Secure%20Web%20Services%20with

1
Secure Web Services with
Apache Rampart/C
2
Why to secure web services?
The world is not nice, as it seems !!!
3
Threats

• Common to distributed systems
• Specific to web services

4
Common threats

• Message replays
• Identity spoofing
• DOS attacks
• Message alteration/Integrity
• Confidentiality issues

5
Threats on web services

• Public disclosure UDDI, WSDL
• SOAP bound to HTTP/SMTP can easily pass through
  firewalls
• Unpredictable order of service invocation
• Less human scrutiny
• Limitations of SOAP
• Origin verification
• Integrity, confidentiality

6
That's why...

• WS-Security

7
Transport Level Vs Message Level Security
8
Why Message Level Security?

• Multiple intermediaries
• Operations to messages
• Observation
• Security even after the safe delivery
• Non-repudiation
• Secure specific parts of the message

?
9
Rampart/C Features

• Timestamps
• Username Token Profile
• X509 Token Profile
• SOAP message encryption
• SOAP message signature
• WS-Security Policy Support
• Replay detection

10
Overview
11
Detailed Architecture
12
OMXMLSecurity
13
Apache Axis2/C deployment

• Client
• axis2.xml Engage
• policy.xml Policy
• Service
• services.xml Engage Policy
• axis2.xml Engage optional

14
Apache Axis2/C deployment
15
An Encrypted Message
16
Rampart/C usages

• WSF/C
• WSF/PHP
• WSF/Ruby

17
Security in WSF/PHP
18
Secured WSF/PHP Client

1. Create an array of security properties
2. Creating a policy object populated with the above
   security property array
3. Creating a WSSecutiyToken object
4. Creating a WSClient object
5. Request

19
PHP Client example
rec_cert ws_get_cert_from_file('../keys/bo
b_cert.cert') pvt_key ws_get_key_from_file
('../keys/alice_key.pem') reqMessage new
WSMessage(reqPayloadString,
array("to"gt"http//localhost/samples/secu
rity/encryption/encrypt_service.php",
"action" gt
"http//php.axis2.org/samples/echoString"))
sec_array array("encrypt"gtTRUE,
"algorithmSuite" gt "Basic256Rsa15",
"securityTokenReference" gt
"EmbeddedToken") policy new
WSPolicy(array("security"gtsec_array))
sec_token new WSSecurityToken(array("privateKey
" gt pvt_key,
"receiverCertificate" gt rec_cert))
client new WSClient(array("useWSA" gt TRUE,
"policy" gt
policy,
"securityToken" gt sec_token)) resMessage
client-gtrequest(reqMessage)
20
Secured WSF/PHP Service

1. Create an array of security properties
2. Creating a policy object populated with the above
   security property array
3. Creating a WSSecutiyToken object
4. Creating a WSService object
5. Reply

21
PHP Service example
pub_key ws_get_cert_from_file("/your/path/to/ce
rt.cert") pvt_key ws_get_key_from_file("/your
/path/to/key.pem") operations
array("echoString" gt "echoFunction") sec_array
array("encrypt" gt TRUE,
"algorithmSuite" gt "Basic256Rsa15",
"securityTokenReference" gt
"IssuerSerial") actions array("http//php.axi
s2.org/samples/echoString" gt "echoString") pol
icy new WSPolicy(array("security"gtsec_array))
sec_token new WSSecurityToken(array("privateKe
y" gt pvt_key,
"receiverCertificate" gtpub_key)) svr
new WSService(array("actions" gt actions,
"operations" gt operations,
"policy" gt policy,
"securityToken" gt
sec_token)) svr-gtreply()
22
Would Rampart/C be enough?

• NO...!!!
• There are threats that cannot be addressed by
  WS-Security alone
• e.g. XML bombs, SQL injection
• Design your services carefully and use Rampart/C

23
What's ahead?

• WS-Secure Conversation
• WS-Trust
• WS-Federation

24

• Questions?

25
More readings...

• http//wso2.org/library/2814
• http//wso2.org/library/2917
• http//wso2.org/library/2702