IBM Software
Web Services Security
Theory & Practice
Mike Edwards & Hedley Proctor
IBM Hursley Park
Agenda
• Web Services Security Specifications
• WS-I Security Profile
• Web Services Security in WebSphere
• Links and References
• Demonstration of Secure Interoperable Web Services: .NET client to WebSphere Server
Web Services Security Specifications
Web Services Security: Road Map

WS-Security family, layered on the SOAP foundation:
  WS-Secure Conversation | WS-Federation | WS-Authorization
  WS-Policy | WS-Trust | WS-Privacy
  WS-Security
  SOAP Foundation

WS-Security describes extensions for digital signature, encryption and security tokens as the foundation for other security specifications.

WS-Security was submitted to an OASIS technical committee in September 2002. It became a 1.0 specification on Apr 6 2004.
WS-Security - Objectives

WS-Security is a message level standard that defines how to secure SOAP messages
Offers better performance than transport level security

Applying security to Web Services:
  WS-Security: SOAP message level security
    • Authorization: username / password
    • Confidentiality: message encryption
    • Integrity: security token
  SSL: transport level security
WS-Security: Components

WS-Security is a message level standard that defines how to secure SOAP messages, using:
XML Digital Signature:
• Digitally signs the SOAP XML document, providing integrity, authenticity and signer authentication – JSR 105 addresses this programmatically
XML Encryption:
• Process for encrypting data and representing the result in XML, providing confidentiality – JSR 106 addresses this programmatically
XML Canonicalization:
• Provides a normalized XML document that can be digitally signed and verified
Credential propagation through security tokens
Applies to SOAP/HTTP and SOAP/JMS
WS-Security Security Tokens

WS-Security supports the following types of security tokens that can be passed in the SOAP message
BasicAuth
• Generates <wsse:UsernameToken> with <wsse:Username> and <wsse:Password>
Signature:
• Non-XML format security tokens, like X.509 certificates and Kerberos tickets (coming in the near future), as defined in the WS-Security specification
• Specifies the binary security token as a byte array
• Generates <ds:Signature> and <wsse:BinarySecurityToken>
• The Distinguished Name of the certificate is used for authentication
IDAssertion
• Generates <wsse:UsernameToken> with <wsse:Username>
LTPA
• Generates <wsse:BinarySecurityToken>
Custom Token
Message Level Integrity

Provides a way to ensure message integrity of SOAP messages in a multi-hop environment
SSL provides message integrity, but only in a one hop scenario (point to point)
XML digital signature is used to provide message level integrity in a multi-hop scenario
Client defines the required integrity for one or more of the following
• Body
• Security Token
• Timestamp
Server needs to make sure that the appropriate part of the message has the required integrity
A fault is generated if the required integrity is not satisfied
Message Level Confidentiality (Encryption)

Encryption provided by WS-Security is based on the XML Encryption specification
The JSR 106 proposal defines APIs that allow an application to programmatically encrypt an XML document
Client defines the required confidentiality for one or more of the following
• Body content
• User name and password for Basic Authentication, ID assertion (user name)
Server needs to make sure that the appropriate part of the message has the required confidentiality
A fault is generated if the required confidentiality is not satisfied
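The two slides above describe the provider side of the contract: the client names the parts that must be signed or encrypted, the server checks that each named part actually is, and returns a SOAP fault otherwise. The following is an added example (not code from the IBM deck or from WebSphere) of that constraint check in Python. It resolves each required part to its element, checks that a ds:Reference in the Signature covers it by wsu:Id, checks that the Body content is an xenc:EncryptedData element, checks the wsu:Timestamp expiry, and builds the fault the deck says is returned. It deliberately does not verify the signature value or decrypt anything; those cryptographic steps follow this structural check in a real handler. The envelopes, element ids, part names, constraint sets and clock values are constructed sample data.

```python
"""Added example: provider-side check of WS-Security integrity / confidentiality
constraints on a SOAP request, returning a SOAP fault when one is not met.
Structural check only: it does not verify signatures or decrypt."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constraints as a deployment descriptor would state them (constructed; part names follow the slides).
REQUIRED_INTEGRITY = {"body", "timestamp"}
REQUIRED_CONFIDENTIALITY = {"bodycontent"}

# Fixed clock values so the example is reproducible (constructed).
CHECK_TIME = datetime(2004, 4, 6, 12, 1, 0, tzinfo=timezone.utc)
LATE_TIME = CHECK_TIME + timedelta(hours=1)


def q(ns, local):
    return f"{{{ns}}}{local}"


def soap_fault(code, reason):
    """SOAP 1.1 fault carrying a WS-Security fault code, as sent back to the client."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<soapenv:Body><soapenv:Fault><faultcode>{code}</faultcode>"
            f"<faultstring>{reason}</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>")


def find_part(env, part):
    """Resolve a constraint part name to the element it covers (None if absent)."""
    security = env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}")
    if part == "body":
        return env.find(q(SOAP, "Body"))
    if security is None:
        return None
    if part == "timestamp":
        return security.find(q(WSU, "Timestamp"))
    if part == "securitytoken":
        tok = security.find(q(WSSE, "UsernameToken"))
        return tok if tok is not None else security.find(q(WSSE, "BinarySecurityToken"))
    raise ValueError(f"unknown part {part}")


def check_constraints(envelope_xml, required_integrity, required_confidentiality, now):
    """Return None when every constraint is met, otherwise the SOAP fault to send."""
    env = ET.fromstring(envelope_xml)
    # Ids covered by the signature: every ds:Reference URI with its leading '#' removed.
    signed_ids = {ref.get("URI", "").lstrip("#") for ref in env.iter(q(DS, "Reference"))}
    for part in sorted(required_integrity):
        el = find_part(env, part)
        if el is None or el.get(q(WSU, "Id")) not in signed_ids:
            return soap_fault("wsse:InvalidSecurity", f"required integrity for {part} not satisfied")
    if "bodycontent" in required_confidentiality:
        body = env.find(q(SOAP, "Body"))
        children = list(body) if body is not None else []
        if len(children) != 1 or children[0].tag != q(XENC, "EncryptedData"):
            return soap_fault("wsse:InvalidSecurity", "required confidentiality for bodycontent not satisfied")
    ts = find_part(env, "timestamp")
    expires = ts.findtext(q(WSU, "Expires")) if ts is not None else None
    if expires and datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc) < now:
        return soap_fault("wsu:MessageExpired", "the wsu:Timestamp has expired")
    return None


def sample_envelope(sign_body=True, encrypt_body=True):
    """Constructed request; digest, signature and cipher values are placeholders, not real output."""
    body_ref = ('<ds:Reference URI="#Body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
                if sign_body else "")
    content = (f'<xenc:EncryptedData Type="{XENC}Content"><xenc:CipherData>'
               "<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>"
               if encrypt_body else '<acct:getBalance xmlns:acct="urn:example:acct"/>')
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    xmlns:ds="{DS}" xmlns:xenc="{XENC}">
  <soapenv:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="Timestamp-1">
      <wsu:Created>2004-04-06T12:00:00Z</wsu:Created><wsu:Expires>2004-04-06T12:05:00Z</wsu:Expires>
    </wsu:Timestamp>
    <ds:Signature><ds:SignedInfo>{body_ref}
      <ds:Reference URI="#Timestamp-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="Body-1">{content}</soapenv:Body>
</soapenv:Envelope>"""


def demo():
    """Compliant request, unsigned Body, cleartext Body and expired Timestamp."""
    ok = check_constraints(sample_envelope(), REQUIRED_INTEGRITY, REQUIRED_CONFIDENTIALITY, CHECK_TIME)
    unsigned = check_constraints(sample_envelope(sign_body=False), REQUIRED_INTEGRITY, REQUIRED_CONFIDENTIALITY, CHECK_TIME)
    clear = check_constraints(sample_envelope(encrypt_body=False), REQUIRED_INTEGRITY, REQUIRED_CONFIDENTIALITY, CHECK_TIME)
    expired = check_constraints(sample_envelope(), REQUIRED_INTEGRITY, REQUIRED_CONFIDENTIALITY, LATE_TIME)
    return ok, unsigned, clear, expired
```

Checking coverage by wsu:Id before any cryptography is what lets a handler reject a request that signs the wrong element (or nothing) without ever touching the key material, and it is the check that makes "required integrity for Body" enforceable rather than assumed from the presence of a Signature element.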
WS-I Security Profile
WS-I: Web Services Interoperability Organisation

WS-I – open industry group promoting Web Services interoperability
Profiles
• Define usages of Web Services specifications for interoperability
  • Basic Profile 1.1
  • Attachments Profile 1.0
  • Basic Security Profile 1.0 (draft)
Sample implementations
Sniffer & Analyser
• Verify conformance to Profiles
WS-I Basic Security Profile 1.0

Interoperability of security elements defined by WS-Security
Transport Layer security
• Mandates use of TLS on HTTPS (SSL 2.0 not allowed)
SOAP Message Security (WS-Security)
• Including X.509 tokens
• XML Signature
• XML Encryption
Web Services Security in WebSphere
WS-Security High Level Architecture

Client (Security Handler):
  Request: security token generation, digital signature generation, encrypt message
  Response: decrypt message, digital signature validation
  Configuration: deployment descriptor and service bindings

Message on the wire: SOAP body + [ WS-Security headers | transport headers ]

Application Server (Security Handler):
  Request: decrypt message, digital signature validation, security token validation and set up of the security context
  Response: digital signature generation, encrypt message
  Configuration: deployment descriptor and service bindings
  Target: EJB or Java Bean
WS-Security Implementation in WebSphere

WS-Security is implemented as a message level system handler and is registered with the Web Service runtime by the Application Server
The handlers are referred to as the Security Handlers
At the Requestor (Client):
• The security handler generates the required security headers in the SOAP message
• Called just before the message is sent out on the wire
At the Provider (Server):
• The security handler is called to enforce the declared security constraints in the deployment descriptor
• Called prior to dispatching the request to the Web Service Provider (EJB or Java Bean) implementation
WS-Security Security Token Authentication Flow

Client: the Web Services Engine's Security Handler is asked to authenticate user1/password and generates a wsse:UsernameToken carrying <user1:password>
Wire: SOAP/HTTP(s)
WebSphere AppServer: the Web Services Engine's Security Handler validates the token as declared in the deployment descriptor, using the configured authentication mechanism (LTPA, SWAM) and user registry (Custom, LocalOS, LDAP); the SOAP RPC Router dispatches the request as user1
RMI/IIOP to the EJB Container: the user1 identity is propagated to the EJB / Java Bean
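The token slide and the flow above leave the provider-side validation of a wsse:UsernameToken as a box on the diagram. The following added example (not code from the IBM deck or from WebSphere) shows both ends of it in Python, using the PasswordDigest form defined in the OASIS Username Token Profile 1.0 that the deck lists for WebSphere V6: Password_Digest = Base64( SHA-1( nonce + created + password ) ). The client-side function emits the token; the validator does what a handler in front of the user registry must do before setting up the security context: recompute the digest, bound the wsu:Created time to a freshness window, and refuse a replayed nonce. The namespace URIs and fault codes are those of the OASIS specifications; the user registry, credentials, clock value and nonce are constructed sample data.

```python
"""Added example: wsse:UsernameToken (PasswordDigest form, Username Token Profile 1.0)
generated client-side and validated provider-side with digest check, freshness
window and nonce replay cache. Users, clock and nonce are constructed."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Fixed values so the example is reproducible; a real handler uses the clock and os.urandom (constructed).
FIXED_TIME = datetime(2004, 4, 6, 12, 0, 0, tzinfo=timezone.utc)
FIXED_NONCE = bytes(range(16))


def password_digest(nonce_b64, created, password):
    """Profile 1.0 digest: SHA-1 over the raw nonce bytes, the Created string and the password."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, now=None, nonce=None):
    """Client-side handler: the token that goes into the wsse:Security header."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenValidator:
    """Provider-side handler. Raises ValueError carrying the WS-Security fault code."""

    def __init__(self, registry, max_skew=timedelta(minutes=5)):
        self.registry = registry    # username -> password; the digest form needs the password itself
        self.max_skew = max_skew    # accepted distance between wsu:Created and the server clock
        self.seen_nonces = set()    # replay cache; only entries younger than max_skew need keeping

    def validate(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if not username or pw is None or pw.get("Type") != PASSWORD_DIGEST or not nonce or not created:
            raise ValueError("wsse:UnsupportedSecurityToken")
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            raise ValueError("wsse:FailedAuthentication: Created outside the freshness window")
        if (username, nonce) in self.seen_nonces:
            raise ValueError("wsse:FailedAuthentication: nonce replayed")
        password = self.registry.get(username)
        expected = password_digest(nonce, created, password) if password is not None else ""
        # Constant-time compare; an unknown user takes the same path as a wrong password.
        if not password or not hmac.compare_digest(pw.text or "", expected):
            raise ValueError("wsse:FailedAuthentication")
        self.seen_nonces.add((username, nonce))
        return username


def demo():
    """user1/password is the constructed identity shown on the deck's flow diagram."""
    token = build_username_token("user1", "password", now=FIXED_TIME, nonce=FIXED_NONCE)
    validator = UsernameTokenValidator({"user1": "password"})
    accepted = validator.validate(token, now=FIXED_TIME)
    outcomes = []
    for v, when in ((validator, FIXED_TIME),                                   # same nonce again
                    (UsernameTokenValidator({"user1": "password"}), FIXED_TIME + timedelta(hours=1)),  # stale
                    (UsernameTokenValidator({"user1": "other"}), FIXED_TIME)):  # wrong password
        try:
            v.validate(token, now=when)
            outcomes.append(False)
        except ValueError:
            outcomes.append(True)
    return accepted, tuple(outcomes)
```

The freshness window and the nonce cache are not optional extras: without them the digest form is no stronger against capture-and-replay than the cleartext PasswordText form, and the fault that results is the same wsse:FailedAuthentication the deck describes being returned to the client.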
Specifying WS-Security - Deployment Model

WS-Security requirements are specified as security constraints in the deployment descriptor
The deployment descriptor specifies the security requirements for the deployed Web Services
• For example, the deployment descriptors specify whether the message should be digitally signed, encrypted, etc.
Helps in separation of roles
• Developer of the Web Service Provider/Client versus the Assembler or Deployer of the Web Service
No standard deployment model for WS-Security has been defined so far
The Security handlers act on these constraints to enforce the WS-Security requirements
WS-Security - Deployment Descriptor Files

WS-Security is defined in IBM extension/binding files – not part of the J2EE 1.4 DDs
Extension files define “WHAT TO DO”
• Server: ibm-webservices-ext.xmi
• Client: ibm-webservicesclient-ext.xmi
Binding files define “HOW TO DO IT”
• Server: ibm-webservices-bnd.xmi
• Client: ibm-webservicesclient-bnd.xmi
The IBM extension/binding files define the message interaction between Sender and Receiver for Request and/or Response (each can have different settings)
• Authentication type – applicable to Request ONLY
• Integrity – Request and/or Response
• Confidentiality – Request and/or Response
• Time/Date stamp – Request and/or Response
Web Services Request and Response settings

Extension and Binding files have sections for Request and Response security settings
Server
• ibm-webservices-ext.xmi
  − securityRequestReceiverServiceConfig
  − securityResponseSenderServiceConfig
• ibm-webservices-bnd.xmi
  − securityRequestReceiverBindingConfig
  − securityResponseSenderBindingConfig
Client
• ibm-webservicesclient-ext.xmi
  − securityRequestSenderServiceConfig
  − securityResponseReceiverServiceConfig
• ibm-webservicesclient-bnd.xmi
  − securityRequestSenderBindingConfig
  − securityResponseReceiverBindingConfig
Values in the client RequestSender must be compatible with the values in the server RequestReceiver
WS-Security SOAP Faults

If the security constraint requirements, as defined in the deployment descriptor, are not satisfied, a SOAP fault in the SOAP response will be sent to the client
Errors could result from:
• Invalid or unsupported type of security token, signing or encryption algorithm
• Invalid or unauthenticated security token (a token that cannot be authenticated)
• Signature verification failures
• Decryption failures
• Referenced security token could not be located
WebSphere Support for Security Specifications

WebSphere V5.02 and V5.1
• WS-Security Draft 13
• Username Token Profile Draft 0.2
• X.509 Security Token Profile Draft 0.4
WebSphere V6.0
• SOAP Message Security 1.0 (“WS-Security 2004”)
• Username Token Profile 1.0
• X.509 Security Token Profile 1.0
Also based on the specifications for XML Digital Signature and XML Encryption
WS-Security in V6

Focus on making WS-Security extensible in WAS
• The WS-Security specification is flexible; extensibility is the only way to support all the possible security combinations
• A pluggable architecture allows others to add support for future specifications
  • WS-Trust
  • WS-Secure Conversation
No APIs exposed
• The relevant JSRs are still in process and not complete
• Use the deployment model to express security constraints
WS-Security Extensibility

Pluggable signing / encryption algorithms (based on the JCE framework)
Pluggable Token
• Enhanced to support multiple tokens; tokens can be used for signature and encryption
Pluggable KeyLocator
• Abstraction for locating a key for signature or encryption
Signing or encrypting any element in the SOAP message
• XPath has to be used to specify the items within the message
• The order in which signing and encryption are performed
Backward Level Support for Services

Web Services with WS-Security in WAS V6 have different deployment descriptors than services in 5.X
WAS V6 will include support for J2EE 1.3 services using earlier versions of WS-Security
The Admin Console will provide different screens to configure back-level security for back-level services
Links & References

Web Services Security Specifications
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
http://www.oasis-open.org/committees/download.php/8266/oasis-xxxxxx-wss-kerberos-token-profile-1%200.pdf (draft)
WS-I
http://www.ws-i.org
WS-I Security Profile
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html
Links & References (2)

WS-Trust
http://www-106.ibm.com/developerworks/library/specification/ws-trust/
WS-Policy
http://www-106.ibm.com/developerworks/library/specification/ws-polfram/
WS-Federation
http://www-106.ibm.com/developerworks/webservices/library/ws-fed/
Useful Books and Articles

Redbook: WebSphere Version 5.1 Application Developer 5.1.1 Web Services Handbook
http://www.redbooks.ibm.com/abstracts/sg246891.html
Redpaper: Federated Identity Management and Secure Web Services
http://www.redbooks.ibm.com/abstracts/redp3678.html
Contact Details
mike_edwards@uk.ibm.com
proctor@uk.ibm.com