Web Services Security
Web Services
Brief Overview & Security
Assertion Coordinator Pattern
by
Mohammad Abushadi & Riaz Ahmed
for
Security Group
CSE - FAU
Tuesday, June 10, 2003
Agenda
• Overview
• W3C definition
• Standards used
• Tools
• Architecture
• Security Assertion Coordinator Pattern
Definition
Software system identified by a URI (Uniform Resource
Identifier) whose public interfaces and bindings are
defined and described using XML. Its definition can be
discovered by other software systems. These systems
may then interact with the Web service in a manner
prescribed by its definition, using XML based
messages conveyed by Internet protocols. [W3C-1]
Example
Orbitarium Web Service: a web service for retrieving the
astronomical positions of the Sun, Moon, and planets of the
Solar System at the current time, or at any past, present or
future date. The service is free for the public. [Orbit-1]
Note: The service is up and running and freely available
to the public.
Standards
• UDDI: Universal Description, Discovery and Integration. Acts like the
yellow pages for Web Services: it holds service information and can be
public/global or private/local. [Uddi-1]
• WSDL: Web Services Description Language. XML based; holds information
such as the web service interfaces and access protocols. Similar to IDL.
• SOAP: Simple Object Access Protocol. XML based. Uses HTTP as the means
of transfer, which makes it easy to work with firewalls since most
firewalls allow HTTP.
• SAML: Security Assertion Markup Language. Uses assertions. Three types
of assertion: authentication, attribute and authorization. Used on top
of SOAP.
Tools
Two families: Microsoft based or Java based.
• MS .NET Studio
• Sun One Studio
• IBM WebSphere
• BEA WebLogic
• and many more…
Simple Architecture
(Diagram: Client, HTTP Server, Web Service, Service DB, URI/URL, UDDI Directory, WSDL)
Role-based Security Assertion
Coordinator Pattern
(by: Dr. Ed Fernandez, Mohammad Abushadi, Riaz Ahmed)
Intent:
Seamless exchange of security data in a distributed environment while
maintaining role-based access controls to resources in organizations.
Context:
A distributed environment including heterogeneous systems and web services.
Problem:
• Current systems lack feasible solutions to the problem of providing precise access
control to resources, often requiring custom-built approaches that may not be easy
to upgrade or modify.
• The growth of the number of networked business partners and their processes
requires a means to exchange security information in a standardized format that is,
at the same time, flexible to change.
• Costs are involved in custom integration processes, where time becomes crucial in
achieving a quicker time-to-market competitive advantage. Costs include
developer cost and development time.
• The security of the shared data becomes another concern.
Consistency of data exchange has to be assured.
• Interoperability of systems across various implementation
platforms stands as a significant obstacle.
• Adding a new layer of security verification policies often proves
tedious and costly in the current systems.
Problem:
• Distributed systems are in great need of integrating their inner processes that
share commonly used data. Exchange of security related data in particular
poses an important problem when interoperability is a concern.
Organizations must be able to easily add new security layers across the
distributed environment with few changes.
• Distributed environments must not resort to expensive global custom code
changes in order to reflect new changes in security policies or data structure.
• Organizations in the distributed environment must have the ability to quickly
achieve higher, more refined levels of security data control for better adherence
to the continuously changing nature of organizational business rules.
• Each online destination site often has its own custom-made authentication
system.
Solution:
Exchange security information using a standard. In particular,
manage security data in the form of XML-based SAML assertions
using the SOAP protocol over HTTP.
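As an added example (not from the slides and not the authors' code), here is a minimal coordinator for the SAML bullet under Standards and the Solution above: it receives a SOAP envelope carrying a SAML 1.0 assertion, accepts it only from a trusted issuer and only within its validity window, takes the subject's roles from the attribute statement, and makes a role-based access decision for the requested operation. The envelope, issuer name, policy table and operation names are constructed assumptions.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample: a partner's SOAP request carrying a SAML 1.0 assertion in its Header.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <soap:Header>
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="a1" Issuer="idp.example.org"
    IssueInstant="2003-06-10T12:00:00Z">
   <saml:Conditions NotBefore="2003-06-10T12:00:00Z" NotOnOrAfter="2003-06-10T12:05:00Z"/>
   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
     AuthenticationInstant="2003-06-10T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
   </saml:AuthenticationStatement>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
     <saml:AttributeValue>clerk</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </soap:Header>
 <soap:Body><GetOrders xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

TRUSTED_ISSUERS = {"idp.example.org"}  # assumed: issuers whose assertions the coordinator accepts
POLICY = {"GetOrders": {"clerk", "manager"}, "ApproveOrder": {"manager"}}  # assumed role policy

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def coordinate(envelope_xml, now_utc):
    # Deny-by-default decision for the SOAP Body operation; returns (decision, subject, roles).
    # Production: use a hardened XML parser and verify the assertion's XML signature first, else roles can be forged.
    root = ET.fromstring(envelope_xml)
    assertion = root.find(f"{SOAP}Header/{SAML}Assertion")
    if assertion is None or assertion.get("Issuer") not in TRUSTED_ISSUERS:
        return "Deny", None, set()
    cond = assertion.find(f"{SAML}Conditions")
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return "Deny", None, set()  # refuse unbounded assertions
    if not _ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter")):
        return "Deny", None, set()  # expired or not yet valid
    subject = assertion.findtext(f"{SAML}AuthenticationStatement/{SAML}Subject/{SAML}NameIdentifier")
    roles = {v.text for v in assertion.iterfind(
        f"{SAML}AttributeStatement/{SAML}Attribute[@AttributeName='role']/{SAML}AttributeValue")}
    op = root.find(f"{SOAP}Body/*").tag.split("}")[-1]  # local name of the requested operation
    decision = "Permit" if roles & POLICY.get(op, set()) else "Deny"
    return decision, subject, roles
```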
Consequences:
• Benefits:
• Centralized data exchange
• Standardized approach
• Role-based access
• Extensibility
• Liabilities:
• Complex to implement
• Computationally expensive
Variants:
1. Single Sign On
2. Back Office Transactions
Credits
• [W3C-1] http://www.w3.org/TR/2003/WD-ws-gloss-20030514/
• [Orbit-1] http://www.orbitarium.com/
• [Uddi-1] http://www.uddi.org
• [Prfct] http://www.perfectxml.com/articles/xml/interop.asp