1. Web Services Security
By:
Muhammad Jawaid Shamshad
MS/PhD (CS)
052210
Advisor:
Naeem Janjua
2. Agenda
► Introduction
► Terms and Concepts
  Web Services
  WSDL
  Discovering Web Services (UDDI, ebXML)
► Need for Security
► Goal of Security
► Requirements for Web Service Security
► EASI
  EASI Requirements
  EASI Framework
► Conclusion
► Literature Sources
► Q & A
3. Introduction
► Web services provide fast and flexible information sharing between people and businesses.
► But along with the benefits there is a serious risk: sensitive and private data can be exposed.
► How do we secure web services?
4. Terms and Concepts
► Web Service
► SOAP
► WSDL
► Discovering Web Services
  UDDI
  ebXML
5. Web Service
► Definition
  "Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet."
► Main focus is interoperability
► Uses SOAP as the syntax of the message and HTTP to transfer that message
6. SOAP
► Definition
  "Lightweight protocol for exchange of information in a decentralized, distributed environment."
► Created by Microsoft, DevelopMentor, IBM, Lotus, and UserLand in 1999
► XML-based protocol
► Web services transfer XML messages in SOAP format, encapsulated in a SOAP envelope
7. SOAP
► The SOAP header contains the meta-information and the body contains the actual message, both in XML syntax
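The header/body split above, as an added example that is not part of the original slides: Python's standard library builds a SOAP 1.1 envelope and a receiver parses it back, keeping header metadata separate from the body payload. The application namespace (http://example.invalid/orders), the AuthorizeCard operation and its fields, and the 64 KiB size cap are assumptions made for the illustration. The receiver also shows the two checks a practitioner wants before any XML parser touches an untrusted SOAP message: a size limit and rejection of DTDs, the carrier of XXE and entity-expansion attacks.

```python
"""Build and parse a minimal SOAP 1.1 envelope with the Python standard
library, keeping the header (meta-information) and the body (payload) apart.

Added example, not code from the original slides. The application
namespace, operation name and field names are made up for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://example.invalid/orders"   # hypothetical service namespace
MAX_MESSAGE_BYTES = 64 * 1024              # receiver-side size cap (assumption)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def build_envelope(header_items: dict, operation: str, body_fields: dict) -> bytes:
    """Serialise metadata into soap:Header and the operation into soap:Body."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("app", APP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    for name, value in header_items.items():
        ET.SubElement(header, f"{{{APP_NS}}}{name}").text = value
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}{operation}")
    for name, value in body_fields.items():
        ET.SubElement(op, f"{{{APP_NS}}}{name}").text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_envelope(raw: bytes) -> dict:
    """Validate the envelope shape and return header metadata and body fields.

    Two receiver-side checks happen before any XML is parsed: a size cap,
    and rejection of DTDs. A DOCTYPE is the vehicle for external-entity
    (XXE) and entity-expansion ('billion laughs') attacks; ElementTree does
    not fetch external entities, but internal expansion can still exhaust
    memory. The substring test assumes a UTF-8 document; a production
    receiver should use a parser that can disable DTDs outright.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds size limit")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTDs are not accepted in SOAP messages")
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root element is not a SOAP Envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation element")
    header = root.find(f"{{{SOAP_NS}}}Header")
    meta = {} if header is None else {local_name(c.tag): c.text for c in header}
    op = body[0]
    return {
        "header": meta,
        "operation": local_name(op.tag),
        "body": {local_name(c.tag): c.text for c in op},
    }


if __name__ == "__main__":
    # Constructed sample message: a shop asking for a card authorisation.
    raw = build_envelope({"MessageID": "m-1", "Sender": "shop"},
                         "AuthorizeCard", {"Amount": "42.00", "Currency": "USD"})
    print(raw.decode())
    print(parse_envelope(raw))
```

The DOCTYPE test is deliberately done on the raw bytes rather than after parsing: once an entity-expansion payload reaches the parser the damage is done. Anything the service later trusts (sender identity, message ID) comes from the header dictionary, which is why the receiver separates it from the body before any business logic runs.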
8. WSDL
► Definition
  "An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information."
► Developed by IBM and Microsoft in 2000
► Contains information on where the service is located, what the service does, and how to invoke the service
► An application can look at the WSDL and dynamically construct SOAP messages
9. Discovering Web Services
► How to find a desired web service and communicate with it
  Universal Description, Discovery, and Integration (UDDI)
  ebXML Registries
10. UDDI
► Introduced by Ariba, Microsoft, and IBM in 2000
► Not yet a standard but implemented by major vendors like Microsoft and IBM
► Information available
  White pages: company contact information
  Yellow pages: categorize businesses by standard categorization
  Green pages: document the technical information about web services, like WSDL
11. ebXML
► A standard created by OASIS in 2001
► Provides a common way for businesses to quickly and dynamically perform business transactions based on common business practices
► Information available
  Business processes and components described in XML
  Capabilities of a trading partner
  Trading partner agreements between companies
12. Need for Security
► E-commerce sites on the Internet. These rely on credit card authorization services from an outside company.
► Cross-selling and customer relationship management. This relies on customer information being shared across many lines of business within an enterprise.
► Supply chain management. This requires continuing communication among all of the suppliers in a manufacturing chain. The transactions describing the supply chain that are exchanged among the enterprises contain highly proprietary data.
13. Goal of Security
► Confidentiality
► Integrity
► Accountability
► Availability
14. Requirements for WS Security
► Authentication
► Authorization
► Cryptography
► Accountability
► Security Administration
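Authentication, cryptography and accountability from the list above, worked through in code as an added example that is not part of the original slides. A sender authenticates a SOAP-style request with an HMAC-SHA256 tag over a shared secret; the receiver verifies the tag in constant time, rejects stale timestamps and replayed message IDs, and records every decision in an audit trail. The sender names, keys, message IDs and body are constructed for the example. Production web services would carry this in WS-Security (XML Signature) or rely on mutual TLS; the block shows the mechanics those standards wrap in XML.

```python
"""Message authentication, integrity and accountability for a SOAP-style
request with a shared secret and HMAC-SHA256.

Added example, not from the original slides. The sender names, keys,
message IDs and body are constructed for illustration.
"""
import hashlib
import hmac
import time

# Hypothetical shared secrets, one per authorised sender (assumed).
SENDER_KEYS = {
    "shop.example": b"0f6c8d1e3a9b4c7d2e5f8a1b4c7d0e3f",
    "supplier.example": b"9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d",
}
MAX_CLOCK_SKEW = 300  # seconds a timestamp may deviate from receiver time


def _canonical(sender: str, msg_id: str, timestamp: int, body: bytes) -> bytes:
    """Length-prefix every field so no two field sets share one encoding."""
    out = b""
    for part in (sender.encode(), msg_id.encode(), str(timestamp).encode(), body):
        out += str(len(part)).encode() + b":" + part
    return out


def sign(sender: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Sender side: authenticate the message with the sender's key."""
    key = SENDER_KEYS[sender]
    return hmac.new(key, _canonical(sender, msg_id, timestamp, body), hashlib.sha256).hexdigest()


class Receiver:
    """Receiver side: verify, reject replays, and record every decision."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen_ids = set()   # message IDs already accepted
        self.audit = []          # accountability trail, one entry per message

    def verify(self, sender: str, msg_id: str, timestamp: int, body: bytes, tag: str) -> bool:
        outcome = self._check(sender, msg_id, timestamp, body, tag)
        self.audit.append({"sender": sender, "msg_id": msg_id,
                           "received_at": int(self._now()), "outcome": outcome})
        return outcome == "accepted"

    def _check(self, sender, msg_id, timestamp, body, tag) -> str:
        key = SENDER_KEYS.get(sender)
        if key is None:
            return "unknown sender"
        expected = hmac.new(key, _canonical(sender, msg_id, timestamp, body),
                            hashlib.sha256).hexdigest()
        # Constant-time compare, and authenticate BEFORE touching replay state,
        # so an attacker cannot fill the seen-ID set with unsigned messages.
        if not hmac.compare_digest(expected, tag):
            return "bad signature"
        if abs(int(self._now()) - timestamp) > MAX_CLOCK_SKEW:
            return "stale timestamp"
        if msg_id in self._seen_ids:
            return "replay"
        self._seen_ids.add(msg_id)
        return "accepted"


if __name__ == "__main__":
    receiver = Receiver()
    body = b"<AuthorizeCard><Amount>42.00</Amount></AuthorizeCard>"  # constructed
    ts = int(time.time())
    tag = sign("shop.example", "m-1", ts, body)
    print(receiver.verify("shop.example", "m-1", ts, body, tag))   # first delivery
    print(receiver.verify("shop.example", "m-1", ts, body, tag))   # replay
    print(receiver.audit)
```

The order of the checks is the security-relevant detail: signature first, then freshness, then replay. Only messages that already passed authentication may change receiver state, and every outcome, including rejections, lands in the audit list so that accountability covers failed attempts as well as accepted ones.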
15. EASI
► End-to-end Enterprise Application Security Integration
► Provides a common security framework to integrate many different security solutions
► Enables new security technologies in each tier to be added without affecting the business applications
► Framework for distributed application security, not limited to web services
16. EASI Requirements
► Perimeter security technologies. Used between the client and the server. Perimeter security enforces protection for customer, partner, and employee access to corporate resources. Perimeter security primarily protects against external attackers, such as hackers.
► Mid-tier security technologies. Used between the mid-tier business components. Mid-tier security focuses primarily on protecting against insider attacks, but also provides another layer of protection against external attackers.
► Back-office security technologies. Address the protection of databases and operating-system-specific back-end systems.
17. EASI Framework
► Specifies the interactions among the security services and the application components that use those security services
► Possible to add new security technology solutions without making big changes
► Supports "plug-ins" for new security technologies
18. EASI Framework continued…
► Applications
  Provides enterprise security services for presentation components, business logic components, and the back office
  Supports security mechanisms that enforce security on behalf of security-aware and security-unaware applications
19. EASI Framework continued…
► Security-Aware Application
  Uses the security APIs to access and validate the security policies
  May directly access security functions that enable the application to perform additional security checks
20. EASI Framework continued…
► Security-Unaware Application
  Does not explicitly call security services
  Security is enforced by using interceptors
  The interceptor transparently calls the underlying security APIs on behalf of the application
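The two application styles from slides 19 and 20 side by side, as an added example that is not part of the original slides: one small policy engine plays the role of the security API, a decorator acts as the interceptor that enforces policy for a function containing no security code, and a security-aware function calls the same API directly and adds a finer-grained check the role table cannot express. The roles, operations, policy table and order data are invented; in EASI the SecurityAPI would front the enterprise security services rather than an in-memory dictionary.

```python
"""One policy engine serving a security-unaware function (enforced through
an interceptor) and a security-aware function (which calls the security
API itself and adds its own check).

Added example, not from the original slides. Roles, operations, the policy
table and the order data are invented for illustration.
"""
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


class AccessDenied(PermissionError):
    pass


# Deny-by-default policy: operation -> roles permitted (assumed for the example).
POLICY = {
    "order.read": frozenset({"clerk", "manager"}),
    "order.approve": frozenset({"manager"}),
}


class SecurityAPI:
    """The 'standard security API' both kinds of application go through."""

    def __init__(self):
        self.audit = []

    def check(self, principal: Principal, operation: str) -> None:
        allowed = bool(principal.roles & POLICY.get(operation, frozenset()))
        self.audit.append((principal.name, operation, allowed))
        if not allowed:
            raise AccessDenied(f"{principal.name} may not perform {operation}")


security = SecurityAPI()


def intercept(operation: str):
    """Interceptor: call the security API on behalf of a function that
    contains no security code. The caller's principal is consumed here and
    never reaches the wrapped business logic."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            security.check(principal, operation)
            return fn(*args, **kwargs)
        return wrapper
    return decorator


@intercept("order.read")
def get_order(order_id: int) -> dict:
    """Security-unaware: plain business logic, protected only by the interceptor."""
    return {"id": order_id, "total": 42.0 if order_id < 100 else 25_000.0}


def approve_order(principal: Principal, order: dict) -> dict:
    """Security-aware: validates the policy through the API, then applies a
    finer-grained rule the role table alone cannot express."""
    security.check(principal, "order.approve")
    if order["total"] > 10_000 and "director" not in principal.roles:
        raise AccessDenied("orders above 10,000 need a director")
    return {**order, "approved_by": principal.name}


if __name__ == "__main__":
    manager = Principal("bob", frozenset({"manager"}))
    print(approve_order(manager, get_order(manager, 7)))
    print(security.audit)
```

Swapping the in-memory POLICY for a call to a directory or policy server changes only SecurityAPI.check; neither get_order nor the interceptor is touched, which is the "plug-in" property the framework slides describe.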
21. EASI Framework continued…
► Application Programming Interface
  Standard Security API
  ► Support for APIs is based on open standards or industry de facto standards
  Custom Security API
  ► Implemented when needs cannot be met by existing standard APIs
  Vendor Security API
  ► May be used where open standards have not yet been defined
23. Conclusion
► It is recommended that web services be designed according to the principles of an enterprise application security architecture.
► However, it is sometimes desirable to build services capable of referencing each other, which may lead to a finer-grained, secure services design.
► When building a new service, it is worth considering carefully the pros and cons of all design styles, which can result in a better integration solution for a targeted domain.
Before we can define the means by which Web services manage state, we need to explain a few terms and concepts
“Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet.”
The definition expresses the main point that web services are software applications like other usual software applications, which perform some specific tasks depending on their implementation. The main focus of web services is interoperability. Web services use XML [2] as the syntax of their message and use HTTP [3] to transfer that message. The message is basically a Simple Object Access Protocol (SOAP [4]) envelope, which is in XML format.
SOAP is defined as "a lightweight protocol for exchange of information in a decentralized, distributed environment." It was created by Microsoft, DevelopMentor, IBM, Lotus, and UserLand.