WEB SERVICES SECURITY
Prashanth Kumar Muthoju
Agenda
• Web Services
• Web Services Security
• Examples
• WSE 2.0
• DEMO
• Q & A
Web Service?
1. A Web Service is a software component that is described via WSDL and is capable of being accessed via standard network protocols such as, but not limited to, SOAP over HTTP.
2. A Web service is an application that:
− Runs on a Web server
− Exposes Web methods to interested callers
− Listens for HTTP requests representing commands to invoke Web methods
− Executes Web methods and returns the results
For more info: www.oasis-open.org/committees/wsia/glossary/wsia-draft-glossary-03.htm
What web services can do for you (video presentation): http://www.microsoft.com/net/basics/webservicesoverview.asp
Web Services In a Nutshell
[Diagram: the web services protocol stack. Layers from the bottom: Transport (TCP/IP, UDP, …); Transfer (HTTP, SMTP, …); Envelope (MIME, DIME, BEEP, …); XML + Namespaces + Information Set, with XML Schema (RDF?, DAML?), Canonical XML, XML Encryption and XML Signature; SOAP, with WS-Routing, WS-Referral, WS-Security, SAML and WS-License. Above these, three columns: WS messaging (WS-Coordination, WS-Transaction), WS descriptions (WSDL, WSCI, BPEL4WS) and WS discovery (UDDI, WS-Inspection; register, search, subscribe).]
Web Services
• Interoperability
• Ease of consumption
• Use of standard protocols
As usage grows, need for Security increases
Web Services Security
• Authentication
• Protocol level Security
• Message level Security
Authentication – types:
• Direct
• Brokered
Message Protection:
• Data Confidentiality:
− Encryption
− Keys
Preventing a hacker from manipulating messages in transit
• Data Origin Authentication:
− Data Integrity – has the data been tampered with?
− Authenticity – is it from the original sender?
• XML messages convey security information: credentials, digital signatures
• Messages can be encrypted
[Diagram: Client – Transport – Service, with XML messages crossing any transport]
• Security is independent from the transport protocol
Protocol Level Security:
• Security implemented in the protocol itself − SSL
Web Services Enhancements (WSE 2.0):
• It is a supported add-on for Microsoft VS.NET and the .NET Framework
• Provides advanced Web Service capabilities
• Download at http://www.microsoft.com/downloads/details.aspx?familyid=1ba1f631-c3e7-420a-bc1e-ef18bab66122&displaylang=en
• For easy development of secure web services according to the specifications published by Microsoft: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx
WS-* Specifications:
Security Specifications:
• WS-Security: SOAP Message Security
• WS-Security: UsernameToken Profile
• WS-Security: X.509 Certificate Token Profile
• WS-SecureConversation
• WS-SecurityPolicy
• WS-Trust
• WS-Federation
• WS-Federation Active Requestor Profile
• WS-Federation Passive Requestor Profile
• WS-Security: Kerberos Binding
• Web Single Sign-On Interoperability Profile
• Web Single Sign-On Metadata Exchange Protocol
More info: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnglobspec/html/wssecurspecindex.asp
Username Tokens:
• Simple method of conveying username
• Password is used to generate a secret key for signing and encrypting
• Password can be sent as plaintext or digest
− Digest uses a timestamp value valid within a time window
− WSE provides a built-in replay detection mechanism
− WSE automatically creates a Windows Principal for plain-text passwords
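The digest variant and the replay check described above, as an added example that is not part of the original slides or of WSE: the client builds a UsernameToken whose PasswordDigest is Base64(SHA-1(nonce + created + password)) per the WS-Security UsernameToken Profile, and the service recomputes it after checking the timestamp window and a nonce cache. The user store, the five-minute window and the in-memory cache are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed demo credential store; a real service looks the password up per user.
USERS = {"alice": "correct horse battery staple"}
WINDOW = timedelta(minutes=5)   # freshness window allowed for the Created timestamp
_seen = set()                   # replay cache of (user, nonce, created) already accepted
FMT = "%Y-%m-%dT%H:%M:%SZ"

def make_username_token(username, password, created=None):
    """Client side: fields of a wsse:UsernameToken carrying a PasswordDigest.
    Per the UsernameToken Profile, Digest = Base64(SHA-1(nonce + created + password)),
    with the nonce as raw bytes and created as the literal timestamp string."""
    nonce = os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}

def to_soap_header(token):
    """Render the token as it would appear inside wsse:Security in the SOAP header."""
    return (f'<wsse:UsernameToken><wsse:Username>{token["Username"]}</wsse:Username>'
            f'<wsse:Password Type="...#PasswordDigest">{token["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce><wsu:Created>{token["Created"]}</wsu:Created>'
            '</wsse:UsernameToken>')

def verify_username_token(token, now=None):
    """Server side: freshness window, then nonce replay, then digest match.
    Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > WINDOW:
        return False, "timestamp outside freshness window"
    key = (token["Username"], token["Nonce"], token["Created"])
    if key in _seen:
        return False, "replayed nonce"
    password = USERS.get(token["Username"])
    if password is None:
        return False, "unknown user"
    expected = hashlib.sha1(base64.b64decode(token["Nonce"]) + token["Created"].encode()
                            + password.encode()).digest()
    if not hmac.compare_digest(expected, base64.b64decode(token["PasswordDigest"])):
        return False, "digest mismatch"
    _seen.add(key)  # only accepted tokens enter the replay cache
    return True, "ok"
```

The Type attribute URI is abbreviated with "..." in the rendered header; the plaintext variant (PasswordText) skips the nonce and digest entirely, which is why the slides pair it with transport protection such as SSL.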
DEMO
Web Service Security using:
1. Windows Integrated Authentication
2. Windows Basic Authentication
3. SOAP header based authentication
Using WSE 2.0:
1. Using Username Tokens
2. Using Kerberos Tokens (only code)
CONCLUSION:
With use of Enhanced add-ons like WSE, .NET can provide more secure web services.
Q & A
Thank you !