Prabath Siriwardena, profile picture
Uploaded byPrabath Siriwardena
PPTX, PDF4,325 views

WS - SecurityPolicy

This document provides an overview of WS-Security Policy, which defines a framework for expressing security requirements for web services using policies. It discusses how WS-Security Policy builds on WS-Policy to allow endpoints to express security requirements through policy assertions. These include protection assertions to specify signed or encrypted parts, token assertions to specify required token types, and binding assertions to define how messages are secured. The document also covers how policies can be associated with WSDL definitions and how policy compatibility and intersections are defined.

Embed presentation

Downloaded 103 times
WS – Security Policy Prabath Siriwardena Director, Security Architecture
Why we need a policy ? • How come users get to know the security requirements of your web service? • Web service may need client to authenticate • Web service may need client to sign all his requests • Client may need some part of the response from the service to be encrypted • Client need the service to sign the entire response first and then encrypts
WS-Policy • General framework for endpoints to express requirements. • NOT just for security requirements • Requirements are expressed in terms of a „Policy‟ • WS-Policy is a set of specifications providing a generalized mechanism for describing policy in a machine readable way.
WS-Policy & WSDL • WSDL focuses on function descriptions • Non-functional descriptions and QoS aspects are covered by WS-Policy • Web services clients do not have a WSDL, yet WSPolicy also applies to web services clients
WS-Policy Framework • WS-Policy, defines a framework for describing policy assertions. • WS-PolicyAttachment, describes how policies are attached to resource [e.g. WSDL] • WS-PolicyAssertions, describes a common set of assertions that are applicable across different domains.
WS-Policy • Basic operators wsp:All wsp:ExactlyOne
WS-Policy -Example <wsp:Policy> <wsp:ExactlyOne> <wsp:All> <A/> <B/> </wsp:All> <wsp:All> <A/> <C/> </wsp:All> </wsp:ExactlyOne> </wsp:Policy>
WS-Policy • • • • <wsp:All> and <wsp:ExactlyOne> are commutative <wsp:All> and <wsp:ExactlyOne> are associative <wsp:All> and <wsp:ExactlyOne> are idempotent <wsp:All> and <wsp:ExactlyOne> are distributive
WS-SecurityPolicy • • • • • Based on WS-Policy Various groups of policy assertions Expressed in WSDL Defines six policy assertions that apply to WS-Security To express security requirements of a Web service according to the WS-Policy spec – What needs to be protected – What tokens to use – Algorithms, reference types, etc..
Assertion Types • • • • • • Protection assertions Required Elements Assertion Token assertions Security Binding assertions Supporting token assertions Protocol assertions
Protection Assertions • Specify what needs to be protected – Integrity Assertions – Confidentiality Assertions
Protection Assertions - Integrity SignedParts This assertion specifies the parts of the message that need integrity protection. <sp:SignedParts ... > <sp:Body /> <sp:Header Name="" Namespace=""/> </sp:SignedParts>
Protection Assertions - Integrity SignedElements This assertion is used to specify arbitrary elements in the message that require integrity protection. <sp:SignedElements XPathVersion="“ > <sp:XPath>xs:string</sp:XPath> </sp:SignedElements>
Protection Assertions Confidentiality EncryptedParts This assertion specifies the parts of the message that need confidentiality protection. . <sp:EncryptedParts ... > <sp:Body /> <sp:Header Name="" Namespace=""/> </sp:EncryptedParts >
Protection Assertions Confidentiality EncryptedElements This assertion is used to specify arbitrary elements in the message that require confidentiality protection. <sp:EncryptedElements XPathVersion="“ > <sp:XPath>xs:string</sp:XPath> </ sp:EncryptedElements >
Protection Assertion Example <sp:SignedParts xmlns:sp="http://...securitypolicy"> <sp:Body/> <sp:Header Name="To" Namespace="http://.../ws/2004/08/addressing"/> <sp:Header Name="From" Namespace="http://.../ws/2004/08/addressing"/> </sp:SignedParts> <sp:EncryptedParts xmlns:sp="http://...securitypolicy"> <sp:Body/> </sp:EncryptedParts>
Required Elements Assertion • This assertion is used to specify header elements that the message MUST contain. <sp:RequiredElements XPathVersion="”> <sp:XPath>…</sp:XPath> </sp:RequiredElements>
Token Assertions • Token assertions specify the type of tokens to use to protect or bind tokens and claims to the message. – UsernameToken – X. 509 – IssuedToken
Token Assertions UsernameToken • This element represents a requirement to include a UsernameToken <sp:UsernameToken sp:IncludeToken=“”> <wsp:Policy> <sp:WssUsernameToken11 ... /> </wsp:Policy> </sp:UsernameToken>
Token Assertions - IssuedToken • This element represents a requirement for an issued token, that is one issued by some token issuer. <sp:IssuedToken sp:IncludeToken=“”> <sp:Issuer>..</sp:Issuer> <sp:RequestSecurityTokenTemplate TrustVersion="" > </sp:RequestSecurityTokenTemplate> <wsp:Policy> </wsp:Policy> </sp:IssuedToken>
Token Assertions - IssuedToken • This element represents a requirement for an issued token, that is one issued by some token issuer.
Token Assertions – X.509 This element represents a requirement for a binary security token carrying an X509 token.
Token Assertions – X.509 <sp:X509Token sp:IncludeToken=""> <wsp:Policy> <sp:RequireKeyIdentifierReference /> <sp:RequireIssuerSerialReference /> <sp:RequireEmbeddedTokenReference /> <sp:RequireThumbprintReference /> <sp:WssX509V1Token10/> <sp:WssX509V3Token10 /> <sp:WssX509Pkcs7Token10 /> <sp:WssX509PkiPathV1Token10/> <sp:WssX509V1Token11/> <sp:WssX509V3Token11/> <sp:WssX509Pkcs7Token11/> <sp:WssX509PkiPathV1Token11/> </wsp:Policy> </sp:X509Token sp:IncludeToken>
Token Assertions • Token Inclusion – Never – Always – AlwaysToRecipient – Once
Token Assertions • What we didn‟t cover... – KerberosToken Assertion – SecurityContextToken Assertion – SecureConversationToken Assertion – SamlToken Assertion – HttpsToken Assertion
Security Bindings • A set of properties that together provide enough information to secure a given message exchange. • The bindings are identified primarily by the style of protection encryption used to protect the message exchange. • A binding defines the following security characteristics: • The minimum set of tokens that will be used and how they are bound to messages • Any necessary key transfer mechanisms • Any required message elements (e.g. timestamps) • The content and ordering of elements in the wsse:Security header. Elements not specified in the binding are not allowed. • How correlation of messages is performed securely (if applicable to the message pattern)
Security Binding Assertion • • • • • AlgorithmSuite Assertion Layout Assertion TransportBinding Assertion SymmetricBinding Assertion AsymmetricBinding Assertion
AlgorithmSuite • This assertion indicates a requirement for an algorithm suite <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> <sp:Basic192 /> <sp:Basic128/> <sp:TripleDes/> </wsp:Policy> </sp:AlgorithmSuite>
AlgorithmSuite
Layout This assertion indicates a requirement for a particular security header layout <sp:Layout> <wsp:Policy> </wsp:Policy> </sp:Layout>
Layout
TransportBinding • Indicates that the transport layer is used to satisfy the security requirements <sp:TransportBinding> <wsp:Policy> <sp:TransportToken> <wsp:Policy> ... </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> ... </sp:AlgorithmSuite> <sp:Layout> ... </sp:Layout> <sp:IncludeTimestamp/> </wsp:Policy> </sp:TransportBinding>
TransportBinding
SymmetricBinding • Indicates that the message layer is used to satisfy the security requirements • Defines "Encryption Token" and "Signature Token" properties • Where multiple messages are exchanged the tokens perform the same functions for all messages
SymmetricBinding
AsymmetricBinding • Indicates that the message layer is used to satisfy the security requirements • Defines “Initiator Token” and “Recipient Token” properties • The Initiator Token is used for the message signature from initiator to recipient, and encryption from recipient to initiator. • The Recipient Token is used for encryption from initiator to recipient, and for the message signature from recipient to initiator. • Where multiple messages are exchanged the tokens perform different functions
AsymmetricBinding
SupportingTokens • Services may require multiple sets of claims to be presented • Corresponds to additional tokens in a message • Supporting tokens are included in the security header and may optionally include additional message parts to sign and/or encrypt.
SupportingTokens
SupportingTokens
EncryptedSupportingTokens • Encrypted supporting tokens are supporting tokens that are included in the security header and MUST be encrypted when they appear in the security header. Element encryption SHOULD be used for encrypting these tokens. • The encrypted supporting tokens can be added to any SOAP message and do not require the “message signature” being present before the encrypted supporting tokens are added. • Introduced in WS-Security Policy 1.2
SignedSupportingTokens • Token specified under this assertion will be signed by the message signature.
SignedSupportingTokens • If transport level security is used there won’t be any signature in the message.
SignedSupportingTokens
SignedEncryptedSupportingTokens • Signed, encrypted supporting tokens are Signed supporting tokens that are also encrypted when they appear in the wsse:Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
EndorsingSupportingTokens • Endorsing tokens sign the message signature, that is they sign the entire ds:Signature element produced from the message signature and may optionally include additional message parts to sign and/or encrypt.
EndorsingSupportingTokens • When transport level security is used – there is no message signature and the signature generated by the supporting token will sign the Timestamp.
EndorsingSupportingTokens
EncryptedEndorsingSupportingTokens • Endorsing, encrypted supporting tokens are Endorsing supporting tokens that are also encrypted when they appear in the Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
SignedEndorsingSupportingTokens • Signed endorsing tokens sign the entire ds:Signature element produced from the message signature and are themselves signed by that message signature, that is both tokens (the token used for the message signature and the signed endorsing token) sign each other.
SignedEndorsingSupportingTokens • When transport level security level is used there will be no message signature and the signature generated by the supporting token will sign the Timestamp.
EncryptedSignedEndorsingSupportingTokens • Signed, endorsing, encrypted supporting tokens are signed, endorsing supporting tokens that are also encrypted when they appear in the wsse:Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
WSS Assertions • Specify supported version of WSS – sp:Wss10 – sp:Wss11 • Specify supported token reference mechanisms via boolean properties • Specify Signature Confirmation requirements for WSS 1.1
WSS10 Assertions
WSS10 Assertions
WSS11 Assertions
WSS11 Assertions
Trust Assertions • Specify supported version of WS-Trust and associated properties – sp:Trust10 <sp:Trust10> <wsp:Policy> <sp:RequireClientEntropy /> <sp:RequireServerEntropy /> </wsp:Policy> </sp:Trust10>
Trust Assertions
Associating a Policy • Define the policy within the WSDL [ in the WSDL it self or pointed to from the WSDL] • Stand alone policy which points back to the web service or services associated with it – Arbitrary Resource Attachment
Associating a Policy Arbitrary Resource Attachment <wsp:PolicyAttachment> <wsp:AppliesTo> <wsp:EndpointReference> <wsp:ServiceName Name=“”/> <wsp:PortType Name=“”/> <wsp:Address URI=“”/> </wsp:EndpointReference> </wsp:AppliesTo> <wsp:PolicyReference Ref=“..../policy.xml/> </wsp:PolicyAttachment>
Associating a Policy Define the policy within the WSDL - Policy can be attached to different locations in the WSDL, which will give different meanings. - Policy that is attached higher in the hierarchy is inherited. - If lower level element has a policy defined for it, the parent‟s attached policy will be merged with the child‟s policy.
The Main Structure of WSDL <definition namespace = “http/… “> <type> xschema types </type> <message> … </message> <port> a set of operations </port> <binding> communication protocols </binding> <service> a list of binding and ports </service> <definition>
Policy Subjects • WS-Policy Attachment defines various attachment points for policy. – Message Policy Subject – Operation Policy Subject – Endpoint Policy Subject
Message Policy Subject • • • • wsdl:message wsdl:portType/wsdl:operation/wsdl:input wsdl:portType/wsdl:operation/wsdl:output wsdl:portType/wsdl:operation/wsdl:fault
Operation Policy Subject • wsdl:portType/wsdl:operation • wsdl:binding/wsdl:operation
Endpoint Policy Subject • wsdl:portType • wsdl:binding • wsdl:port
Associating a Policy Define the policy within the WSDL <wsdl> ............. <wsp:UsingPolicy wsdl:required=“true”/> <wsdl:message name=“LookupResponse” wsp:PolicyRef=“Q1” /> ............. </wsdl>
Associating a Policy Define the policy within the WSDL <Policy Name=“Q1”> </Policy>
Associating a Policy Define the policy within the WSDL <Policy Name=“Q1”> </Policy>
Normal Form • Policy as a collection of policy alternatives • A policy alternative as a collection of assertions • Composed of a single <wsp:ExactlyOne> operator containing one or more <wsp:All> operators.
Normal Form
Nested Assertions • Nested assertions describe requirements and alternatives for the enclosing assertion elements.
Nested Policy Normalization • If an assertion in a normal form contains a nested policy, it can at most contain ONE policy alternative.
Nested Policy Normalization
Nested Policy Normalization
Compatibility • Two assertions are compatible if the QName value of one assertion matches with a Qname value of the other assertion. • Two policies are compatible if an alternative in one is compatible with an alternative in the other. If two policies are compatible, their intersection is the set of the intersections between all pairs of compatible alternatives, choosing one alternative from each policy. If two policies are not compatible, their intersection has no policy alternatives.
Policy Intersection • Useful when two or more parties express policy and want to limit the policy alternatives to those that are mutually compatible. • Intersection takes two policies and returns a policy. • There are two modes for intersection: strict and lax. How the mode is selected or indicated for the policy intersection is outside the scope of this specification.
Policy Intersection • • If the mode is strict, two policy alternatives A and B are compatible: • if each assertion in A is compatible with an assertion in B, and • if each assertion in B is compatible with an assertion in A. If the mode is lax, two policy alternatives A and B are compatible: • if each assertion in A that is not an ignorable policy assertion is compatible with an assertion in B, and • if each assertion in B that is not an ignorable policy assertion is compatible with an assertion in A.
lean . enterprise . middleware

More Related Content

PPTX
WS - Security
byPrabath Siriwardena
 
PPTX
XML Signature
byPrabath Siriwardena
 
PPTX
WS-Trust
byPrabath Siriwardena
 
PDF
Web Service Security
byPrabath Siriwardena
 
PPTX
Web Service Security
byLuqman Shareef
 
PDF
OpenOffice.org Digital Signatures, OOoCon 2004
byMalte Timmermann
 
PDF
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
Pgp security mule
bySindhu VL
 
WS - Security
byPrabath Siriwardena
 
XML Signature
byPrabath Siriwardena
 
WS-Trust
byPrabath Siriwardena
 
Web Service Security
byPrabath Siriwardena
 
Web Service Security
byLuqman Shareef
 
OpenOffice.org Digital Signatures, OOoCon 2004
byMalte Timmermann
 
Microservices Security Landscape
byPrabath Siriwardena
 
Pgp security mule
bySindhu VL
 

Viewers also liked

PPTX
XML Encryption
byPrabath Siriwardena
 
PPTX
Web Services - A brief overview
byRaveendra Bhat
 
PPTX
Web services - A Practical Approach
byMadhaiyan Muthu
 
PPTX
Web Services - Architecture and SOAP (part 1)
byMartin Necasky
 
PDF
Web Services
byKatrien Verbert
 
PDF
Web Services Tutorial
byLorna Mitchell
 
PDF
Web service introduction
bySagara Gunathunga
 
PDF
Web Services (SOAP, WSDL, UDDI)
byPeter R. Egli
 
PPT
Web Service Presentation
byguest0df6b0
 
PPTX
Webservices Overview : XML RPC, SOAP and REST
byPradeep Kumar
 
XML Encryption
byPrabath Siriwardena
 
Web Services - A brief overview
byRaveendra Bhat
 
Web services - A Practical Approach
byMadhaiyan Muthu
 
Web Services - Architecture and SOAP (part 1)
byMartin Necasky
 
Web Services
byKatrien Verbert
 
Web Services Tutorial
byLorna Mitchell
 
Web service introduction
bySagara Gunathunga
 
Web Services (SOAP, WSDL, UDDI)
byPeter R. Egli
 
Web Service Presentation
byguest0df6b0
 
Webservices Overview : XML RPC, SOAP and REST
byPradeep Kumar
 

Similar to WS - SecurityPolicy

PPT
WS-Security-Clement-Song-basic-concepts.ppt
byVinturisDiana
 
PDF
Secured SOA
byPrabath Siriwardena
 
PDF
WSO2 SOA Security
byWSO2
 
PPTX
WCF security
byOrbit One - We create coherence
 
PPTX
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
bypetarvucetin
 
PPTX
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
bypetarvucetin2
 
PPT
Pattern For Ws Security
byGianfranco Conti
 
PPT
Identity, Security and XML Web Services
byJorgen Thelin
 
PDF
Secured SOA
byWSO2
 
PPT
Web Service Security note for teaching.ppt
byfirehiwot8
 
PDF
Secure Messages with IBM WebSphere MQ Advanced Message Security
byMorag Hughson
 
PDF
WS-PolicyAttachment: Message Content Filters 1.1
bySarah Duffy
 
PPTX
Lunch Learn - WCF Security
byPaul Senatillaka
 
PDF
Security Patterns with WSO2 ESB
byWSO2
 
PPT
Websphere - About Websphere ssl part ii
byVibrant Technologies & Computers
 
PPT
Websphere - Introduction to ssl part ii
byVibrant Technologies & Computers
 
PPT
SOA Security Model For EAI
byvivekjv
 
PPTX
Parallel and distributed computing .pptx
byAmnaNadeem27
 
PDF
What is Advanced Web Servicels.pdf
byAngelicaPantaleon3
 
PDF
Summer School - Security in SOA
byWSO2
 
WS-Security-Clement-Song-basic-concepts.ppt
byVinturisDiana
 
Secured SOA
byPrabath Siriwardena
 
WSO2 SOA Security
byWSO2
 
WCF security
byOrbit One - We create coherence
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
bypetarvucetin
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
bypetarvucetin2
 
Pattern For Ws Security
byGianfranco Conti
 
Identity, Security and XML Web Services
byJorgen Thelin
 
Secured SOA
byWSO2
 
Web Service Security note for teaching.ppt
byfirehiwot8
 
Secure Messages with IBM WebSphere MQ Advanced Message Security
byMorag Hughson
 
WS-PolicyAttachment: Message Content Filters 1.1
bySarah Duffy
 
Lunch Learn - WCF Security
byPaul Senatillaka
 
Security Patterns with WSO2 ESB
byWSO2
 
Websphere - About Websphere ssl part ii
byVibrant Technologies & Computers
 
Websphere - Introduction to ssl part ii
byVibrant Technologies & Computers
 
SOA Security Model For EAI
byvivekjv
 
Parallel and distributed computing .pptx
byAmnaNadeem27
 
What is Advanced Web Servicels.pdf
byAngelicaPantaleon3
 
Summer School - Security in SOA
byWSO2
 

More from Prabath Siriwardena

PDF
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Identity is Eating the World!
byPrabath Siriwardena
 
PPTX
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PDF
GDPR for Identity Architects
byPrabath Siriwardena
 
PDF
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
PDF
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
PDF
Identity Management for Web Application Developers
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PPTX
API Security : Patterns and Practices
byPrabath Siriwardena
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
PPTX
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
PPTX
The Evolution of Internet Identity
byPrabath Siriwardena
 
PPTX
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
PPTX
Securing Insecure
byPrabath Siriwardena
 
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Identity is Eating the World!
byPrabath Siriwardena
 
Microservices Security Landscape
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
GDPR for Identity Architects
byPrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
Identity Management for Web Application Developers
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Open Standards in Identity Management
byPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
API Security : Patterns and Practices
byPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
The Evolution of Internet Identity
byPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
Securing Insecure
byPrabath Siriwardena
 

Recently uploaded

PPTX
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PDF
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PDF
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
PDF
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
PPTX
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
PDF
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PDF
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
PPTX
Renal Physiology- Juxtaglomerular Apparatus.pptx
byDisha Soriya
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PDF
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PDF
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PPTX
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
Renal Physiology- Juxtaglomerular Apparatus.pptx
byDisha Soriya
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 

WS - SecurityPolicy

  • 1.
    WS – SecurityPolicy Prabath Siriwardena Director, Security Architecture
  • 2.
    Why we needa policy ? • How come users get to know the security requirements of your web service? • Web service may need client to authenticate • Web service may need client to sign all his requests • Client may need some part of the response from the service to be encrypted • Client need the service to sign the entire response first and then encrypts
  • 3.
    WS-Policy • General frameworkfor endpoints to express requirements. • NOT just for security requirements • Requirements are expressed in terms of a „Policy‟ • WS-Policy is a set of specifications providing a generalized mechanism for describing policy in a machine readable way.
  • 4.
    WS-Policy & WSDL •WSDL focuses on function descriptions • Non-functional descriptions and QoS aspects are covered by WS-Policy • Web services clients do not have a WSDL, yet WSPolicy also applies to web services clients
  • 5.
    WS-Policy Framework • WS-Policy,defines a framework for describing policy assertions. • WS-PolicyAttachment, describes how policies are attached to resource [e.g. WSDL] • WS-PolicyAssertions, describes a common set of assertions that are applicable across different domains.
  • 6.
  • 7.
  • 8.
    WS-Policy • • • • <wsp:All> and <wsp:ExactlyOne>are commutative <wsp:All> and <wsp:ExactlyOne> are associative <wsp:All> and <wsp:ExactlyOne> are idempotent <wsp:All> and <wsp:ExactlyOne> are distributive
  • 9.
    WS-SecurityPolicy • • • • • Based on WS-Policy Variousgroups of policy assertions Expressed in WSDL Defines six policy assertions that apply to WS-Security To express security requirements of a Web service according to the WS-Policy spec – What needs to be protected – What tokens to use – Algorithms, reference types, etc..
  • 10.
    Assertion Types • • • • • • Protection assertions RequiredElements Assertion Token assertions Security Binding assertions Supporting token assertions Protocol assertions
  • 11.
    Protection Assertions • Specifywhat needs to be protected – Integrity Assertions – Confidentiality Assertions
  • 12.
    Protection Assertions -Integrity SignedParts This assertion specifies the parts of the message that need integrity protection. <sp:SignedParts ... > <sp:Body /> <sp:Header Name="" Namespace=""/> </sp:SignedParts>
  • 13.
    Protection Assertions -Integrity SignedElements This assertion is used to specify arbitrary elements in the message that require integrity protection. <sp:SignedElements XPathVersion="“ > <sp:XPath>xs:string</sp:XPath> </sp:SignedElements>
  • 14.
    Protection Assertions Confidentiality EncryptedParts Thisassertion specifies the parts of the message that need confidentiality protection. . <sp:EncryptedParts ... > <sp:Body /> <sp:Header Name="" Namespace=""/> </sp:EncryptedParts >
  • 15.
    Protection Assertions Confidentiality EncryptedElements Thisassertion is used to specify arbitrary elements in the message that require confidentiality protection. <sp:EncryptedElements XPathVersion="“ > <sp:XPath>xs:string</sp:XPath> </ sp:EncryptedElements >
  • 16.
    Protection Assertion Example <sp:SignedPartsxmlns:sp="http://...securitypolicy"> <sp:Body/> <sp:Header Name="To" Namespace="http://.../ws/2004/08/addressing"/> <sp:Header Name="From" Namespace="http://.../ws/2004/08/addressing"/> </sp:SignedParts> <sp:EncryptedParts xmlns:sp="http://...securitypolicy"> <sp:Body/> </sp:EncryptedParts>
  • 17.
    Required Elements Assertion •This assertion is used to specify header elements that the message MUST contain. <sp:RequiredElements XPathVersion="”> <sp:XPath>…</sp:XPath> </sp:RequiredElements>
  • 18.
    Token Assertions • Tokenassertions specify the type of tokens to use to protect or bind tokens and claims to the message. – UsernameToken – X. 509 – IssuedToken
  • 19.
    Token Assertions UsernameToken •This element represents a requirement to include a UsernameToken <sp:UsernameToken sp:IncludeToken=“”> <wsp:Policy> <sp:WssUsernameToken11 ... /> </wsp:Policy> </sp:UsernameToken>
  • 20.
    Token Assertions -IssuedToken • This element represents a requirement for an issued token, that is one issued by some token issuer. <sp:IssuedToken sp:IncludeToken=“”> <sp:Issuer>..</sp:Issuer> <sp:RequestSecurityTokenTemplate TrustVersion="" > </sp:RequestSecurityTokenTemplate> <wsp:Policy> </wsp:Policy> </sp:IssuedToken>
  • 21.
    Token Assertions -IssuedToken • This element represents a requirement for an issued token, that is one issued by some token issuer.
  • 22.
    Token Assertions –X.509 This element represents a requirement for a binary security token carrying an X509 token.
  • 23.
    Token Assertions –X.509 <sp:X509Token sp:IncludeToken=""> <wsp:Policy> <sp:RequireKeyIdentifierReference /> <sp:RequireIssuerSerialReference /> <sp:RequireEmbeddedTokenReference /> <sp:RequireThumbprintReference /> <sp:WssX509V1Token10/> <sp:WssX509V3Token10 /> <sp:WssX509Pkcs7Token10 /> <sp:WssX509PkiPathV1Token10/> <sp:WssX509V1Token11/> <sp:WssX509V3Token11/> <sp:WssX509Pkcs7Token11/> <sp:WssX509PkiPathV1Token11/> </wsp:Policy> </sp:X509Token sp:IncludeToken>
  • 24.
    Token Assertions • TokenInclusion – Never – Always – AlwaysToRecipient – Once
  • 25.
    Token Assertions • Whatwe didn‟t cover... – KerberosToken Assertion – SecurityContextToken Assertion – SecureConversationToken Assertion – SamlToken Assertion – HttpsToken Assertion
  • 26.
    Security Bindings • Aset of properties that together provide enough information to secure a given message exchange. • The bindings are identified primarily by the style of protection encryption used to protect the message exchange. • A binding defines the following security characteristics: • The minimum set of tokens that will be used and how they are bound to messages • Any necessary key transfer mechanisms • Any required message elements (e.g. timestamps) • The content and ordering of elements in the wsse:Security header. Elements not specified in the binding are not allowed. • How correlation of messages is performed securely (if applicable to the message pattern)
  • 27.
    Security Binding Assertion • • • • • AlgorithmSuiteAssertion Layout Assertion TransportBinding Assertion SymmetricBinding Assertion AsymmetricBinding Assertion
  • 28.
    AlgorithmSuite • This assertionindicates a requirement for an algorithm suite <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> <sp:Basic192 /> <sp:Basic128/> <sp:TripleDes/> </wsp:Policy> </sp:AlgorithmSuite>
  • 29.
  • 30.
    Layout This assertion indicatesa requirement for a particular security header layout <sp:Layout> <wsp:Policy> </wsp:Policy> </sp:Layout>
  • 31.
  • 32.
    TransportBinding • Indicates thatthe transport layer is used to satisfy the security requirements <sp:TransportBinding> <wsp:Policy> <sp:TransportToken> <wsp:Policy> ... </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> ... </sp:AlgorithmSuite> <sp:Layout> ... </sp:Layout> <sp:IncludeTimestamp/> </wsp:Policy> </sp:TransportBinding>
  • 33.
  • 34.
    SymmetricBinding • Indicates thatthe message layer is used to satisfy the security requirements • Defines "Encryption Token" and "Signature Token" properties • Where multiple messages are exchanged the tokens perform the same functions for all messages
  • 35.
  • 36.
    AsymmetricBinding • Indicates thatthe message layer is used to satisfy the security requirements • Defines “Initiator Token” and “Recipient Token” properties • The Initiator Token is used for the message signature from initiator to recipient, and encryption from recipient to initiator. • The Recipient Token is used for encryption from initiator to recipient, and for the message signature from recipient to initiator. • Where multiple messages are exchanged the tokens perform different functions
  • 37.
  • 38.
    SupportingTokens • Services mayrequire multiple sets of claims to be presented • Corresponds to additional tokens in a message • Supporting tokens are included in the security header and may optionally include additional message parts to sign and/or encrypt.
  • 39.
  • 40.
  • 41.
    EncryptedSupportingTokens • Encrypted supportingtokens are supporting tokens that are included in the security header and MUST be encrypted when they appear in the security header. Element encryption SHOULD be used for encrypting these tokens. • The encrypted supporting tokens can be added to any SOAP message and do not require the “message signature” being present before the encrypted supporting tokens are added. • Introduced in WS-Security Policy 1.2
  • 42.
    SignedSupportingTokens • Token specifiedunder this assertion will be signed by the message signature.
  • 43.
    SignedSupportingTokens • If transportlevel security is used there won’t be any signature in the message.
  • 44.
  • 45.
    SignedEncryptedSupportingTokens • Signed, encryptedsupporting tokens are Signed supporting tokens that are also encrypted when they appear in the wsse:Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
  • 46.
    EndorsingSupportingTokens • Endorsing tokenssign the message signature, that is they sign the entire ds:Signature element produced from the message signature and may optionally include additional message parts to sign and/or encrypt.
  • 47.
    EndorsingSupportingTokens • When transportlevel security is used – there is no message signature and the signature generated by the supporting token will sign the Timestamp.
  • 48.
  • 49.
    EncryptedEndorsingSupportingTokens • Endorsing, encryptedsupporting tokens are Endorsing supporting tokens that are also encrypted when they appear in the Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
  • 50.
    SignedEndorsingSupportingTokens • Signed endorsing tokenssign the entire ds:Signature element produced from the message signature and are themselves signed by that message signature, that is both tokens (the token used for the message signature and the signed endorsing token) sign each other.
  • 51.
    SignedEndorsingSupportingTokens • When transport levelsecurity level is used there will be no message signature and the signature generated by the supporting token will sign the Timestamp.
  • 52.
    EncryptedSignedEndorsingSupportingTokens • Signed, endorsing,encrypted supporting tokens are signed, endorsing supporting tokens that are also encrypted when they appear in the wsse:Security header. Element Encryption SHOULD be used for encrypting the supporting tokens. • Introduced in WS-Security Policy 1.2
  • 53.
    WSS Assertions • Specifysupported version of WSS – sp:Wss10 – sp:Wss11 • Specify supported token reference mechanisms via boolean properties • Specify Signature Confirmation requirements for WSS 1.1
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
    Trust Assertions • Specifysupported version of WS-Trust and associated properties – sp:Trust10 <sp:Trust10> <wsp:Policy> <sp:RequireClientEntropy /> <sp:RequireServerEntropy /> </wsp:Policy> </sp:Trust10>
  • 59.
  • 60.
    Associating a Policy •Define the policy within the WSDL [ in the WSDL it self or pointed to from the WSDL] • Stand alone policy which points back to the web service or services associated with it – Arbitrary Resource Attachment
  • 61.
    Associating a Policy ArbitraryResource Attachment <wsp:PolicyAttachment> <wsp:AppliesTo> <wsp:EndpointReference> <wsp:ServiceName Name=“”/> <wsp:PortType Name=“”/> <wsp:Address URI=“”/> </wsp:EndpointReference> </wsp:AppliesTo> <wsp:PolicyReference Ref=“..../policy.xml/> </wsp:PolicyAttachment>
  • 62.
    Associating a Policy Definethe policy within the WSDL - Policy can be attached to different locations in the WSDL, which will give different meanings. - Policy that is attached higher in the hierarchy is inherited. - If lower level element has a policy defined for it, the parent‟s attached policy will be merged with the child‟s policy.
  • 63.
    The Main Structureof WSDL <definition namespace = “http/… “> <type> xschema types </type> <message> … </message> <port> a set of operations </port> <binding> communication protocols </binding> <service> a list of binding and ports </service> <definition>
  • 64.
    Policy Subjects • WS-PolicyAttachment defines various attachment points for policy. – Message Policy Subject – Operation Policy Subject – Endpoint Policy Subject
  • 65.
  • 66.
    Operation Policy Subject •wsdl:portType/wsdl:operation • wsdl:binding/wsdl:operation
  • 67.
    Endpoint Policy Subject •wsdl:portType • wsdl:binding • wsdl:port
  • 68.
    Associating a Policy Definethe policy within the WSDL <wsdl> ............. <wsp:UsingPolicy wsdl:required=“true”/> <wsdl:message name=“LookupResponse” wsp:PolicyRef=“Q1” /> ............. </wsdl>
  • 69.
    Associating a Policy Definethe policy within the WSDL <Policy Name=“Q1”> </Policy>
  • 70.
    Associating a Policy Definethe policy within the WSDL <Policy Name=“Q1”> </Policy>
  • 71.
    Normal Form • Policyas a collection of policy alternatives • A policy alternative as a collection of assertions • Composed of a single <wsp:ExactlyOne> operator containing one or more <wsp:All> operators.
  • 72.
  • 73.
    Nested Assertions • Nestedassertions describe requirements and alternatives for the enclosing assertion elements.
  • 74.
    Nested Policy Normalization •If an assertion in a normal form contains a nested policy, it can at most contain ONE policy alternative.
  • 75.
  • 76.
  • 77.
    Compatibility • Two assertionsare compatible if the QName value of one assertion matches with a Qname value of the other assertion. • Two policies are compatible if an alternative in one is compatible with an alternative in the other. If two policies are compatible, their intersection is the set of the intersections between all pairs of compatible alternatives, choosing one alternative from each policy. If two policies are not compatible, their intersection has no policy alternatives.
  • 78.
    Policy Intersection • Usefulwhen two or more parties express policy and want to limit the policy alternatives to those that are mutually compatible. • Intersection takes two policies and returns a policy. • There are two modes for intersection: strict and lax. How the mode is selected or indicated for the policy intersection is outside the scope of this specification.
  • 79.
    Policy Intersection • • If themode is strict, two policy alternatives A and B are compatible: • if each assertion in A is compatible with an assertion in B, and • if each assertion in B is compatible with an assertion in A. If the mode is lax, two policy alternatives A and B are compatible: • if each assertion in A that is not an ignorable policy assertion is compatible with an assertion in B, and • if each assertion in B that is not an ignorable policy assertion is compatible with an assertion in A.
  • 83.
    lean . enterprise. middleware