Title: Secure Web Services with Apache Rampart/C
Secure Web Services with Apache Rampart/C
Why secure web services?
The world is not as nice as it seems!!!
Threats
- Common to distributed systems
- Specific to web services
Common threats
- Message replays
- Identity spoofing
- DoS attacks
- Message alteration (integrity)
- Confidentiality issues
Threats on web services
- Public disclosure via UDDI, WSDL
- SOAP bound to HTTP/SMTP can easily pass through firewalls
- Unpredictable order of service invocation
- Less human scrutiny
- Limitations of SOAP
  - Origin verification
  - Integrity, confidentiality
That's why...
Transport Level vs. Message Level Security
Why Message Level Security?
- Multiple intermediaries
- Operations on messages
- Observation
- Security even after safe delivery
- Non-repudiation
- Secure specific parts of the message
Rampart/C Features
- Timestamps
- Username Token Profile
- X509 Token Profile
- SOAP message encryption
- SOAP message signature
- WS-Security Policy Support
- Replay detection
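Three of the features above (timestamps, the Username Token Profile and replay detection) are easiest to understand by seeing what a receiver actually has to check. The following is an added example and is not Rampart/C code: a small Python verifier that takes a SOAP envelope carrying a wsu:Timestamp and a wsse:UsernameToken with a PasswordDigest, recomputes the digest as the profile defines it (Base64(SHA-1(nonce + created + password))), rejects expired or skewed timestamps, and keeps a nonce cache so a captured message cannot be replayed. The envelope builder, the user table and the fixed clock are constructed for the demo; `clock_skew` is an assumed tolerance, not a Rampart/C parameter.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Username Token Profile digest: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(username, password, nonce_b64, created, expires):
    """Constructed client request: wsu:Timestamp plus a digest UsernameToken."""
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <s:Header><wsse:Security s:mustUnderstand="1">
    <wsu:Timestamp><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
    <wsse:UsernameToken>
      <wsse:Username>{username}</wsse:Username>
      <wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>
      <wsse:Nonce>{nonce_b64}</wsse:Nonce>
      <wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security></s:Header>
  <s:Body><echoString>hello</echoString></s:Body>
</s:Envelope>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


class UsernameTokenVerifier:
    """Receiver-side checks: timestamp freshness, nonce replay cache, digest match."""

    def __init__(self, passwords, clock_skew=timedelta(minutes=5), now=None):
        self.passwords = passwords          # username -> password (constructed store)
        self.skew = clock_skew              # assumed freshness window
        self.seen = {}                      # nonce -> time it can be forgotten
        self._now = now or (lambda: datetime.now(timezone.utc))

    def verify(self, envelope_xml: str) -> str:
        now = self._now()
        root = ET.fromstring(envelope_xml)
        sec = root.find(f".//{{{WSSE}}}Security")
        if sec is None:
            raise ValueError("no Security header")
        # 1. Timestamp: refuse expired messages and anything outside the skew window.
        stamp = sec.find(f"{{{WSU}}}Timestamp")
        if stamp is None:
            raise ValueError("no Timestamp")
        if now > _ts(stamp.findtext(f"{{{WSU}}}Expires")):
            raise ValueError("timestamp expired")
        if abs(now - _ts(stamp.findtext(f"{{{WSU}}}Created"))) > self.skew:
            raise ValueError("timestamp outside clock-skew window")
        # 2. UsernameToken must use a digest with nonce and created time.
        token = sec.find(f"{{{WSSE}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken")
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST or not nonce or not created:
            raise ValueError("token must carry PasswordDigest, Nonce and Created")
        # 3. Replay detection: purge old nonces, then refuse one we have already seen.
        self.seen = {n: until for n, until in self.seen.items() if until > now}
        if nonce in self.seen:
            raise ValueError("replayed nonce")
        # 4. Recompute the digest and compare in constant time.
        password = self.passwords.get(username)
        expected = password_digest(nonce, created, password) if password else ""
        if not expected or not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            raise ValueError("bad credentials")
        self.seen[nonce] = now + self.skew  # after this the Created check rejects it anyway
        return username


def run_demo():
    """Fixed clock so the outcome is deterministic; nonces are constructed, not random."""
    fixed = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "s3cret"}, now=lambda: fixed)
    n1 = base64.b64encode(b"0123456789abcdef").decode()
    n2 = base64.b64encode(b"fedcba9876543210").decode()
    n3 = base64.b64encode(b"another-nonce-0").decode()
    good = build_envelope("alice", "s3cret", n1, "2024-01-01T12:00:00Z", "2024-01-01T12:05:00Z")
    wrong = build_envelope("alice", "guess", n2, "2024-01-01T12:00:00Z", "2024-01-01T12:05:00Z")
    stale = build_envelope("alice", "s3cret", n3, "2024-01-01T11:00:00Z", "2024-01-01T11:05:00Z")
    results = []
    for label, env in [("fresh", good), ("replay", good), ("wrong-password", wrong), ("stale", stale)]:
        try:
            results.append(f"{label}: accepted {verifier.verify(env)}")
        except ValueError as err:
            results.append(f"{label}: rejected ({err})")
    return results


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The order of the checks matters: timestamp and nonce are checked before the digest, so a replayed or stale message is discarded without touching the password store, and the nonce is only recorded once the credentials have been accepted. The cache only needs to remember nonces for the freshness window, because anything older fails the Created check.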
Overview
Detailed Architecture
OMXMLSecurity
Apache Axis2/C deployment
- Client
  - axis2.xml: engage the Rampart/C module
  - policy.xml: security policy
- Service
  - services.xml: engage the module and attach the policy
  - axis2.xml: engaging here is optional
An Encrypted Message
Rampart/C usages
Security in WSF/PHP
Secured WSF/PHP Client
- Create an array of security properties
- Create a policy object populated with the above security property array
- Create a WSSecurityToken object
- Create a WSClient object
- Request
PHP Client example

    // Bob's certificate encrypts the request; Alice's private key is the client's own key.
    $rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
    $pvt_key  = ws_get_key_from_file('../keys/alice_key.pem');

    // $reqPayloadString holds the request payload XML (built earlier in the sample).
    $reqMessage = new WSMessage($reqPayloadString,
        array("to"     => "http://localhost/samples/security/encryption/encrypt_service.php",
              "action" => "http://php.axis2.org/samples/echoString"));

    // Security properties: encrypt the message body with the given algorithm suite.
    $sec_array = array("encrypt"                => TRUE,
                       "algorithmSuite"         => "Basic256Rsa15",
                       "securityTokenReference" => "EmbeddedToken");

    // Policy object populated with the security property array.
    $policy = new WSPolicy(array("security" => $sec_array));

    // Key material the security runtime uses for this client.
    $sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                           "receiverCertificate" => $rec_cert));

    $client = new WSClient(array("useWSA"        => TRUE,
                                 "policy"        => $policy,
                                 "securityToken" => $sec_token));

    $resMessage = $client->request($reqMessage);
Secured WSF/PHP Service
- Create an array of security properties
- Create a policy object populated with the above security property array
- Create a WSSecurityToken object
- Create a WSService object
- Reply
PHP Service example

    // The service's own certificate and private key.
    $pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
    $pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

    // Operation name -> PHP function that implements it (echoFunction is defined elsewhere in the sample).
    $operations = array("echoString" => "echoFunction");

    // Security properties: incoming messages must be encrypted with this suite.
    $sec_array = array("encrypt"                => TRUE,
                       "algorithmSuite"         => "Basic256Rsa15",
                       "securityTokenReference" => "IssuerSerial");

    // WS-Addressing action -> operation.
    $actions = array("http://php.axis2.org/samples/echoString" => "echoString");

    // Policy object populated with the security property array.
    $policy = new WSPolicy(array("security" => $sec_array));

    $sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                           "receiverCertificate" => $pub_key));

    $svr = new WSService(array("actions"       => $actions,
                               "operations"    => $operations,
                               "policy"        => $policy,
                               "securityToken" => $sec_token));

    $svr->reply();
Would Rampart/C be enough?
- NO...!!!
- There are threats that WS-Security alone cannot address, e.g. XML bombs, SQL injection
- Design your services carefully and use Rampart/C
What's ahead?
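Decrypting and verifying a message says nothing about what the payload contains: both threats named above arrive inside a perfectly valid, signed, encrypted envelope. As an added example (not Rampart/C or WSF/PHP code), the Python below shows the two service-side defences a careful design adds on top of WS-Security: an expat pre-parse guard that refuses any DOCTYPE or entity declaration (an XML bomb cannot expand what it is never allowed to declare) together with a payload size cap, and a parameterised database query beside the string-concatenated one it replaces. The in-memory table, the `MAX_PAYLOAD_BYTES` limit and the small entity-expansion sample used as test input are all constructed for the demo.

```python
import sqlite3
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_PAYLOAD_BYTES = 64 * 1024  # assumed service limit; tune to real message sizes


class RejectedInput(ValueError):
    """Raised when a message is refused before any expensive processing."""


def reject_dtd(payload: bytes) -> None:
    """Refuse any document that declares a DOCTYPE or entities.
    An XML bomb relies on entity expansion, so it is stopped at the declaration,
    before a single entity is expanded; the size cap bounds everything else."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise RejectedInput("payload too large")
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedInput("DOCTYPE declarations are not accepted")

    def on_entity(*_):
        raise RejectedInput("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(payload, True)  # handler exceptions propagate out of Parse


def extract_echo_string(payload: bytes) -> str:
    """Parse the echoString payload only after the DTD guard has accepted it."""
    reject_dtd(payload)
    root = ET.fromstring(payload)
    if root.tag != "echoString" or root.text is None:
        raise RejectedInput("expected a single <echoString> element")
    return root.text


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the service's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greetings (name TEXT PRIMARY KEY, greeting TEXT)")
    conn.executemany("INSERT INTO greetings VALUES (?, ?)",
                     [("alice", "hello alice"), ("bob", "hello bob")])
    return conn


def lookup_unsafe(conn, name):
    """The mistake: a decrypted, signature-verified value is still caller data,
    and splicing it into SQL text lets it rewrite the query."""
    row = conn.execute(f"SELECT greeting FROM greetings WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def lookup_safe(conn, name):
    """Parameterised query: the value is bound, never part of the SQL text."""
    row = conn.execute("SELECT greeting FROM greetings WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# Constructed three-level entity-expansion sample, used only to exercise the guard.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]>
<echoString>&lol2;</echoString>"""


def run_demo():
    conn = make_db()
    out = {}
    try:
        extract_echo_string(BOMB)
        out["bomb"] = "accepted"
    except RejectedInput as err:
        out["bomb"] = f"rejected: {err}"
    out["safe-bob"] = lookup_safe(conn, extract_echo_string(b"<echoString>bob</echoString>"))
    injected = extract_echo_string(b"<echoString>' OR '1'='1</echoString>")
    out["unsafe-injected"] = lookup_unsafe(conn, injected)  # returns a row it should not
    out["safe-injected"] = lookup_safe(conn, injected)      # no such name: None
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rejecting the DOCTYPE at declaration time is cheaper and safer than trying to measure expansion afterwards, and it costs nothing for SOAP payloads, which do not use DTDs. The query pair makes the other point: the message layer has already done its job by the time the value reaches the database, so the remaining control has to live in the service code.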
- WS-Secure Conversation
- WS-Trust
- WS-Federation
More readings...
- http://wso2.org/library/2814
- http://wso2.org/library/2917
- http://wso2.org/library/2702