Docstoc

Web Services Security (PDF)

Document Sample
Web Services Security (PDF) Powered By Docstoc
					                                                    ®




         IBM Software




Web Services Security
Theory & Practice

                        Mike Edwards & Hedley Proctor
                        IBM Hursley Park
         IBM Software


Agenda


     Web Services Security Specifications
     WS-I Security Profile
     Web Services Security in WebSphere
     Links and References
     Demonstration of Secure Interoperable Web Services
             .NET client to WebSphere Server




                                                          2
       IBM Software


Web Services Security Specifications




                                       3
           IBM Software


Web Services Security: Road Map

                 WS-Security Family

  WS-Secure
                   WS-Federation   WS-Authorization
                                                      WS-Security describes
 Conversation                                         extensions for digital
                                                      signature, encryption and
  WS-Policy           WS-Trust        WS-Privacy      security tokens as the
                                                      foundation for other security
                                                      specifications.
                  WS-Security
                                                      WS-Security was submitted
                                                      to an OASIS technical
                SOAP Foundation                       committee in September
                                                      2002. It became 1.0
                                                      specification in Apr 6 2004.



                                                                                 4
          IBM Software


WS-Security - Objectives
         WS-Security is a message level standard defined how to secure
         SOAP messages
         Offers better performance than transport level security



                                 Applying Security
                                 To Web Services



               WS-Security                                SSL
            SOAP Message Level                       Transport Level
                 Security                               Security


   Authorization         Confidentiality         Integrity
     username                Message                 Security
     password               Encryption                Token

                                                                         5
      IBM Software


WS-Security: Components
     WS-Security is a message level standard defined how to secure
     SOAP messages, using

          XML Digital Signature:
           •   Digitally sign the SOAP XML document, providing integrity,
               authenticity, and signer authentication – JSR 105 address
               programmatically

          XML Encryption:
           •   Process for encrypting data and representing the result in XML
               providing confidentiality – JSR 106 address programmatically

          XML Canonicalization:
           •   provides normalized XML document that can be digitally signed
               and verified

          Credential propagation through security tokens

          Applies to SOAP/HTTP and SOAP/JMS

                                                                                6
       IBM Software


WS-Security Security Tokens
      WS-Security support following types of security tokens that can be passed in the
      SOAP message

            BasicAuth
             • Generates <wsse:UsernameToken> with <wsse:Username> and
                <wsse:Password>

            Signature:
              • Non-XML format security tokens, like X.509 certificate and Kerberos (coming
                in near future) tickets (defined in the WS-Security specification)
              • Specifies binary security token as a byte array
              • Generates <ds:Signature> and <wsse:BinarySecurityToken>
              • Distinguished Name of a certificate is used for authentication
            IDAssertion
              • Generates <wsse:UsernameToken> with <wsse:Username>
            LTPA
              • Generates <wsse:BinarySecurityToken>
            Custom Token



                                                                                              7
       IBM Software


Message Level Integrity

      Provides way to ensure message integrity of SOAP messages
      in multi-hop environment
          SSL provides message integrity, but in one hop scenario (point to
          point)
          XML digital signature used to provide message level integrity in a multi
          hop scenario

      Client defines required integrity for one or more of the
      following
            •   Body
            •   Security Token
            •   Timestamp
      Server needs to make sure that appropriate part of the message
      has required integrity
          Fault is generated if required integrity is not satisfied




                                                                                     8
        IBM Software


Message Level Confidentiality (Encryption)

      Encryption provided by WS-Security is based on the XML
      Encryption specification
           JSR 106 proposal defines APIs to allow application programmatically
           encrypt a XML document

      Client defines required Confidentiality for one or more of the
      following
            •   Body Content
            •   User name and password for Basic Authentication, ID assertion
                (user name)

      Server needs to make sure that appropriate part of the message
      has required Confidentiality
           Fault is generated if required confidentiality is not satisfied




                                                                                 9
        IBM Software


WS-I Security Profile




                        10
       IBM Software


WS-I: Web Services Interoperability Organisation


       WS-I – open industry group promoting Web Services
       interoperability
           Profiles
             •Define usages of Web Services specifications for
              interoperability
            • Basic Profile 1.1
            • Attachments Profile 1.0
            • Basic Security Profile 1.0 (draft)
           Sample implementations
           Sniffer & Analyser
             •   Verify conformance to Profiles




                                                                 11
        IBM Software


WS-I Basic Security Profile 1.0


       Interoperability of security elements defined by WS-Security
       Transport Layer security
            Mandates use of TLS on HTTPS (SSL 2.0 not allowed)

       SOAP Message Security (WS-Security)
            Incl X.509 tokens

       XML Signature

       XML Encryption




                                                                      12
       IBM Software


Web Services Security in WebSphere




                                     13
                  IBM Software


WS-Security High Level Architecture
Security Token generation                                   Decrypt message
Digital Signature generation                                Digital Signature validation
Encrypt message                                             SecurityToken validation and setup security
                                                            context


               Client                                                      Application Server

             Request                                                         Request
                                                                                                      EJB
                                        SOAP body +                                                    or
        Security Handler                [ WS-Security headers          Security Handler              Java
                                         | transport headers ]
            Response                                                         Response                Bean




                               Decrypt message         Digital Signature
                               Digital Signature       generation
       Configuration           validation              Encrypt message          Configuration
       Deployment descriptor                                                    Deployment descriptor
       and service bindings                                                     and service bindings



                                                                                                            14
       IBM Software


WS-Security Implementation in WebSphere

      WS-Security is implemented as message level system handler
      and is registered to the Web Service runtime by the Application
      Server
           The handlers are referred to as the Security Handlers

      At the Requestor (Client):
           Security handler generates the required security headers in the
           SOAP message
           Called just before the message is sent out on the wire

      At the Provider (Server):
           Security handler is called to enforce the declared security
           constraint in the deployment descriptor
           Called prior to dispatching the request to the Web Service
           Provider (EJB or Java Beans) implementation



                                                                             15
       IBM Software


WS-Security Security Token Authentication Flow
                                           Authentication
                                               Authentication
                                                                       User Registry
                             Deployment         Mechanism
               Web            Descriptor
             Services                                                                           Custom
                                                            LTPA      LocalOS
              Engine          Security
                                              SWAM
                                                                                       LDAP
                              Handler


                                                                         Authenticate: user1/password
           SOAP/HTTP(s)

      wsse:UsernameToken                                                          user1
                                                                    Security                    Web
      <user1:password>                                              Handler                   Services
                                 SOAP       RPC                                                Engine
                                           Router
                                                                    Deployment            user1
                                                                     Descriptor

                                                                   RMI/IIOP
                                                                                  user1
                                                                                              user1
                        WebSphere                                    EJB
                        AppServer                                  Container
                                                                          user1                  Java
                                                                   EJB                           Bean



                                                                                                         16
       IBM Software


Specifying WS-Security - Deployment Model

      WS-Security requirements are specified as security constraints
      in the deployment descriptor
           The deployment descriptor specifies the security requirements for the
           deployed Web Services,
             •   For example, the deployment descriptors specify if the message
                 should be digitally signed, encrypted etc.
           Helps in Separation of Roles
             •   Developer of Web Service Provider/Client and the Assembler or
                 Deployer of Web Service
           No standard deployment model for the WS-Security defined so far

      The Security handlers act on these constraints to enforce WS-
      Security requirements




                                                                                   17
        IBM Software


WS-Security - Deployment Descriptor Files
      WS-Security defined in IBM extension/binding files – not part of
      J2EE 1.4 DDs
      Extension files define “WHAT TO DO”
           Server: ibm-webservices-ext.xmi
           Client: ibm-webservicesclient-ext.xmi

      Binding files define “HOW TO DO”
           Server: ibm-webservices-bnd.xmi
           Client: ibm-webservicesclient-bnd.xmi

      The IBM extension/binding files define message interaction
      between Sender and Receiver for Request and/or Response
      (can have different setting for each)
           Authentication type – Applicable to Request ONLY
           Integrity – Request and/or Response
           Confidentiality - Request and/or Response
           Time/Date stamp - Request and/or Response


                                                                         18
       IBM Software


Web Services Request and Response settings
      Extension and Binding files have sections for Request and Response
      security settings
        Server
        • ibm-webservices-ext.xmi
            − securityRequestReceiverServiceConfig
            − securityResponseSenderServiceConfig
        •   ibm-webservices-bnd.xmi
            − securityRequestReceiverBindingConfig
            − securityResponseSenderBindingConfig
        Client
        • ibm-webservicesclient-ext.xmi
            − securityRequestSenderServiceConfig
            − securityResponseReceiverServiceConfig
        •   ibm-webservicesclient-bnd.xmi
            − securityRequestSenderBindingConfig
            − securityResponseReceiverBindingConfig
      Values in Client RequestSender must be compatible with values in
      RequestReceiver

                                                                           19
      IBM Software


WS-Security SOAP Faults

      If the Security constraints requirements, as defined in the
      deployment descriptor, are not satisfied, a SOAP fault in the
      SOAP response will be send to the client

      Errors could result from:
          Invalid or unsupported type of security token, signing or encryption
          algorithms
          Invalid or unauthenticated or invalid security token (token that can not
          be authenticated)
          Signature verification failures
          Decryption failures
          Referenced security token could not be located




                                                                                     20
       IBM Software


WebSphere Support for Security Specifications

      WebSphere V5.02 and V5.1
           WS-Security Draft 13
           Username Token Profile Draft 0.2
           X.509 Security Token Profile Draft 0.4

      WebSphere V6.0
           SOAP Message Security 1.0 (“WS-Security 2004”)
           Username Token Profile 1.0
           X.509 Security Token Profile 1.0

      Also based on specifications for XML Digital Signature and
      XML Encryption



                                                                   21
           IBM Software


WS-Security in V6

  Focus on making WS-Security extensible in WAS
      WS-Security specification is flexible, this is the only way to support all the
      possible security combinations
      A pluggable architecture allows for others to add support for future
      specifications
       •   WS-Trust
       •   WS-Secure Conversation

  No APIs exposed
      Relevant JSRs are still in process and not complete
      Use deployment model to express security constraints




                                                                                       22
        IBM Software


WS-Security Extensibility

       Pluggable Signing / Encryption algorithms (based on the JCE
       framework)

       Pluggable Token
            Enhanced to support multiple tokens and tokens can be used
            for signature and encryption

       Pluggable KeyLocator
            Abstraction for locating a key for signature or encryption

       Signing or encryption any elements in the SOAP message
            Have to use XPath to specify the items within the message

       Order of signature or encryption is performed



                                                                         23
       IBM Software


Backward Level Support for Services


      Web Services with WS-Security in WAS V6 have different
      deployment descriptors than services in 5.X

      WAS V6 will include support for J2EE 1.3 services using earlier
      versions of WS-Security

      The Admin Console will provide different screens to configure back-
      level security for back-level services




                                                                            24
       IBM Software


Links & References


      Web Services Security Specifications
             http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-
             message-security-1.0.pdf
             http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-
             token-profile-1.0.pdf
             http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-
             profile-1.0.pdf
             http://www.oasis-open.org/committees/download.php/8266/oasis-
             xxxxxx-wss-kerberos-token-profile-1%200.pdf (draft)
      WS-I
             http://www.ws-i.org
      WS-I Security Profile
             http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html




                                                                                     25
       IBM Software


Links & References (2)


       WS-Trust
           http://www-106.ibm.com/developerworks/library/specification/ws-trust/
       WS-Policy
           http://www-106.ibm.com/developerworks/library/specification/ws-
           polfram/
       WS-Federation
           http://www-106.ibm.com/developerworks/webservices/library/ws-fed/




                                                                                   26
       IBM Software


Useful Books and Articles


       Redbook: WebSphere Version 5.1 Application Developer 5.1.1 Web
       Services Handbook
           http://www.redbooks.ibm.com/abstracts/sg246891.html

       Redpaper: Federated Identity Management and Secure Web
       Services
           http://www.redbooks.ibm.com/abstracts/redp3678.html




                                                                        27
        IBM Software


Contact Details


       mike_edwards@uk.ibm.com

       proctor@uk.ibm.com




                                 28

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:17
posted:3/24/2011
language:English
pages:28