WSO2 provides an open source cloud platform that removes barriers to enterprise agility and lets organizations focus on business logic and business value. This document discusses governance and security patterns for service-oriented architectures. It covers why SOA is used, what governance is, and security requirements and their solution patterns. The security patterns cover identifying and authenticating users, authorizing access, and using protocols such as OAuth for delegation. The document gives examples and implementations of patterns for requirements such as role-based access control, claim-based authorization, and constrained delegation.
2. About WSO2
• Providing the only complete open source componentized cloud platform
• Dedicated to removing all the stumbling blocks to enterprise agility
• Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
• Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
• Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
• 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
4. Agenda
• Introduction to Patterns
• Why Service Oriented Architecture?
• What is Governance?
• Governance Business Problems and Patterns
• Need for Security in SOA
• Security Requirements and Solution Patterns
5. Why SOA?
• Expose legacy system components as services
• Loose Coupling
• Interoperability
• Flexibility
• Business Process Composition
6. A Pattern
A generic solution for a common recurring problem:
• Used it before
• Error proof
• Catalog to pick one
Image Source: http://www.forbes.com/fdc/welcome_mjx.shtml
7. What is Governance?
Managing the three Ps of Governance:
• People: roles & responsibilities
• Process: design, execution and monitoring
• Policy: definition and enforcement
Image Source: http://www.governanceinnovation.org/?pageID=whatis
8. Business Scenario
An organization has metadata related to different data types. They need to capture relationships such as associations and dependencies.
9. Pattern
• Model custom data types in a data repository
• Artifact governance
12. Business Scenario
An artifact is deployed across different environments: Dev, QA, Prod. This artifact references some external resources, and the referenced resource needs to change for each environment.
14. Why Runtime Governance
- Manage service quality
- Manage business transactions
- Monitor and analyze transaction data
- Create dashboards and reports
15. Business Scenario
An online travel reservation application allows users to create, edit and cancel bookings.
- If there are >5 cancellations within 24 hours from a single user, send a notification to administrators
- Create dashboards and reports for MI purposes
16. Solution Pattern
- Real-time event monitoring and notifications
- Data analysis and presentation
19. Why Security in SOA?
• Business assets are exposed to the outside as services to be discovered
• Should facilitate interoperability and flexibility
20. Security Requirements
After identifying the need for security in SOA, determine the security requirements. Security requirements can fall under many categories. A few examples:
• Identification and Authentication
• Authorization
21. Identification and Authentication
Image Source - http://www.mikeeckman.com/2013/02/how-much-do-you-think-about-privacy-on-the-internet/
22. Identification and Authentication Requirements
• Services need to identify and verify the claimed identity of internal users of the organization.
• Services need to identify and verify the claimed identity of external users from external organizations.
• Facilitate communication between clients and services that use different authentication mechanisms.
• Avoid passing user credentials to backend services and prevent users from bypassing security processing.
23. Identification and Authentication Requirements
Requirement - Identify and verify the claimed identity of internal users of the organization.
Authentication Pattern: Direct Authentication
• Authenticating users with credentials stored internally.
• Credentials can be:
  - Username/password
  - Username token
  - X.509 certificates
27. Identification and Authentication Requirements
Requirement - Identify and verify the claimed identity of external users from external organizations.
Authentication Pattern: Brokered Authentication
• Authenticating users outside the organization boundary.
• Trusting a token issued by a trusted party in the partner organization.
• Brokered authentication based on WS-Trust with SAML.
29. Identification and Authentication Requirements
Requirement - Facilitate communication between clients and services that use different authentication mechanisms.
Resource Access Pattern: Protocol Transition
• The ESB authenticates clients with the authentication mechanism that they understand, e.g. Username Token.
• It transforms the credentials into the form that the service understands, e.g. Basic Auth.
31. Identification and Authentication Requirements
Requirement - Avoid passing user credentials to the backend service and prevent users from bypassing security processing.
Resource Access Pattern: Trusted Subsystem
• The user authenticates to the ESB with his/her credentials.
• The backend service trusts the ESB.
• The ESB accesses the backend service on behalf of the authenticated user.
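Protocol Transition (slide 29) and Trusted Subsystem (slide 31) worked through end to end: the client presents a WS-Security UsernameToken with a PasswordDigest, the ESB verifies it against its own user store, and the backend sees only the ESB's Basic Auth service account plus an asserted user identity. This is an added example in Python, not WSO2 ESB code; the user store, the service account and the X-Authenticated-User header name are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed for this example: user store and the ESB's own service account.
USER_STORE = {"alice": "correct horse battery staple"}
ESB_SERVICE_ACCOUNT = ("esb", "esb-service-secret")
SEEN_NONCES = set()  # replay protection: each UsernameToken nonce is accepted once

def make_username_token(user, password):
    """Client side: WS-Security UsernameToken, PasswordDigest = Base64(SHA-1(nonce+created+password))."""
    nonce = secrets.token_bytes(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": user, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}

def esb_authenticate(token, store=USER_STORE):
    """ESB side: recompute the digest from the stored password and compare in constant time."""
    password = store.get(token["Username"])
    if password is None or token["Nonce"] in SEEN_NONCES:
        return False
    nonce = base64.b64decode(token["Nonce"])
    expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
    if not hmac.compare_digest(expected, base64.b64decode(token["PasswordDigest"])):
        return False
    SEEN_NONCES.add(token["Nonce"])
    return True

def esb_to_backend(token):
    """Protocol transition + trusted subsystem: the user's credential stops at the ESB,
    which calls the backend with its own Basic Auth account and asserts the user's identity
    (X-Authenticated-User is a hypothetical header name chosen for this example)."""
    if not esb_authenticate(token):
        raise PermissionError("authentication failed at the ESB")
    basic = base64.b64encode(":".join(ESB_SERVICE_ACCOUNT).encode()).decode()
    return {"Authorization": f"Basic {basic}", "X-Authenticated-User": token["Username"]}

def backend_handle(headers):
    """Backend side: trusts only the ESB service account, then acts as the asserted user."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    creds = base64.b64decode(b64).decode().split(":", 1) if scheme == "Basic" else []
    if len(creds) != 2 or creds[0] != ESB_SERVICE_ACCOUNT[0] \
            or not hmac.compare_digest(creds[1], ESB_SERVICE_ACCOUNT[1]):
        raise PermissionError("backend accepts calls only from the trusted ESB")
    return headers["X-Authenticated-User"]
```

The backend never learns alice's password, and a client that tries to reach the backend directly with her credentials is refused because only the ESB account is trusted there.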
32. User Credentials Submitted to Service + Bypassing Security Processing
Image Source - http://www.toolsjournal.com/integrations-articles/item/274-direct-and-brokered-authentication
35. Authorization Requirements
• Control access based on the privileges of the users
• Control access based on the user's claims, in a fine-grained manner
• Delegated access
36. Authorization
Requirement - Control access based on the privileges of the users.
e.g. Users in role ‘Teacher’ can update students’ reports, while users in role ‘Temporary Teacher’ can only view reports.
Authorization Pattern: Role Based Access Control
• Assign users to roles.
• Grant privileges to roles.
• This is a coarse-grained authorization model.
38. Authorization
Requirement - Control access based on the user's claims, in a fine-grained manner.
e.g. Reports of Art students can only be accessed by Teachers with the job title “Art Teacher”.
Authorization Pattern: Claim Based Authorization
• Provides fine-grained authorization
• Policy-based access control with XACML provides flexibility
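The two authorization examples from slides 36 and 38 as one policy decision point: the coarse-grained role check (Teacher may update, Temporary Teacher may only view) runs first, then a fine-grained claim rule (Art students' reports require the job title "Art Teacher") is applied in the deny-overrides style of an XACML policy. This is an added Python example, not WSO2 or XACML engine code; the user and report records are constructed.

```python
# Constructed users and report records; only the role names, the "Art Teacher" job
# title and the Art-student rule come from the slides.
USERS = {
    "mrs_jones": {"roles": {"Teacher"}, "job_title": "Art Teacher"},
    "mr_smith":  {"roles": {"Teacher"}, "job_title": "Math Teacher"},
    "ms_temp":   {"roles": {"Temporary Teacher"}, "job_title": "Art Teacher"},
}
REPORTS = {"report-101": {"student_dept": "Art"}, "report-202": {"student_dept": "Math"}}

# Coarse-grained RBAC (slide 36): privileges are granted to roles, users are assigned to roles.
ROLE_PRIVILEGES = {"Teacher": {"view", "update"}, "Temporary Teacher": {"view"}}

def rbac_permits(user, action):
    """True if any of the user's roles carries the requested privilege."""
    return any(action in ROLE_PRIVILEGES.get(role, set()) for role in USERS[user]["roles"])

# Fine-grained claim rules (slide 38), each a condition over subject and resource
# attributes in the spirit of an XACML rule; every rule must hold or the request is denied.
def art_reports_need_art_teacher(subject, resource):
    return resource["student_dept"] != "Art" or subject["job_title"] == "Art Teacher"

CLAIM_RULES = [art_reports_need_art_teacher]

def decide(user, action, report_id):
    """Policy decision: RBAC gate first, then deny-overrides across the claim rules."""
    if not rbac_permits(user, action):
        return "Deny"
    subject, resource = USERS[user], REPORTS[report_id]
    return "Permit" if all(rule(subject, resource) for rule in CLAIM_RULES) else "Deny"
```

Note how RBAC alone would let the Math teacher read an Art student's report; the claim rule is what narrows the decision.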
40. Authorization
Requirement - Delegated access.
e.g. An application on a teacher's mobile device needs to retrieve the day's timetable from his account in the school's information system.
Authorization Pattern: Constrained Delegation
• Using OAuth
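What "constrained" means in the mobile timetable scenario above: the teacher's app receives a token limited to a read-only timetable scope and a lifetime, so the school system acts for the teacher only within that grant. This is an added Python example, not WSO2 Identity Server code; the HMAC-signed token format is a simplified stand-in for a real OAuth access token, and the key, scope names and client id are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the authorization server and the resource server in this toy
# setup; the token format below is a simplified stand-in for a real OAuth access token.
AS_KEY = b"constructed-authorization-server-key"

def issue_token(user, client_id, scopes, ttl=3600, now=None):
    """Authorization server: the teacher consents to the app receiving only these scopes,
    valid for a limited time, instead of handing the app his password."""
    now = time.time() if now is None else now
    claims = {"sub": user, "client_id": client_id, "scope": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Returns the claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return claims if claims["exp"] > now else None

def resource_server(token, required_scope, now=None):
    """School information system: serves the request only within the delegated scope."""
    claims = verify_token(token, now)
    if claims is None:
        return (401, "invalid or expired token")
    if required_scope not in claims["scope"]:
        return (403, f"scope '{required_scope}' was not delegated to {claims['client_id']}")
    return (200, f"acting for {claims['sub']} via {claims['client_id']}")
```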
43. Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success