SOA Security

Dr. Yuhong Yan
Content

• Security Issues overview
• Security for SOA




Reference: R. Kanneganti and P. Chodavarapu, “SOA Security”, Manning, 2008
Security Issues Overview

•   Authentication
•   Authorization
•   Data confidentiality
•   Data integrity and nonrepudiation
•   Protection against attacks
•   Privacy protection
New Security Approaches for SOA

• Besides the following issues
   – Authentication
   – Authorization
   – Data confidentiality
   – Data integrity and nonrepudiation
   – Protection against attacks
   – Privacy protection
• SOA has three new security approaches
   – Message-level security
   – Security as a service
   – Policy-driven security
Authentication
Verifying the identity of users

Evidence type    Description                                Example
What you know    The secret you and the system share        Username-password; challenge questions
What you have    Something that the system knows you have   Hardware tokens; the number on an RSA token
What you are     Biometric evidence                         Fingerprint; retina scan
Traditional Authentication Strategy

• The application is responsible for examining the
  evidence and validating it
   – A directory server that records all the user-
     password pairs
   – An algorithm that matches the number
     presented by the user and the number that is
     used on the RSA token
Authentication Strategy in SOA

#  Description                                          Strategies
1  Service is invoked by a client in the same company   Authenticate against the corporate directory
2  Service is invoked by another service in the same    Authentication is carried out by the calling service;
   company                                              the called service re-authenticates against the
                                                        corporate directory
3  Service is invoked by a partner’s app                Rely on the partner app’s assertion of user identity
Authorization
Determine whether the identified user is authorized to access the functionality

• Another name: access control
• Compare authentication and authorization
   – Authentication: your photo ID
   – Authorization: are you allowed to buy a drink?
Traditional Authorization Strategy

• The application is responsible for authorization,
  some information used is in a directory server or
  a configuration repository
   – Access control models
      • Role-based Access Control
      • Access Control List (rules)
Authorization Strategy in SOA

• The composite app cannot hard-code the authorization function
• The individual services in the composite app have to do this
Data Confidentiality
    Data exchanged over a network needs to be safeguarded

• Traditional strategy to ensure data confidentiality
   – Encryption
   – Establish a secure channel
      • Secure Sockets Layer (SSL)/Transport Layer
        Security (TLS)
Data Confidentiality Protection Strategy in SOA

• Encryption
• Establish a secure channel
   – SSL/TLS
• Different recipients process different parts of the message

[Figure: one message with two parts, “My order” and “My acct info”; the order part is addressed to ACME, the account info part is addressed to the bank]
Data Integrity and Nonrepudiation
    Verify that the message received is what the sender sent; the sender should not be able to deny having sent a message

• SSL/TLS also helps in verifying the integrity and
  ensuring nonrepudiation
• SSL/TLS can be used for SOAP transport
   – Blanket encryption
• We can have selective encryption also
Protection Against Attacks

• Vulnerabilities in application code
   – SQL code
• Vulnerabilities introduced by poor administrative
  practices
   – The default password
• Vulnerabilities inherent in computing/network infrastructure
   – TCP/IP
Traditional Strategy for Protection Against
Attacks

•   Use firewalls
•   Run applications within sandboxes
•   Carefully audit application code
•   Use intrusion detection systems
Strategy for Protection against Attacks in
SOA

• Vulnerable to denial of service (DoS) attacks
• No further discussion in this course
Privacy Protection
    Avoid leakage of users’ private information

• Flaws in access control rules
   – Who can access sensitive data
• Vulnerabilities exploited by attackers
   – Inject SQL that queries sensitive data
Strategy for Privacy Protection

• Enhance security
   – Remove the vulnerabilities
• Hold back real identities
• Protect the patterns that are associated with sensitive data
• No more discussion in this course
Extending SOAP with Headers for Security
Inside SOAP
SOAP message

  Envelope (required)

     Header (optional)
        Header Entry1
        …
        Header Entry n


     Body (required)
        Fault (optional)
Header

• For authentication, transaction management, authorization, and routing
• Standard extensions
• Customized extensions
Standard header entry attributes

• Who should deal with the header entry?
  – actor attribute: e.g. a URI
  – The chained nodes: intermediaries
• What do we do with the header entry?
  – mustUnderstand attribute: true/false
  – Forces the recipient to process the element; if it is not understood, return a fault
• How do we parse the data in the header entry?
  – encodingStyle attribute: e.g. XML Schema
An Example for Header

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <ns1:PaymentAccount xmlns:ns1="urn:ecerami"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
        SOAP-ENV:mustUnderstand="1"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      orsenigo473
    </ns1:PaymentAccount>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    …
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Fault

• faultCode
   – SOAP-ENV:VersionMismatch
   – SOAP-ENV:MustUnderstand
   – SOAP-ENV:Client (non existing methods)
   – SOAP-ENV:Server (not able to access DB)
• faultString
• faultActor
• detail: information about the fault
Fault

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema">
    <SOAP-ENV:Body>
         <SOAP-ENV:Fault>
              <faultcode xsi:type="xsd:string">SOAP-ENV:Client</faultcode>
              <faultstring xsi:type="xsd:string">
                  Failed to locate method (ValidateCreditCard) in class
                  (examplesCreditCard) at /usr/local/ActivePerl-5.6/lib/
                  site_perl/5.6.0/SOAP/Lite.pm line 1555.
              </faultstring>
         </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
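As an added example (not from the slides), the actor and mustUnderstand rules from the header-attribute slide and the Fault structure shown above, worked in Python: a node on the message path decides which header entries are addressed to it and answers with a SOAP-ENV:MustUnderstand fault when a mandatory entry is beyond it. The role URIs, the trace header and the sample message are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ENV = "{%s}" % SOAP_ENV
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

def build_fault(code, text, actor_uri=None):
    """SOAP 1.1 Fault envelope: faultcode / faultstring / faultactor, as on the Fault slide."""
    ET.register_namespace("SOAP-ENV", SOAP_ENV)
    env = ET.Element(ENV + "Envelope")
    fault = ET.SubElement(ET.SubElement(env, ENV + "Body"), ENV + "Fault")
    ET.SubElement(fault, "faultcode").text = code
    ET.SubElement(fault, "faultstring").text = text
    if actor_uri:
        ET.SubElement(fault, "faultactor").text = actor_uri
    return ET.tostring(env, encoding="unicode")

def process_header(envelope_xml, my_role, is_ultimate, understood):
    """Apply the actor / mustUnderstand rules for one node on the path.
    Returns ("ok", [tags handled]) or ("fault", fault_envelope_xml)."""
    root = ET.fromstring(envelope_xml)
    header = root.find(ENV + "Header")
    handled = []
    for entry in (list(header) if header is not None else []):
        actor = entry.get(ENV + "actor")
        # No actor: for the ultimate receiver. 'next': for whichever node touches it
        # first, i.e. this one. Our role URI: addressed to us. Anything else: forward it.
        for_me = is_ultimate if actor is None else actor in (ACTOR_NEXT, my_role)
        if not for_me:
            continue
        mandatory = entry.get(ENV + "mustUnderstand", "0") in ("1", "true")
        if entry.tag in understood:
            handled.append(entry.tag)
        elif mandatory:
            # Forced to process an entry we cannot: fault instead of carrying on.
            return "fault", build_fault("SOAP-ENV:MustUnderstand",
                                        "Header entry %s not understood" % entry.tag, my_role)
        # Not understood and not mandatory: ignored.
    return "ok", handled

# Constructed sample: the PaymentAccount entry of the slide (for 'next', mandatory)
# plus a trace entry addressed to one specific audit intermediary (hypothetical role).
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <ns1:PaymentAccount xmlns:ns1="urn:ecerami" SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
        SOAP-ENV:mustUnderstand="1">orsenigo473</ns1:PaymentAccount>
    <ns2:Trace xmlns:ns2="urn:example:trace" SOAP-ENV:actor="urn:example:audit-node"
        SOAP-ENV:mustUnderstand="1">trace-42</ns2:Trace>
  </SOAP-ENV:Header><SOAP-ENV:Body/></SOAP-ENV:Envelope>"""
```

Call `process_header(SAMPLE, "urn:example:audit-node", False, {"{urn:ecerami}PaymentAccount"})` to see the audit node fault on the Trace entry it does not understand; a forwarding node would additionally strip the entries it handled before relaying the message, which is omitted here.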
                                 P55. xml part (for faults)
WS-Security: Standard Extension for Security
Security Header: security claims

•   “My name is X.”
•   “X is authorized to access this resource.”
•   “This message is signed by X.”
•   “This message is encrypted using X’s public
    key.”
An Example for Security Header

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>
          <xenc:EncryptedData> … </xenc:EncryptedData>
        </wsse:Username>
        <wsse:Password>
          <xenc:EncryptedData> … </xenc:EncryptedData>
        </wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    …
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Fault Code

Code                      Description
UnsupportedSecurityToken  An unsupported security token was provided.
UnsupportedAlgorithm      An unsupported signature or encryption algorithm was used.
InvalidSecurity           An error was discovered while processing the security header.
InvalidSecurityToken      An invalid security token was provided.
FailedAuthentication      The security token could not be authenticated or authorized.
FailedCheck               The signature or decryption is invalid.
SecurityTokenUnavailable  The referenced security token could not be retrieved.
Programming on security headers

• The handler pattern in JAX-RPC
   – Compose the elements in headers

• The chained handlers
   – Axis Web service deployment descriptor (.wsdd)
Intermediaries and WS-Addressing

source  -->  interm1  -->  interm2  -->  dest

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <!-- WS-Addressing: where the message goes and what it asks for -->
    <wsa:To xmlns:wsa="…/ws/2004/08/addressing">
      http://localhost:8080/axis/services/example6
    </wsa:To>
    <wsa:Action xmlns:wsa="…/ws/2004/08/addressing">…</wsa:Action>
    <!-- WS-Security: the actor attribute targets the header at one intermediary -->
    <wsse:Security xmlns:wsse="…" SOAP-ENV:actor="…">
      …
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    …
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>