WSSecurity TC - PowerPoint PPT Presentation

Slides: 23
Provided by: brenda2
Transcript and Presenter's Notes

1
WS-Security TC
  • Christopher Kaler
  • Kelvin Lawrence

2
Agenda
  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

3
Web Service Security Issues
  • Getting easier to build web services but who is
    sending the messages?
  • Several approaches
    • SSL with username and password
    • SSL with X509 client certificates
    • VPN with Kerberos
    • XrML, SAML,
  • Challenges
    • Computational cost
    • Inflexibility
    • Firewalls
    • Distributed management
    • Hop-to-hop vs. end-to-end

(Slide callouts: Username/password; Client certificates, Smart Cards, VPN)

4
Security and Web Services
  • Security in a Web Services World
  • Safer: no exposure at intermediaries
  • Interoperable: broad vendor support
  • Leverages XML signature and XML encryption
  • Flexible: builds on web infrastructure
  • Works with HTTP, SMTP, and transports
  • Works over firewall, through the DB,
  • Durable: security is available at the business
    request / application layer
  • Higher performance and scalability
  • Supports both public and symmetric keys
  • Clients exchange security tokens and cache
  • Easier: a simple common approach for manageable
    authentication, authorization, and permissions

5
A Typical Challenge
(Diagram: Certification Partner, Business Partners, Web Service, Company A)

6
A WS-Security Solution
(Diagram: Certification Partner, Business Partners, Web Service, Company A)

7
How Does it Work?
  • Security tokens assert claims
  • Web services have policies
  • A security token service is just a web service
    that issues security tokens

8
Security Tokens
Security tokens assert claims
(Diagram labels: X.509, Kerberos, XrML, SAML, Custom; Identity; Keys;
Privileges, rights, capabilities)

9
Policies
Services have policies
  • Policies describe the required claims
  • Security tokens assert the claims

(Diagram: Policy; "Does the request have the correct security tokens?")
10
Security Token Service
A security token service issues security tokens
  • It is just a web service
  • A solution may require multiple token services

(Diagram: Security Token Service, Policy, Web Service, Policy)
11
Agenda
  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

12
New SOAP Elements: WS-Security
  • New
    • Header
  • Existing
    • XML Signature
    • XML Encryption
    • Token formats (e.g., X.509, Kerberos, XrML, SAML)

13

...
  • SOAP actor is optional
  • One header per actor
  • All security information together
  • Sub-elements are pre-pended
  • Supports multiple signatures

14
Elements In
  • Including and referencing security tokens
  • Signature
  • Encryption Manifest
  • Encrypted Attachments
  • Other

15
Simple Example
  • Requesting a stock quote
  • Security token indicates username
  • Signature uses key generated from password

16
Simple Example (1 of 2)
  • (001)
  • (002) xmlnsds/xmldsig"
  • (003)
  • (004) .org/rp/"
  • (005) http://fabrikam.org/getQuote
  • (006) http://fabrikam.org/stocksto
  • (007) uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6
  • (008)
  • (009)
  • (010)
  • (011) Zoee
  • (012)
  • (013)
  • (014)
  • (015) Algorithm".../xml-exc-c14n"/
  • (016) Algorithm".../xmldsighmac-sha1"/

17
Simple Example (2 of 2)
  • (017) URI"MsgBody"
  • (018) Algorithm"http//.../xmldsigsha1"/
  • (019) LyLsF0Pi4wPU...
  • (020)
  • (021)
  • (022) DJbchm5gK...dsSignatureValue
  • (023)
  • (024)

  • (025) URI"MyID"/
  • (026)
  • (027)
  • (028)
  • (029)
  • (030)
  • (031)
  • (032) QQQStockSymbol
  • (033)
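The stock-quote request above, worked through as an added example that is not part of the original slides or of the WS-Security specification: a client places a UsernameToken in a Security header and signs the Body with HMAC-SHA1 under a key derived from the password, and the service then does what slides 9, 10 and 13 describe, selecting the Security header addressed to its own actor, checking the policy's required claims and signed parts, and verifying the digest and the signature value. Assumptions not on the page: the WS-Security namespace URI (a placeholder), PBKDF2-HMAC-SHA1 keyed with the token's nonce as the password-to-key derivation, the standard library's C14N 2.0 in place of Exclusive C14N, an unprefixed Id attribute on the Body, and the constructed credential store, policy and request body.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# SOAP 1.1 and XML-DSig namespaces are the real ones; the WS-Security namespace
# is elided on the slides, so a placeholder (assumption) stands in for it.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "urn:example:wsse"  # placeholder, not the real WS-Security namespace
for prefix, uri in (("S", SOAP_NS), ("ds", DS_NS), ("wsse", WSSE_NS)):
    ET.register_namespace(prefix, uri)
EXC_C14N, HMAC_SHA1, SHA1 = "http://www.w3.org/2001/10/xml-exc-c14n#", DS_NS + "hmac-sha1", DS_NS + "sha1"

PASSWORDS = {"Zoe": "constructed-demo-password"}  # constructed credential store, not a real account
POLICY = {"required_claims": {"username"}, "signed_parts": {"MsgBody"}}  # the service's policy
BODY = ('<S:Body xmlns:S="%s" Id="MsgBody"><m:GetQuote xmlns:m="http://fabrikam.org/stocks">'
        '<m:StockSymbol>QQQ</m:StockSymbol></m:GetQuote></S:Body>' % SOAP_NS)  # constructed request


def q(ns, local):
    return "{%s}%s" % (ns, local)


def canonical(elem):
    """Deterministic bytes for a subtree. Assumption: the stdlib C14N 2.0 writer
    stands in for the Exclusive C14N named on the slide."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()


def derive_key(password, nonce):
    """Assumption: PBKDF2-HMAC-SHA1 over password and nonce stands in for the
    slide's 'key generated from password'; the slides show no derivation."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), nonce, 10_000, dklen=20)


def build_message(username, password, body_xml, actor=None, nonce=None):
    """Client side: UsernameToken plus an HMAC-SHA1 signature over the Body."""
    nonce = nonce or secrets.token_bytes(16)
    body = ET.fromstring(body_xml)
    env = ET.Element(q(SOAP_NS, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP_NS, "Header")), q(WSSE_NS, "Security"))
    if actor:  # SOAP actor is optional; one Security header per targeted actor
        sec.set(q(SOAP_NS, "actor"), actor)
    tok = ET.SubElement(sec, q(WSSE_NS, "UsernameToken"), {q(WSSE_NS, "Id"): "MyID"})
    ET.SubElement(tok, q(WSSE_NS, "Username")).text = username
    ET.SubElement(tok, q(WSSE_NS, "Nonce")).text = base64.b64encode(nonce).decode()
    sig = ET.SubElement(sec, q(DS_NS, "Signature"))
    si = ET.SubElement(sig, q(DS_NS, "SignedInfo"))
    ET.SubElement(si, q(DS_NS, "CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(si, q(DS_NS, "SignatureMethod"), Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, q(DS_NS, "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q(DS_NS, "DigestMethod"), Algorithm=SHA1)
    digest = hashlib.sha1(canonical(body)).digest()
    ET.SubElement(ref, q(DS_NS, "DigestValue")).text = base64.b64encode(digest).decode()
    mac = hmac.new(derive_key(password, nonce), canonical(si), hashlib.sha1).digest()
    ET.SubElement(sig, q(DS_NS, "SignatureValue")).text = base64.b64encode(mac).decode()
    str_ = ET.SubElement(ET.SubElement(sig, q(DS_NS, "KeyInfo")), q(WSSE_NS, "SecurityTokenReference"))
    ET.SubElement(str_, q(WSSE_NS, "Reference"), URI="#MyID")  # ties the signature to the token
    env.append(body)
    return ET.tostring(env, encoding="unicode")


def find_security_header(env, actor=None):
    # A header without an actor attribute is for the ultimate receiver; each intermediary reads only its own.
    header = env.find(q(SOAP_NS, "Header"))
    for sec in ([] if header is None else header.findall(q(WSSE_NS, "Security"))):
        if sec.get(q(SOAP_NS, "actor")) == actor:
            return sec
    return None


def verify_message(message, policy, actor=None):
    """Service side: policy check (required claims, signed parts), then signature check; returns (accepted, reason)."""
    env = ET.fromstring(message)
    sec = find_security_header(env, actor)
    if sec is None:
        return False, "no Security header addressed to this actor"
    tok = sec.find(q(WSSE_NS, "UsernameToken"))
    username = None if tok is None else tok.findtext(q(WSSE_NS, "Username"))
    if "username" in policy["required_claims"] and username not in PASSWORDS:
        return False, "policy requires a username claim for a known user"
    key = derive_key(PASSWORDS[username], base64.b64decode(tok.findtext(q(WSSE_NS, "Nonce"))))
    sig = sec.find(q(DS_NS, "Signature"))
    si = None if sig is None else sig.find(q(DS_NS, "SignedInfo"))
    if si is None or si.find(q(DS_NS, "SignatureMethod")).get("Algorithm") != HMAC_SHA1:
        return False, "policy requires an HMAC-SHA1 signature"
    refs = {r.get("URI", "").lstrip("#"): r for r in si.findall(q(DS_NS, "Reference"))}
    if not policy["signed_parts"] <= set(refs):
        return False, "policy requires a signature over " + ", ".join(sorted(policy["signed_parts"]))
    ids = {e.get("Id"): e for e in env.iter() if e.get("Id")}
    for part, ref in refs.items():  # each Reference digest must match the element it names
        want = (ref.findtext(q(DS_NS, "DigestValue")) or "").encode()
        got = base64.b64encode(hashlib.sha1(canonical(ids[part])).digest()) if part in ids else b""
        if not hmac.compare_digest(got, want):
            return False, "digest mismatch for %s: content altered or unresolved" % part
    expected = hmac.new(key, canonical(si), hashlib.sha1).digest()
    actual = base64.b64decode(sig.findtext(q(DS_NS, "SignatureValue")) or "")
    if not hmac.compare_digest(expected, actual):
        return False, "signature mismatch: wrong key or SignedInfo altered"
    return True, "accepted request from " + username
```

`build_message("Zoe", PASSWORDS["Zoe"], BODY)` produces the envelope and `verify_message(msg, POLICY)` returns `(accepted, reason)`, so the reason string shows which check rejected a tampered body, a wrong password, an unknown user, or a header addressed to a different actor. The ordering matters: the policy check runs before any key material is touched, and because the HMAC covers SignedInfo, which carries the Body digest, a Body changed after signing fails the digest comparison regardless of who holds the key.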

18
Agenda
  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

19
WS-Security TC Charter
Continue work on the Web service security
foundations published in the WS-Security
specification and under the context of the Web
Services Security roadmap
20
WS-Security TC Scope
  • Using XML signature to provide SOAP message
    integrity for Web services
  • Using XML encryption to provide SOAP message
    confidentiality for Web services
  • Attaching and/or referencing security tokens in
    headers of SOAP messages
  • Carrying security information for potentially
    multiple, designated actors
  • Associating signatures with security tokens
  • Representing specific forms of binary security
    tokens as defined in WS-Security specification.

21
WS-Security TC Deliverables
  • Accept as input the Web Services Security
    (WS-Security)
  • Produce as output a specification for Web
    Services Security. This specification will
    reflect refinements and changes made to the
    submitted version of WS-Security that are
    identified by the WSS TC members for additional
    functionality within the scope of the TC
    charter.
  • Liaise and/or forge relationships with other Web
    services efforts to assist in leveraging
    WS-Security as a part of their specifications or
    solutions.
  • Coordinate with the chairs of the other OASIS
    security related groups via the Security Joint
    Coordination Committee.
  • Oversee ongoing maintenance and errata of the
    WS-Security specification.

22
Questions