Web service security
Web service security standards
- XML Digital Signature (IETF and W3C)
- XML Encryption (W3C)
- SAML (Security Assertion Markup Language) (OASIS)
- WS-Security (Web Services Security) (OASIS)
- WS-SecureConversation
- WS-Federation
- WS-Policy
- WS-Trust
- WS-Privacy
- XACML (eXtensible Access Control Markup Language) (OASIS)
XML Encryption
When encrypting an XML element or element content, the EncryptedData element replaces the element or the content (respectively) in the encrypted version of the XML document.

Structure of the EncryptedData element:
  <EncryptedData Id Type MimeType Encoding>
    <EncryptionMethod/>
    <ds:KeyInfo>
      <EncryptedKey>
      <AgreementMethod>
      <ds:KeyName>
      <ds:RetrievalMethod>
      <ds:*>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>
      <CipherReference URI>
    </CipherData>
    <EncryptionProperties>
  </EncryptedData>

XML Encryption example
Before encryption:
  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>4019 2445 0277 5567</Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>

After encrypting the content of the Number element (the Type ends in #Content, so only the content is replaced and the Number element itself stays visible):
  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>
        <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                       Type='http://www.w3.org/2001/04/xmlenc#Content'>
          <CipherData>
            <CipherValue>A23B45C56</CipherValue>
          </CipherData>
        </EncryptedData>
      </Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>
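The following is an added example, not code from the slides or from any XML Encryption library. It performs the element-content replacement the slide describes on a constructed copy of the PaymentInfo document and then reverses it on the receiving side, checking the Type and Algorithm before decrypting. The cipher is a stand-in keystream (HMAC-SHA256 in counter mode) so that the example runs on the Python standard library alone; it is not one of the algorithms XML Encryption defines and carries no integrity protection, and its algorithm identifier is a hypothetical URN. Production code should use an authenticated algorithm such as AES-GCM from XML Encryption 1.1.

```python
"""Added example, not from the slides: replace an element's content with an
EncryptedData element the way XML Encryption prescribes, then reverse it.

The cipher is a stand-in keystream built from HMAC-SHA256 in counter mode so
the example runs on the standard library alone. It is not one of the
algorithms XML Encryption defines (AES-CBC, AES-GCM, ...) and it has no
integrity protection; only the document transformation is the point here.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
TYPE_CONTENT = XMLENC + "Content"     # Type value: the element *content* was encrypted
TYPE_ELEMENT = XMLENC + "Element"     # Type value: the whole element was encrypted
STANDIN_ALG = "urn:example:standin-hmac-ctr"   # hypothetical identifier, not a W3C URI
PAY_NS = "http://example.org/paymentv2"
NS = {"p": PAY_NS, "xenc": XMLENC}

# Constructed sample shaped like the slide's PaymentInfo document.
SAMPLE_XML = (
    f"<PaymentInfo xmlns='{PAY_NS}'><Name>John Smith</Name>"
    "<CreditCard Limit='5,000' Currency='USD'>"
    "<Number>4019 2445 0277 5567</Number><Issuer>Example Bank</Issuer>"
    "<Expiration>04/02</Expiration></CreditCard></PaymentInfo>"
)


def standin_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, block offset) keystream blocks. Applying
    it twice with the same key restores the input."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], stream))
    return bytes(out)


def encrypt_content(doc: ET.Element, path: str, key: bytes) -> None:
    """Encrypt the text of the element at `path` and put an
    <EncryptedData Type=...#Content> child in its place."""
    target = doc.find(path, NS)
    if target is None:
        raise KeyError(path)
    ciphertext = standin_xor(key, (target.text or "").encode("utf-8"))
    enc = ET.Element(f"{{{XMLENC}}}EncryptedData", {"Type": TYPE_CONTENT})
    ET.SubElement(enc, f"{{{XMLENC}}}EncryptionMethod", {"Algorithm": STANDIN_ALG})
    cd = ET.SubElement(enc, f"{{{XMLENC}}}CipherData")
    ET.SubElement(cd, f"{{{XMLENC}}}CipherValue").text = base64.b64encode(ciphertext).decode("ascii")
    target.text = None      # the plaintext content leaves the document ...
    target.append(enc)      # ... and EncryptedData stands in for it


def decrypt_content(doc: ET.Element, path: str, key: bytes) -> None:
    """Check the EncryptedData child's Type and algorithm, restore the
    plaintext content and drop the EncryptedData element."""
    target = doc.find(path, NS)
    enc = target.find("xenc:EncryptedData", NS)
    if enc is None or enc.get("Type") != TYPE_CONTENT:
        raise ValueError("expected EncryptedData of Type Content")
    method = enc.find("xenc:EncryptionMethod", NS)
    # Refuse anything but the expected algorithm: the Algorithm attribute is
    # attacker-controlled input and must never select a weaker cipher.
    if method is None or method.get("Algorithm") != STANDIN_ALG:
        raise ValueError("unsupported EncryptionMethod")
    cipher_value = enc.find("xenc:CipherData/xenc:CipherValue", NS)
    ciphertext = base64.b64decode(cipher_value.text or "")
    target.text = standin_xor(key, ciphertext).decode("utf-8")
    target.remove(enc)


def roundtrip(key: bytes = b"constructed-demo-key") -> tuple:
    """Encrypt the card number, serialise to the wire, parse back, decrypt.
    Returns (number visible on the wire?, Type attribute seen, recovered number)."""
    doc = ET.fromstring(SAMPLE_XML)
    encrypt_content(doc, "p:CreditCard/p:Number", key)
    wire = ET.tostring(doc, encoding="unicode")
    parsed = ET.fromstring(wire)
    number = parsed.find("p:CreditCard/p:Number", NS)
    seen_type = number.find("xenc:EncryptedData", NS).get("Type")
    decrypt_content(parsed, "p:CreditCard/p:Number", key)
    return "4019 2445 0277 5567" in wire, seen_type, number.text


if __name__ == "__main__":
    print(roundtrip())
```

The receiving side deliberately refuses an unexpected Type or Algorithm rather than trying to interpret it: both attributes arrive inside the message, so a decryptor that honours whatever they say lets the sender pick the weakest processing it supports.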
XML Signature
- Provides data integrity and authenticity
- Binds the sender's identity (the "signing entity") to an XML document
- Signature verification can be done using asymmetric or symmetric keys
- Ensures non-repudiation of the signing entity
- Proves that messages have not been altered since they were signed

Signature Element
XML digital signatures are represented by the Signature element:
  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI>
        <Transforms>
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    <KeyInfo>
    <Object ID>
  </Signature>

Signature Example
  <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
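As an added example (not code from the slides or from any XML Signature library), the block below builds a ds:Signature over one element of a constructed Order document and verifies it, so the two-stage structure of the element above becomes visible: each Reference carries the digest of the canonicalized data it points at, and SignatureValue is computed over the canonicalized SignedInfo, which commits to those digests. Three choices differ from the slide's example and are assumptions of this code: SignatureMethod is HMAC-SHA256 (a symmetric key, which the slide allows; note that a shared MAC key gives integrity and origin within the pair but not non-repudiation, since the verifier could have produced the same value), canonicalization is xml.etree's C14N 2.0 rather than c14n11, and DigestMethod is SHA-256 instead of SHA-1.

```python
"""Added example, not from the slides: build and verify an XML Signature over
one element of a document with the standard library only.

Assumptions that differ from the slide's example: SignatureMethod is
HMAC-SHA256 (symmetric key), canonicalization is xml.etree's C14N 2.0 rather
than c14n11, and DigestMethod is SHA-256 instead of SHA-1. The sample Order
document and the key are constructed for this page.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SAMPLE_DOC = "<Order Id='order1'><Item>Widget</Item><Amount>500.00</Amount></Order>"


def c14n(el: ET.Element) -> bytes:
    """Canonical form of an element. Digests and the MAC are computed over
    this, never over whatever byte layout the sender happened to emit."""
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")


def digest_b64(el: ET.Element) -> str:
    return base64.b64encode(hashlib.sha256(c14n(el)).digest()).decode("ascii")


def resolve_id(doc: ET.Element, ref_id: str) -> list:
    """All elements carrying Id=ref_id, root included."""
    found = [doc] if doc.get("Id") == ref_id else []
    return found + doc.findall(f".//*[@Id='{ref_id}']")


def sign(doc: ET.Element, target_id: str, key: bytes) -> ET.Element:
    """Return a ds:Signature whose single Reference covers Id=target_id."""
    target = resolve_id(doc, target_id)[0]
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", {"Algorithm": C14N2})
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", {"Algorithm": HMAC_SHA256})
    ref = ET.SubElement(si, f"{{{DS}}}Reference", {"URI": "#" + target_id})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", {"Algorithm": SHA256})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(target)
    # SignatureValue covers canonical SignedInfo, which commits to every digest.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode("ascii")
    return sig


def verify(doc: ET.Element, sig: ET.Element, key: bytes) -> bool:
    """Recompute every Reference digest and the MAC; False on any mismatch,
    on an unexpected algorithm, or on a Reference that does not resolve to
    exactly one element (a duplicated Id is refused, not guessed)."""
    si = sig.find(f"{{{DS}}}SignedInfo")
    if si is None:
        return False
    method = si.find(f"{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != HMAC_SHA256:
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False                    # only same-document references here
        matches = resolve_id(doc, uri[1:])
        if len(matches) != 1:
            return False
        given = ref.findtext(f"{{{DS}}}DigestValue") or ""
        if not hmac.compare_digest(digest_b64(matches[0]), given):
            return False
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    return hmac.compare_digest(mac, given)


def demo(key: bytes = b"constructed-shared-key") -> tuple:
    """Sign the sample order and verify it three ways. Returns
    (valid with right key, valid with wrong key, valid after Amount changed)."""
    doc = ET.fromstring(SAMPLE_DOC)
    sig = sign(doc, "order1", key)
    ok = verify(doc, sig, key)
    wrong_key = verify(doc, sig, key + b"x")
    doc.find("Amount").text = "5.00"
    tampered = verify(doc, sig, key)
    return ok, wrong_key, tampered


if __name__ == "__main__":
    print(demo())
```

The verifier pins the SignatureMethod it accepts and resolves each Reference to exactly one element; whether the element a signature covers is the same one the application later acts on is a check the application itself still has to make.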
SAML
- Developed by OASIS
- An XML framework for exchanging authentication and authorization information
- SAML assertions (an assertion is a declaration of a fact):
  - authentication
  - attribute
  - authorization
- SAML is used for:
  - single sign-on (SSO)
  - distributed transactions
  - authorization services

Authentication statement
Used for SSO. An issuing authority asserts that subject S was authenticated by means M at time T.
  <saml:Assertion ...>
    <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2010-02-03">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="myCompany.com" Name="ABCD"/>
        <saml:ConfirmationMethod>http://...</saml:ConfirmationMethod>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>

Attribute statement
Used for distributed transactions. An issuing authority asserts that subject S is associated with attributes A, B, ... having values 'a', 'b', ...
  <saml:Assertion ...>
    <saml:AttributeStatement>
      <saml:Subject>..Sang..</saml:Subject>
      <saml:Attribute AttributeName="PaymentStatus" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>PaidUp</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>500.00</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>

Authorization statement
Used for authorization services. An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E.
  <saml:Assertion ...>
    <saml:AuthorizationStatement Decision="Allow" Resource="http://mycompany.com/empdetails">
      <saml:Subject>...</saml:Subject>
      <saml:Actions ActionNamespace="http://...">
        <saml:Action>Read</saml:Action>
      </saml:Actions>
    </saml:AuthorizationStatement>
  </saml:Assertion>
WS-Security
- Extension to SOAP to apply security to Web services
- Defines how to attach XML Signature and XML Encryption headers to SOAP messages
- The WS-Security specification allows these token types:
  - X.509 certificates
  - Kerberos tickets
  - UserID/Password credentials
  - SAML assertions
  - custom-defined tokens

WS-Security with SAML example
  <SOAP-ENV:Envelope>
    <SOAP-ENV:Header>
      <wsse:Security>
        <saml:Assertion> ... </saml:Assertion>
      </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body> ... </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
WS-Trust
A framework for:
- issuing, renewing, and validating security tokens
- brokering trust relationships across different trust domains

WS-Trust: Security Token Service (STS)
1. The WSIT client runtime requests security metadata from the service provider (transparent to the application).
2. The service indicates that the client needs a security token from a particular STS.
3. The client requests security metadata from the STS.
4. The STS responds with the type of security token to be used for further communication.
5. The client requests a security token from the STS.
6. The client receives the security token issued by the STS.
7. The client invokes the service using the issued token.
8. The service provider verifies the token and performs the service.
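The block below is an added, self-contained simulation of the eight-step flow above, tying together the SAML authentication statement, the wsse:Security header and the STS; it is not code from the slides, from WSIT or from any SAML or WS-Trust product. The STS issues an authentication assertion shaped like the slide's (AuthenticationMethod, AuthenticationInstant, NameIdentifier), the client places it in the wsse:Security header of a SOAP envelope, and the service checks the signature, the issuer, the audience and the lifetime before performing the operation. Assumptions: the STS and the service share a key; the assertion carries a single HMAC-SHA256 ds:SignatureValue child in place of the full ds:Signature element a real assertion would contain; Issuer, AppliesTo and NotOnOrAfter are plain attributes on the assertion; times are epoch seconds; the user, password, key and names are constructed.

```python
"""Added example, not from the slides: a self-contained simulation of the STS
flow. The STS issues a SAML authentication assertion, the client carries it in
a wsse:Security header, and the service verifies it before doing work.
Assumptions (not from the page or any product): STS and service share a key;
the assertion carries one HMAC-SHA256 ds:SignatureValue child instead of a
full ds:Signature; Issuer/AppliesTo/NotOnOrAfter are attributes; times are
epoch seconds; names, key and credentials are constructed.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"


def q(ns, name):
    return f"{{{ns}}}{name}"


def canon(el):
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")


class STS:
    """Security Token Service (steps 4 to 6)."""
    token_type = "saml:Assertion"               # what it answers in step 4

    def __init__(self, name, key, users):
        self.name, self.key, self.users = name, key, users

    def issue(self, user, password, applies_to, now):
        if not hmac.compare_digest(self.users.get(user, ""), password):   # step 5
            raise PermissionError("STS rejected credentials")
        a = ET.Element(q(SAML, "Assertion"), {"Issuer": self.name, "AppliesTo": applies_to,
                                              "NotOnOrAfter": str(now + 300)})
        st = ET.SubElement(a, q(SAML, "AuthenticationStatement"),
                           {"AuthenticationMethod": "password", "AuthenticationInstant": str(now)})
        subj = ET.SubElement(st, q(SAML, "Subject"))
        ET.SubElement(subj, q(SAML, "NameIdentifier"), {"SecurityDomain": "myCompany.com", "Name": user})
        mac = hmac.new(self.key, canon(a), hashlib.sha256).digest()  # MAC over the unsigned assertion
        ET.SubElement(a, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode("ascii")
        return a                                                      # step 6


class Service:
    def __init__(self, name, sts_name, sts_key):
        self.name, self.sts_name, self.sts_key = name, sts_name, sts_key
        self.policy = {"RequiresTokenFrom": sts_name}               # step 2 metadata

    def verify_assertion(self, a, now):
        """Signature first, then issuer, audience and lifetime; returns the subject name."""
        sig = a.find(q(DS, "SignatureValue"))
        if sig is None:
            raise PermissionError("unsigned assertion")
        a.remove(sig)                                               # MAC covers everything but itself
        mac = hmac.new(self.sts_key, canon(a), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, base64.b64decode(sig.text or "")):
            raise PermissionError("bad signature")
        if a.get("Issuer") != self.sts_name:
            raise PermissionError("untrusted issuer")
        if a.get("AppliesTo") != self.name:
            raise PermissionError("token not for this service")
        if now >= int(a.get("NotOnOrAfter", "0")):
            raise PermissionError("expired")
        return a.find(f".//{q(SAML, 'NameIdentifier')}").get("Name")

    def handle(self, envelope, now):                                 # step 8
        a = envelope.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(SAML, 'Assertion')}")
        if a is None:
            raise PermissionError("no assertion in wsse:Security")
        user = self.verify_assertion(a, now)
        op = envelope.find(q(SOAP, "Body"))[0].tag.rsplit("}", 1)[-1]
        return f"{user}: {op} ok"


def envelope(token):
    """Put the token in wsse:Security and 'send' it (serialise and re-parse)."""
    env = ET.Element(q(SOAP, "Envelope"))
    ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security")).append(token)
    ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), "GetEmployeeDetails")
    return ET.fromstring(ET.tostring(env, encoding="unicode"))


def invoke(user, password, service, sts, now, call_time=None):
    """The client side, steps 1 to 8 in order."""
    if service.policy["RequiresTokenFrom"] != sts.name or sts.token_type != "saml:Assertion":
        raise PermissionError("metadata mismatch")                   # steps 1-4
    token = sts.issue(user, password, service.name, now)             # steps 5-6
    return service.handle(envelope(token), call_time or now)         # steps 7-8


def run_scenario(kind="ok"):
    """kind in {"ok", "expired", "wrong-service", "tampered"}; returns the
    service reply or the reason it refused."""
    key = b"constructed-sts-service-key"
    sts = STS("sts.myCompany.com", key, {"ABCD": "s3cret"})
    svc = Service("http://mycompany.com/empdetails", "sts.myCompany.com", key)
    now = 1_700_000_000
    try:
        if kind == "expired":
            return invoke("ABCD", "s3cret", svc, sts, now, call_time=now + 600)
        if kind == "wrong-service":
            return svc.handle(envelope(sts.issue("ABCD", "s3cret", "http://other.example/", now)), now)
        if kind == "tampered":
            token = sts.issue("ABCD", "s3cret", svc.name, now)
            token.find(f".//{q(SAML, 'NameIdentifier')}").set("Name", "ADMIN")
            return svc.handle(envelope(token), now)
        return invoke("ABCD", "s3cret", svc, sts, now)
    except PermissionError as e:
        return f"refused: {e}"
```

Step 8 is where the trust actually lands: the service accepts nothing from the assertion until the MAC checks out, and then still rejects a token issued for a different service or one whose lifetime has run out, because a valid token from the right STS is not by itself a token for this call.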
WS-SecureConversation
- WS-SecureConversation defines the creation and sharing of security contexts between communicating parties.
- The <SecurityContextToken> (SCT) element supports the requirements of security contexts.
- An SCT involves a shared secret used to sign and/or encrypt messages.
- Derived keys are used for signing and encrypting messages associated with the security context.
- WS-SecureConversation defines how derived keys are computed and passed.
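To make the last two bullets concrete, here is an added example (not code from the slides or from any WS-SecureConversation implementation) of how a derived key is computed from an SCT's shared secret: the derivation is P_SHA1, the TLS 1.0 PRF building block that WS-SecureConversation designates with its .../dk/p_sha1 algorithm URI, applied to Label + Nonce and sliced at Offset and Length. Constructed for this page: the secret, the label and the nonces; the example passes an explicit label every time rather than relying on the default the specification defines for an omitted Label element.

```python
"""Added example, not from the slides: WS-SecureConversation style key
derivation. The SCT's shared secret is never used directly; each
DerivedKeyToken names a Label, Nonce, Offset and Length, and the key is that
slice of P_SHA1(secret, Label + Nonce), the TLS 1.0 PRF building block.
Constructed for this page: the secret, the label and the nonces.
"""
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246, section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, label: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Key bytes [offset, offset + length) of P_SHA1(secret, label + nonce)."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return p_sha1(secret, label + nonce, offset + length)[offset:]


class SecurityContext:
    """One party's view of an established context: the SCT secret plus the
    derived keys minted from it. A fresh nonce per derived key keeps the
    signing key and the encryption key of a message, and the keys of each
    direction, distinct, and none of them reveals the SCT secret."""

    def __init__(self, secret: bytes, label: bytes = b"example-label"):
        self.secret, self.label = secret, label

    def derived_key_token(self, nonce: bytes = None, offset: int = 0, length: int = 32) -> dict:
        """The fields a wsc:DerivedKeyToken would carry. The key itself is never
        sent; the peer recomputes it from the shared SCT secret and these fields."""
        nonce = nonce or os.urandom(16)
        return {"Label": self.label, "Nonce": nonce, "Offset": offset, "Length": length}

    def key_for(self, token: dict) -> bytes:
        """What the receiving side does with a DerivedKeyToken it is handed."""
        return derive_key(self.secret, token["Label"], token["Nonce"], token["Offset"], token["Length"])


def demo() -> bool:
    """Both ends of a context derive the same key from one token, and a
    token with a different nonce yields a different key."""
    secret = b"constructed-sct-shared-secret"
    initiator, responder = SecurityContext(secret), SecurityContext(secret)
    token = initiator.derived_key_token(nonce=b"\x01" * 16)
    same = initiator.key_for(token) == responder.key_for(token)
    other = responder.key_for(initiator.derived_key_token(nonce=b"\x02" * 16))
    return same and other != initiator.key_for(token)
```

Offset and Length let one P_SHA1 output stream serve several keys (for example bytes 0-31 for signing and 32-63 for encryption under the same nonce), which is why the derivation is prefix-consistent: asking for a later slice must give the same bytes a longer single request would.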
XACML
XACML is a declarative access control policy language implemented in XML, together with a processing model that describes how to interpret the policies. Policies are defined as a collection of rules.

Access control rule:
  Allow access to a resource with the attribute WebService if the subject is an Employee and the action is read or write.

Administration control rule:
  Allow delegation of access control rule #1 to subjects with the attribute Consultant.
  Conditions:
  - the delegation must expire within 6 months
  - the resource must not have the attribute StrictlyInternal
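The block below is an added example, not code from the slides or from any XACML engine: a miniature policy decision point that evaluates the two rules above against sample requests. The policy is written in a simplified XML layout modelled on XACML's Policy/Rule/Target/Condition/Effect structure with a deny-overrides combining algorithm; it is not the XACML schema. The attribute names, the delegation expiry date and the requests are constructed for this page.

```python
"""Added example, not from the slides: a miniature policy decision point that
evaluates the two rules on the XACML slide. The policy uses a simplified XML
layout modelled on XACML's Policy/Rule/Target/Condition/Effect structure and
a deny-overrides combining algorithm; it is not the XACML schema. Attribute
names, the delegation expiry date and the sample requests are constructed.
"""
import xml.etree.ElementTree as ET

POLICY_XML = """
<Policy RuleCombiningAlgId="deny-overrides">
  <!-- Access control rule: Employees may read or write WebService resources. -->
  <Rule RuleId="rule1" Effect="Permit">
    <Target>
      <Subject attr="role" value="Employee"/>
      <Resource attr="type" value="WebService"/>
      <Action value="read"/>
      <Action value="write"/>
    </Target>
  </Rule>
  <!-- Administration rule: rule1 is delegated to Consultants. The delegation
       expires within six months of its grant and never covers a resource
       carrying the StrictlyInternal attribute. -->
  <Rule RuleId="rule2" Effect="Permit" DelegatedFrom="rule1" NotOnOrAfter="2010-08-03">
    <Target>
      <Subject attr="role" value="Consultant"/>
    </Target>
    <Condition attr="classification" mustNotEqual="StrictlyInternal"/>
  </Rule>
</Policy>
"""


def make_request(role, resource_type, action, date, classification=None):
    """A decision request: subject attributes, resource attributes, action, date."""
    resource = {"type": resource_type}
    if classification:
        resource["classification"] = classification
    return {"subject": {"role": role}, "resource": resource, "action": action, "date": date}


def target_matches(target, request, with_subject=True):
    """Every Subject/Resource match in the Target must hold; the action must be
    one of the listed Actions (no Action elements means any action)."""
    for el in target:
        if el.tag == "Subject" and not with_subject:
            continue
        if el.tag in ("Subject", "Resource"):
            attrs = request[el.tag.lower()]
            if attrs.get(el.get("attr")) != el.get("value"):
                return False
    actions = [a.get("value") for a in target.findall("Action")]
    return not actions or request["action"] in actions


def rule_applies(rule, policy, request):
    if not target_matches(rule.find("Target"), request):
        return False
    parent_id = rule.get("DelegatedFrom")
    if parent_id:
        # A delegate may exercise only what the delegated rule grants (its
        # resource and actions) and only while the delegation is unexpired.
        parent = policy.find(f"Rule[@RuleId='{parent_id}']")
        if parent is None or request["date"] >= rule.get("NotOnOrAfter", ""):
            return False
        if not target_matches(parent.find("Target"), request, with_subject=False):
            return False
    for cond in rule.findall("Condition"):
        if request["resource"].get(cond.get("attr")) == cond.get("mustNotEqual"):
            return False
    return True


def evaluate(policy_xml, request):
    """Permit, Deny or NotApplicable under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("unsupported rule-combining algorithm")
    effects = {r.get("Effect") for r in policy.findall("Rule") if rule_applies(r, policy, request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

Note that the StrictlyInternal condition is attached to the delegation, not to rule #1, so an Employee still reads a StrictlyInternal WebService resource while a Consultant gets NotApplicable, exactly the scoping the slide's two rules describe. A request that matches no applicable rule falls through to NotApplicable, which an enforcement point must treat as a refusal.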
XACML benefits
- One standard access control policy language can replace dozens of application-specific languages.
- Administrators save time and money because they don't need to rewrite their policies in many different languages.
- XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
- One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
- XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.
