Prabath Siriwardena – Software Architect, WSO2
Plan for the session
  • Patterns
  • Standards
  • Implementations
Recurring Problems → Patterns
  • Authentication Patterns
  • Confidentiality Patterns
  • Authorization Patterns
[Timeline slides: 1995, 1997, 1999, 2004, 2005 (SAML2 Web SSO), 2008/May; the other standard names are not recoverable from the slide text]
Authentication Patterns
  • Direct Authentication
  • Brokered Authentication
Direct Authentication for Web Services – Transport Level
  • Basic Authentication
  • Mutual Authentication
  • 2-legged OAuth
Direct Authentication for Web Services – Message Level
  • UsernameToken Profile with WS-Security
  • Signing – X.509 Token Profile with WS-Security
Brokered Authentication for Web Services – Transport Level
  • Mutual Authentication
  • 2-legged OAuth
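Both transport-level slides above list 2-legged OAuth: the caller signs every request with only its consumer key and secret (no access token), so the service authenticates the client directly from the signature. The following is an added example, not code from the deck or from WSO2; it implements the RFC 5849 HMAC-SHA1 signature on the client side and the checks a service needs on the other side (known consumer, fresh timestamp, unused nonce, matching signature). The consumer registry, URL and secrets are constructed for the demo.

```python
"""2-legged OAuth 1.0a request signing and verification (added example)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value: str) -> str:
    # RFC 5849 3.6: percent-encode everything except the unreserved set
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1 base string: METHOD & base-URL & normalized-parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # query-string parameters are normalized together with the oauth_* ones
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((_enc(k), _enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # 2-legged: there is no token, so the signing key ends in "&" (empty token secret)
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_request(method: str, url: str, consumer_key: str, consumer_secret: str, extra=None) -> dict:
    """Client side: the oauth_* parameters plus the signature (sent in the Authorization header)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params.update(extra or {})
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params


# Service side. Constructed consumer registry and an in-memory nonce cache.
CONSUMERS = {"report-batch-client": "9f2c1e-consumer-secret"}
SEEN_NONCES = set()


def verify_request(method: str, url: str, params: dict, window: int = 300, now=None) -> bool:
    """Reject unknown consumers, stale timestamps, replayed nonces and bad signatures."""
    p = dict(params)
    presented = p.pop("oauth_signature", None)
    secret = CONSUMERS.get(p.get("oauth_consumer_key", ""))
    if presented is None or secret is None:
        return False
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window:
        return False
    replay_key = (p["oauth_consumer_key"], p.get("oauth_nonce", ""), ts)
    if replay_key in SEEN_NONCES:
        return False
    expected = sign(method, url, p, secret)
    if not hmac.compare_digest(expected, presented):
        return False
    SEEN_NONCES.add(replay_key)  # record the nonce only after every check has passed
    return True


if __name__ == "__main__":
    url = "https://api.example.test/reports?year=2008"
    req = build_request("GET", url, "report-batch-client", "9f2c1e-consumer-secret")
    print(verify_request("GET", url, req), verify_request("GET", url, req))  # True, then False (replay)
```

The nonce cache must be shared across service instances and bounded by the timestamp window, otherwise a request replayed against another node, or after the cache is cleared, is accepted again.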
Brokered Authentication for Web Services – Message Level
  • WS-Trust / STS
  • Resource STS
  • WS-Federation
  • Signing – X.509 Token Profile with WS-Security
  • Kerberos Token Profile for WS-Security
[Timeline slides: 2006/April, 2006/June, 2007/Dec, 2008/2009; the standard names are not recoverable from the slide text]
Authorization Patterns
  • Direct Authorization
  • Delegated Authorization – ActAs in WS-Trust 1.4
[Timeline slide: 2005/Feb]
Message Level – Security Solution Patterns
  • Message Interceptor Gateway Pattern
  • Trusted Sub System Pattern
Message Level – SOAP Security
  • UsernameToken Profile
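The UsernameToken Profile is named on the direct message-level authentication slide and again here. Its PasswordDigest form is Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes, and the receiver is expected to cache nonces and bound the Created timestamp so a captured token cannot be replayed. The following is an added example, not code from the deck or from WSO2: it builds the wsse:UsernameToken element and verifies it on the receiving side. The user store is constructed for the demo; note that the receiver must hold the cleartext password (or an equivalent it can hash into the digest), which is the profile's main operational weakness and why the token is normally sent over TLS anyway.

```python
"""WS-Security UsernameToken with PasswordDigest: builder and verifier (added example)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the decoded bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Sender side: serialize a wsse:UsernameToken carrying a digest, nonce and creation time."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


# Receiver side. Constructed user store; the digest can only be recomputed from the cleartext password.
USERS = {"alice": "correct horse battery staple"}
SEEN_NONCES = {}  # nonce -> Created; entries older than the freshness window can be evicted


def verify_username_token(xml_text: str, now: datetime = None, skew: timedelta = timedelta(minutes=5)):
    """Return the authenticated username, or None. Checks digest type, freshness, replay and digest value."""
    tok = ET.fromstring(xml_text)
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw_el is None or pw_el.get("Type") != DIGEST or not (username and nonce_b64 and created):
        return None  # refuse PasswordText and malformed tokens outright
    try:
        created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    now = now or datetime.now(timezone.utc)
    if abs(now - created_dt) > skew:
        return None  # stale (or future-dated) token
    if nonce_b64 in SEEN_NONCES:
        return None  # replay of a token already accepted
    password = USERS.get(username)
    if password is None:
        return None
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return None
    SEEN_NONCES[nonce_b64] = created_dt
    return username


if __name__ == "__main__":
    token_xml = build_username_token("alice", "correct horse battery staple")
    print(token_xml)
    print(verify_username_token(token_xml), verify_username_token(token_xml))  # alice, then None (replay)
```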
Message Level – SOAP Security
  • X.509 Token Profile & Key Referencing
      – Key Identifiers
      – Direct References
Message Level – SOAP Security
  • Symmetric Binding vs Asymmetric Binding
Message Level – SOAP Security: WS-SecureConversation
  • WS-Security secures SOAP; it focuses on message-level security.
  • It focuses on a single-message authentication model.
  • Each message contains everything necessary to authenticate itself.
  • Suitable for coarse-grained messaging in which a single message at a time from the same requestor is received.
Message Level – SOAP Security: WS-SecureConversation
  • What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer.
  • Removes the need for each individual SOAP message to carry authentication information.
  • Establishes a mutually authenticated security context in which a series of messages is exchanged.
  • Uses public-key encryption to exchange a shared secret and from then on uses the shared key.
Message Level – SOAP Security
  • WS-Trust
Message Level – SOAP Security
  • Sender Vouches – Subject Confirmation
Message Level – SOAP Security
  • Holder-of-Key – Subject Confirmation
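The two subject-confirmation slides above differ in where the relying party places its trust: with holder-of-key, the STS binds a key to the subject inside the signed assertion and the message must be signed with that key; with sender-vouches, the assertion carries no proof of possession, so the relying party accepts it only if a pre-registered attesting intermediary has signed the message and the assertion together. The following is an added example, not code from the deck or from WSO2, showing that decision logic on the relying party. XML signatures are modelled with HMAC so it runs on the standard library alone (real deployments use X.509 keys), and the key ids, subject names and the 'sts' and 'gateway' parties are constructed for the demo.

```python
"""SAML subject confirmation at the relying party: sender-vouches vs holder-of-key (added example)."""
import hashlib
import hmac
import json

SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _canon(obj) -> bytes:
    # stand-in for XML canonicalization: a stable serialization to sign over
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, obj) -> str:
    # stand-in for an XML signature; hex so it can be embedded in further signed structures
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def issue_assertion(sts_key: bytes, subject: str, method: str, subject_key_id: str = None) -> dict:
    """STS side. For holder-of-key the assertion names the key the subject must prove it holds."""
    claims = {"issuer": "sts", "subject": subject, "confirmation": method}
    if method == HOLDER_OF_KEY:
        claims["confirmation_key"] = subject_key_id
    return {"assertion": claims, "sig": _sign(sts_key, claims)}


def build_message(body: str, assertion: dict, signer_id: str, signer_key: bytes) -> dict:
    """Sender side. The signature covers body AND assertion so they cannot be re-paired by an attacker."""
    envelope = {"body": body, "assertion": assertion}
    return {**envelope, "signer": signer_id, "sig": _sign(signer_key, envelope)}


class RelyingParty:
    def __init__(self, sts_key: bytes, attesters: dict, subject_keys: dict):
        self.sts_key = sts_key
        self.attesters = attesters        # intermediaries trusted to vouch for a subject (sender-vouches)
        self.subject_keys = subject_keys  # keys holder-of-key proofs are checked against

    def authenticate(self, msg: dict):
        """Return the confirmed subject, or None if the message is rejected."""
        token = msg["assertion"]
        claims = token["assertion"]
        if not hmac.compare_digest(_sign(self.sts_key, claims), token["sig"]):
            return None  # assertion was not issued (or has been altered) by our STS
        method = claims["confirmation"]
        if method == HOLDER_OF_KEY:
            # the proof key comes from the signed assertion, never from what the message claims
            key = self.subject_keys.get(claims.get("confirmation_key"))
        elif method == SENDER_VOUCHES:
            # trust shifts to the sender: only a registered attesting entity may vouch
            key = self.attesters.get(msg["signer"])
        else:
            return None
        if key is None:
            return None
        envelope = {"body": msg["body"], "assertion": token}
        if not hmac.compare_digest(_sign(key, envelope), msg["sig"]):
            return None
        return claims["subject"]


if __name__ == "__main__":
    sts_key, alice_key, gw_key = b"sts-signing-key", b"alice-key", b"gateway-key"
    rp = RelyingParty(sts_key, attesters={"gateway": gw_key}, subject_keys={"alice-cert": alice_key})
    hok = issue_assertion(sts_key, "alice", HOLDER_OF_KEY, "alice-cert")
    print(rp.authenticate(build_message("<Order/>", hok, "alice-cert", alice_key)))  # alice
    print(rp.authenticate(build_message("<Order/>", hok, "gateway", gw_key)))        # None
```

The second call in the demo is the point of holder-of-key: even a trusted gateway cannot replay alice's assertion without alice's key, whereas under sender-vouches that same gateway is exactly who the relying party is trusting.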
SOAP Security
  • WS-SecurityPolicy

References:
  http://wso2.org/library/3132
  http://wso2.org/library/3786
Prabath Siriwardena's presentation on authentication and authorization patterns for web services
