
  • 12.
    Direct Authentication for Web Services Transport  Level   Basic Authentication Mutual Authentication 2-legged OAuth
  • 13.
    Direct Authentication for Web Services Message  Level   UsernameToken Profile with WS-Security Signing – X.509 Token Profile with WS-Security
  • 14.
    Brokered Authentication for Web Services Transport  Level   Mutual Authentication 2-legged OAuth
  • 15.
    Brokered Authentication for Web Services Message  Level   WS-Trust / STS Resource  STS   WS-Federation Signing – X.509 Token Profile with WS-Security Kerberos Token Profile for WS-Security
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
    Authorization Patterns Direct Delegated Authorization Authorization
  • 25.
    Authorization ActAs  in  WS-­‐Trust  1.4   Patterns Direct Delegated Authorization Authorization
  • 26.
  • 27.
    Message  Level   Security Solution Patterns Message Interceptor Gateway Pattern Trusted Sub System Pattern
  • 28.
    Message  Level   SOAP Security UsernameToken Profile
  • 29.
    SOAP Security Key  Identifiers   Message  Level   X.509 Token Profile & Key Referencing Direct  References  
  • 30.
    Message  Level   SOAP Security Symmetric Binding Vs Asymmetric Binding
  • 31.
    SOAP Security •  WS-­‐Security  secures  SOAP  –  focuses  on   Message  Level   WS  –  Secure  Conversation   message  level  security   •  Focuses  on  a  single  message  authentication   model   •  Each  message  contains  everything  necessary   to  authenticate  it  self   •  Suitable  for  a  coarse  grained  messaging  in   which  a  single  message  at  a  time  from  the   same  requestor  is  received  
  • 32.
    Message  Level   SOAP Security •  What  SSL  does  at  the  transport  level  in  point-­‐to-­‐point   WS  –  Secure  Conversation   communication,  WS-­‐SecureConversation  does  at  the   SOAP  layer   •  Removes  the  need  of  individual  SOAP  message   carrying  authentication  information.   •  Establishes  a  mutually  authenticated  security  context   in  which  a  series  of  messages  are  exchanged.   •  Uses  public  key  encryption  to  exchange  a  shared   secret  and  then  onwards  uses  the  shared  key  
  • 33.
    Message  Level   SOAP Security WS-Trust
  • 34.
    Message  Level   SOAP Security Sender Vouches – Subject Confirmation
  • 35.
    Message  Level   SOAP Security Holder-of-Key – Subject Confirmation
  • 36.
    SOAP Security WS – Security Policy http://wso2.org/library/3132 http://wso2.org/library/3786