SlideShare a Scribd company logo

WS-Security Token References

Download as PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

WS - Security

EducationTechnologyNews & Politics
1 of 58
WS - Security Prabath Siriwardena Director, Security Architecture
WS-Security • WS-Security – Authentication – Integrity and non-repudiation – Confidentiality • Initial effort of MSFT, IBM, Verisign, etc. • Standardized at : Organization for the Advancement of Structured Information Standards (OASIS)
WS-Security • Based on XML Encryption and XML Signature • Basic framework for message level security  Encryption  Signature  Security Tokens
Security Tokens • Security Tokens are pieces of information used for authentication and authorization. - UserNameToken [User name/password] - BinaryToken [ X.509 Tokens / Kerberos Tokens] - XML Token [SAML Tokens]
WS-Security • Provisions for “profiles” to support different crypto technologies  SAML Tokens  X. 509 Tokens  UsernameToken
Message Level Security • Authentication – UsernameToken – Use plain text password with a secure transport • Integrity and Non-repudiation – A detached XML-Signature used and one or more parts are signed • Confidentiality – Encrypt the SOAP Body or any other part of the message
WS-Security • For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted. • XML Signature, inside the security header , with its <Reference> elements points to the parts of the message that are being digitally signed.
WS-Security <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken> <ds:Signature> </ds:Signature> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
<BinarySecurityToken /> • Can hold binary tokens – e.g. X509 tokens, Kerberos tokens. • Because these are binary tokens – should specify the EncodingType to represent them in XML. • ValueType indicates what the security token is. <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
QUESTION 1 Discuss the applicability of following child elements under <KeyInfo> with respect to the Example -1. <KeyName /> <KeyValue /><RetrievalMethod /> <X509Data />
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:EncryptedKey> <ds:KeyInfo> <wsse:SecurityTokenReference> <ds:X509IssuerSerial> <ds:X509IssuerName> </ds:X509IssuerName> <ds:X509SerialNumber> </ds:X509SerialNumber> </ds:X509IssuerSerial> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
Token References • Defines mechanisms for referencing security tokens. • Introduces the <SecurityTokenReferenece> as a standard way to refer to a security token regardless of their format.  Direct References  Key Identifiers  Key Names  Embedded References
Direct References • This allows references to include tokens using URI fragments and external tokens using full URIs
Direct Reference Example <S11:Envelope > <S11:Header> <wsse:Security> <wsse:BinarySecurityToken ValueType="...#X509v3” EncodingType="...#Base64Binary” wsu:Id="X509Token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:BinarySecurityToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#myBody"> <ds:Transforms> <ds:Transform Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>EULddytSo1...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> BL8jdfToEb1l/vXcMZNNjPOV... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="myBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
Key Identifiers • This allows tokens to be referenced using an opaque value that represents the token. • A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
Key Identifiers <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" > MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference>
Key Identifiers • Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to that specified in the security token profile that is associated with the security token. The ValueType attribute in a KeyIdentifier is optional. This can cause ambiguity when it is not explicitly stated. Furthermore, interoperability is discouraged if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.
Key Names • This allows tokens to be referenced using a string that matches an identity assertion within the security token. • In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
Key Names Example <!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate --> <wsse:SecurityTokenReference> <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName> </wsse:SecurityTokenReference> KeyName references are prohibited by the WS-Security Basic Profile.
Embedded • This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere). • Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
Embedded Token Example <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id=“"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference>
1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which message-security-1.0#Base64Binary"> specifies a wsu:id lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded <wsse:SecurityTokenReference> element --> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
2 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
3 Reading SOAP is fun  <wsse:Security > <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference> </wsse:Security>
4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' <!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> SomeCert appears after it is </wsse:SecurityTokenReference> referenced from within the xenc:EncryptedKey element --> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
5 Reading SOAP is fun  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers 1.0#Base64Binary"> to the lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... wsse:SecurityTokenReference with an wsu:Id of TheFirstSTR --> </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> <!-- This example is </wsu:Timestamp> incorrect because Security header MUST NOT contain more than one TIMESTAMP--> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
8 Reading SOAP is fun  <soap: Header> <wsse:Security > </wsse:Security> <wsse:Security > </wsse:Security> </soap: Header>
8 Reading SOAP is fun  <soap: Header> <wsse:Security > <!– This</wsse:Security> Header MUST not have more than one Security header where the is incorrect. SOAP actor/role attribute omitted--> <wsse:Security > </wsse:Security> </soap: Header>
9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > </wsse:Security> <wsse:Security actor=“foo” > </wsse:Security> </soap: Header>
9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > <!– This is</wsse:Security> incorrect. SOAP Header MUST not have more than one Security header with the same actor/role <wsse:Security actor=“foo” > attribute omitted--> </wsse:Security> </soap: Header>
10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature>
10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> <!– This is incorrect. Must used Detached Signature. Enveloping or Enveloped </ds:SignedInfo> allowed.--> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature> Signatures are not
11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> A signature reference to an element that does not have an ID attribute MUST contain a </ds:Transform> TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2" <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
12 Reading SOAP is fun  <wsse:Security > <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'> <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'> <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert” ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
13 Reading SOAP is fun  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element and that is the only child element.
14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> A Signature MUST NOT contain a ds:Manifest descendant element. </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security>
15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> Any EncryptedKey MUST precede any EncryptedData in This is incorrect. <xenc:EncryptedKey> header referenced by the associated ReferenceList. <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> the same Security
16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <!-- This example is incorrect because the xenc:EncryptedKey element is missing an <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> xenc:ReferenceList child element --> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
<wsse11:SignatureConfirmation /> Ensure that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element <wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
<wsse11:EncryptedHeader /> WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block including the top-level element and its attributes be encrypted, the original header block is replaced with an <EncryptedHeader /> . Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
STR-Transform <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#Str1"> <ds:Transforms> <ds:Transform Algorithm="...#STR-Transform"> <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </wsse:TransformationParameters> </ds:Transform> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue></ds:SignatureValue> </ds:Signature> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
STR-Transform This transform is specified by the URI #STR-Transform and when applied to a <wsse:SecurityTokenReference> element it means that the output is the token referenced by the <wsse:SecurityTokenReference> element not the element itself.
lean . enterprise . middleware

Recommended

18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Hash Function
Hash Function Hash Function
Hash Function ssuserdfb2da
 
Specification-of-tokens
Specification-of-tokensSpecification-of-tokens
Specification-of-tokensDattatray Gandhmal
 
Cryptography
CryptographyCryptography
CryptographyShivanand Arur
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIMERohit Soni
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : AlgorithmSahil Kureel
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 

Recommended

18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Hash Function
Hash Function Hash Function
Hash Function ssuserdfb2da
 
Specification-of-tokens
Specification-of-tokensSpecification-of-tokens
Specification-of-tokensDattatray Gandhmal
 
Cryptography
CryptographyCryptography
CryptographyShivanand Arur
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIMERohit Soni
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : AlgorithmSahil Kureel
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesMdFazleRabbi18
 
Loaders
LoadersLoaders
LoadersMohd Arif
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Leaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingLeaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingVimal Dewangan
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash AlgorithmVishakha Agarwal
 
Cloud Security Mechanisms
Cloud Security MechanismsCloud Security Mechanisms
Cloud Security MechanismsMohammed Sajjad Ali
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tlsRana assad ali
 
Rc4
Rc4Rc4
Rc4Amjad Rehman
 
Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Ravindra Dastikop
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsJames Wong
 
Message digest 5
Message digest 5Message digest 5
Message digest 5Tirthika Bandi
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithmRuchi Maurya
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Transactions and Concurrency Control
Transactions and Concurrency ControlTransactions and Concurrency Control
Transactions and Concurrency ControlDilum Bandara
 
Chapter 6
Chapter 6Chapter 6
Chapter 6pavan penugonda
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Identacor
 
Cloud service management
Cloud service managementCloud service management
Cloud service managementgaurav jain
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service SecurityLuqman Shareef
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicyPrabath Siriwardena
 

More Related Content

What's hot

Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesMdFazleRabbi18
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Leaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingLeaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingVimal Dewangan
 
Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Ravindra Dastikop
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsJames Wong
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithmRuchi Maurya
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Transactions and Concurrency Control
Transactions and Concurrency ControlTransactions and Concurrency Control
Transactions and Concurrency ControlDilum Bandara
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Identacor
 
Cloud service management
Cloud service managementCloud service management
Cloud service managementgaurav jain
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 

What's hot (20)

Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniques
 
Loaders
LoadersLoaders
Loaders
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Leaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingLeaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shaping
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 
Cloud Security Mechanisms
Cloud Security MechanismsCloud Security Mechanisms
Cloud Security Mechanisms
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
 
Rc4
Rc4Rc4
Rc4
 
Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Message digest 5
Message digest 5Message digest 5
Message digest 5
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
Transactions and Concurrency Control
Transactions and Concurrency ControlTransactions and Concurrency Control
Transactions and Concurrency Control
 
Chapter 6
Chapter 6Chapter 6
Chapter 6
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Cloud service management
Cloud service managementCloud service management
Cloud service management
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 Certificates
 

Viewers also liked

Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Web Services - A brief overview
Web Services - A brief overviewWeb Services - A brief overview
Web Services - A brief overviewRaveendra Bhat
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical ApproachMadhaiyan Muthu
 
Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Martin Necasky
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSalesforce Developers
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Webservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTWebservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTPradeep Kumar
 

Viewers also liked (19)

Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicy
 
XML Signature
XML SignatureXML Signature
XML Signature
 
WS-Trust
WS-TrustWS-Trust
WS-Trust
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Web Services Security - Presentation
Web Services Security - PresentationWeb Services Security - Presentation
Web Services Security - Presentation
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
XML Encryption
XML EncryptionXML Encryption
XML Encryption
 
Web Services - A brief overview
Web Services - A brief overviewWeb Services - A brief overview
Web Services - A brief overview
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical Approach
 
Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
 
Web Services
Web ServicesWeb Services
Web Services
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
 
Web service introduction
Web service introductionWeb service introduction
Web service introduction
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Webservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTWebservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and REST
 

Similar to WS-Security Token References

Secured SOA
Secured SOASecured SOA
Secured SOAWSO2
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA SecurityWSO2
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationSimon Haslam
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and OperationsNisheed KM
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESBWSO2
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLGlobalSign
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based EncryptionDavid Dye
 

Similar to WS-Security Token References (20)

Secured SOA
Secured SOASecured SOA
Secured SOA
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA Security
 
Secured SOA
Secured SOASecured SOA
Secured SOA
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Ws security with mule
Ws security with muleWs security with mule
Ws security with mule
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar cluster
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based Encryption
 

More from Prabath Siriwardena

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity ManagementPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet IdentityPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudPrabath Siriwardena
 

More from Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
OAuth 2.0 Threat Landscape
OAuth 2.0 Threat LandscapeOAuth 2.0 Threat Landscape
OAuth 2.0 Threat Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 

Recently uploaded

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 

Recently uploaded (20)

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 

WS-Security Token References

  • 1. WS - Security Prabath Siriwardena Director, Security Architecture
  • 2. WS-Security • WS-Security – Authentication – Integrity and non-repudiation – Confidentiality • Initial effort of MSFT, IBM, Verisign, etc. • Standardized at : Organization for the Advancement of Structured Information Standards (OASIS)
  • 3. WS-Security • Based on XML Encryption and XML Signature • Basic framework for message level security  Encryption  Signature  Security Tokens
  • 4. Security Tokens • Security Tokens are pieces of information used for authentication and authorization. - UserNameToken [User name/password] - BinaryToken [ X.509 Tokens / Kerberos Tokens] - XML Token [SAML Tokens]
  • 5. WS-Security • Provisions for “profiles” to support different crypto technologies  SAML Tokens  X. 509 Tokens  UsernameToken
  • 6. Message Level Security • Authentication – UsernameToken – Use plain text password with a secure transport • Integrity and Non-repudiation – A detached XML-Signature used and one or more parts are signed • Confidentiality – Encrypt the SOAP Body or any other part of the message
  • 7. WS-Security • For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted. • XML Signature, inside the security header , with its <Reference> elements points to the parts of the message that are being digitally signed.
  • 8. WS-Security <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken> <ds:Signature> </ds:Signature> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 9. <BinarySecurityToken /> • Can hold binary tokens – e.g. X509 tokens, Kerberos tokens. • Because these are binary tokens – should specify the EncodingType to represent them in XML. • ValueType indicates what the security token is. <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken>
  • 10. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 11. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 12. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 13. QUESTION 1 Discuss the applicability of following child elements under <KeyInfo> with respect to the Example -1. <KeyName /> <KeyValue /><RetrievalMethod /> <X509Data />
  • 14. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 15. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 16. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:EncryptedKey> <ds:KeyInfo> <wsse:SecurityTokenReference> <ds:X509IssuerSerial> <ds:X509IssuerName> </ds:X509IssuerName> <ds:X509SerialNumber> </ds:X509SerialNumber> </ds:X509IssuerSerial> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 17. Token References • Defines mechanisms for referencing security tokens. • Introduces the <SecurityTokenReferenece> as a standard way to refer to a security token regardless of their format.  Direct References  Key Identifiers  Key Names  Embedded References
  • 18. Direct References • This allows references to include tokens using URI fragments and external tokens using full URIs
  • 19. Direct Reference Example <S11:Envelope > <S11:Header> <wsse:Security> <wsse:BinarySecurityToken ValueType="...#X509v3” EncodingType="...#Base64Binary” wsu:Id="X509Token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:BinarySecurityToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#myBody"> <ds:Transforms> <ds:Transform Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>EULddytSo1...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> BL8jdfToEb1l/vXcMZNNjPOV... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="myBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 20. Key Identifiers • This allows tokens to be referenced using an opaque value that represents the token. • A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
  • 22. Key Identifiers • Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to that specified in the security token profile that is associated with the security token. The ValueType attribute in a KeyIdentifier is optional. This can cause ambiguity when it is not explicitly stated. Furthermore, interoperability is discouraged if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.
  • 23. Key Names • This allows tokens to be referenced using a string that matches an identity assertion within the security token. • In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
  • 24. Key Names Example <!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate --> <wsse:SecurityTokenReference> <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName> </wsse:SecurityTokenReference> KeyName references are prohibited by the WS-Security Basic Profile.
  • 25. Embedded • This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere). • Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
  • 26. Embedded Token Example <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id=“"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference>
  • 27. 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
  • 28. 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which message-security-1.0#Base64Binary"> specifies a wsu:id lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded <wsse:SecurityTokenReference> element --> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
  • 29. 2 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
  • 30. 3 Reading SOAP is fun  <wsse:Security > <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference> </wsse:Security>
  • 31. 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
  • 32. 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' <!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> SomeCert appears after it is </wsse:SecurityTokenReference> referenced from within the xenc:EncryptedKey element --> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
  • 33. 5 Reading SOAP is fun  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
  • 34. 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
  • 35. 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers 1.0#Base64Binary"> to the lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... wsse:SecurityTokenReference with an wsu:Id of TheFirstSTR --> </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
  • 36. 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
  • 37. 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> <!-- This example is </wsu:Timestamp> incorrect because Security header MUST NOT contain more than one TIMESTAMP--> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
  • 38. 8 Reading SOAP is fun  <soap: Header> <wsse:Security > </wsse:Security> <wsse:Security > </wsse:Security> </soap: Header>
  • 39. 8 Reading SOAP is fun  <soap: Header> <wsse:Security > <!– This</wsse:Security> Header MUST not have more than one Security header where the is incorrect. SOAP actor/role attribute omitted--> <wsse:Security > </wsse:Security> </soap: Header>
  • 40. 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > </wsse:Security> <wsse:Security actor=“foo” > </wsse:Security> </soap: Header>
  • 41. 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > <!– This is</wsse:Security> incorrect. SOAP Header MUST not have more than one Security header with the same actor/role <wsse:Security actor=“foo” > attribute omitted--> </wsse:Security> </soap: Header>
  • 42. 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature>
  • 43. 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> <!– This is incorrect. Must used Detached Signature. Enveloping or Enveloped </ds:SignedInfo> allowed.--> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature> Signatures are not
  • 44. 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 45. 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> A signature reference to an element that does not have an ID attribute MUST contain a </ds:Transform> TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2" <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 46. 12 Reading SOAP is fun  <wsse:Security > <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'> <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'> <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert” ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 47. 13 Reading SOAP is fun  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element and that is the only child element.
  • 48. 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
  • 49. 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> A Signature MUST NOT contain a ds:Manifest descendant element. </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
  • 50. 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security>
  • 51. 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> Any EncryptedKey MUST precede any EncryptedData in This is incorrect. <xenc:EncryptedKey> header referenced by the associated ReferenceList. <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> the same Security
  • 52. 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
  • 53. 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <!-- This example is incorrect because the xenc:EncryptedKey element is missing an <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> xenc:ReferenceList child element --> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
  • 54. <wsse11:SignatureConfirmation /> Ensure that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element <wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
  • 55. <wsse11:EncryptedHeader /> WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block including the top-level element and its attributes be encrypted, the original header block is replaced with an <EncryptedHeader /> . Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
  • 56. STR-Transform <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#Str1"> <ds:Transforms> <ds:Transform Algorithm="...#STR-Transform"> <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </wsse:TransformationParameters> </ds:Transform> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue></ds:SignatureValue> </ds:Signature> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
  • 57. STR-Transform This transform is specified by the URI #STR-Transform and when applied to a <wsse:SecurityTokenReference> element it means that the output is the token referenced by the <wsse:SecurityTokenReference> element not the element itself.
  • 58. lean . enterprise . middleware