1 soa security dr. yuhong yan. 2 content security issues overview security for soa referece: r....
Post on 18-Dec-2015
217 views
TRANSCRIPT
1
SOA Security
Dr. Yuhong Yan
2
Content
• Security Issues overview• Security for SOA
Referece: R. Kanneganti and P. Chodavarapu, “SOA Security”, Manning, 2008
3
Security Issues Overview
• Authentication• Authorization• Data confidentiality• Data integrity an nonrepudiation• Protection against attacks• Privacy protection
4
New Security Approaches for SOA
• Besides the following issues– Authentication– Authorization– Data confidentiality– Data integrity an nonrepudiation– Protection against attacks– Privacy protection
• SOA has three new security approaches– Message-level security– Security as a service– Policy-driven security
5
AuthenticationVerifying the identity of users
Evidence Type Description Example
What you know The secrete you and the system share
Username-password;Challenge questions
What you have Something that the system knows that you have
Hardware tokens;The number on a RSA
What you are Biometric evidence Fingerprint;Retina scan
6
Traditional Authentication Strategy
• The application is responsible for examining the evidence and validating it– A directory server that records all the user-
password pairs– An algorithm that matches the number
presented by the user and the number that is used on the RSA token
7
Authentication Strategy in SOA
# Description Strategies
1 Service is invoked by a client in the same company
Authenticate against the corporate directory
2 Service is invoked by another service in the same company
Authentication is carried on by the calling service;Called service re-authenticates against the corporate directory
3 Service is invoked by a partner’s app
Rely on partner app’s assertion of user identity
8
Authorization
• Another name: access control• Compare authentication and authorization
– Authentication: your photo ID– Authorization: allow to buy a drink?
Determine whether the identified user is authorized to access the functionality
9
Traditional Authorization Strategy
• The application is responsible for authorization, some information used is in a directory server or a configuration repository– Access control models
• Role-based Access Control• Access Control List (rules)
10
Authorization Strategy in SOA
• The composite app cannot hard code authorization function
• The individual services in the composite app have to do this
11
Data Confidentiality
• Traditional strategy to ensure data confidentiality– Encryption– Establish a secure channel
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Data exchanged over a network needs to be safeguarded
12
Data Confidentiality Protection Strategy in SOA
• Encryption• Establish a secure channel
– SSL/TLS• Different recipients
process different part of the message
To ACME To ACME
ACMEbank
My orderMy order My acct infoMy acct info
To bank To bank Acct infoAcct info
13
Data Integrity and Nonrepudiation
• SSL/TLS also helps in verifying the integrity and ensuring nonrepudiation
• SSL/TLS can be used for SOAP transport– Blanket encryption
• We can have selective encryption also
Verify that the message received is what the sender sent; the sender should not able to deny having sent a msg
14
Protection Against Attacks
• Vulnerabilities in application code– SQL code
• Vulnerabilities introduced by poor administrative practices– The default password
• Vulnerabilities inherent in computing/network infrastructuure– TCP/IP
15
Traditional Strategy for Protection Against Attacks
• Using firewall• Run applications within sandboxes• Carefully audit application code• Use intrusion detection systems
16
Strategy for Protection against Attacks in SOA
• Vulnerable to denial of service (DoS) attacks• No further discussion in this course
17
Privacy Protection
• Flaws in access control rules– Who can access sensitive data
• Vulnerabilities exploited by attackers– Inject SQL that queries sensitive data
Avoid leakage of users’ private information
18
Strategy for Privacy Protection
• Enhance security– Remove the vulnerabilities
• Holding back real identifies• Protect the patterns that associate with sensitive
data• No more discussion in this course
19
Extending SOAP with Headers for Security
20
Inside SOAP
Envelope (required)
SOAP message
Header (optional)
Body (required)
Fault (optional)
Header Entry1
Header Entry n
…
21
Header
• For authentication, transaction management, and authorization, routing
• Standard extensions• Customerized extensions
22
Standard header entry attributes
• Who should deal with the header entry?– actor attribute: e.g. a URI– The chained nodes: intermediaries
• What do we do with the header entry?–mustUnderstand attribute: true /false– force the recipient to process the element, if
not understandable, return a fault• What do we parse data in the header entry?
– encodingStyle attribute: e.g. XML schema
23
An Example for Header
<soapenv:Envelope xmlns:soapenv=http://schemas.xmlsoap.org/soap/envelope/…>
<SOAP-ENV:Header><ns1:PaymentAccount xmlns:ns1=“urn:ecerami”
SOAP-ENV:actor=“http://schemas.xmlsoap.org/soap/actor/next””SOAP-ENV:mustUnderstand=“true”SOAP-ENV:encodingStyle
=“http//schemas.xmlsoap.org/soap/encoding”>orsenigo473
</ns1:PaymentAccount></SOAP-ENV:Header>
24
Fault
• faultCode– SOAP-ENV:VersionMismatch– SOAP-ENV:MustUnderstand– SOAP-ENV:Client (non existing methods)– SOAP-ENV:Server (not able to access DB)
• faultString• faultActor• Detail info about the fault
25
Fault
<?xml version=‘1.0’ encoding=‘UTF-8’?><SOAP-ENV:Envelope
xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”xmlns:xsi=“http://www.w3.org/1999/XMLSchema-instance”xmlns:xsd=“http://www.s3.org/1999/XMLSchema”><SOAP-ENV:Body>
<SOAP-ENV:Fault><faultcode
xsi:type=“xsd:string”>SOAP-ENV:Client</faultcode><faultstring xsi:type=“xsd:string”>
Failed to locate method (ValidateCreditCard) in class(examplesCreditCard) at /usr/local/ActivePerl-5.6/lib/site_perl/5.6.0/SOAP/Lite.pm line 1555.
</faultstring></SOAP-ENV:Fault>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
P55. xml part (for faults)
26
WS-Security: Standard Extension for Security
27
Security Header: security claims
• “My name is X.”• “X is authorized to access this resource.”• “This message is signed by X.”• “This message is encrypted using X’s public
key.”
28
An Example for Security Header
<soapenv:Envelope xmlns:soapenv=http://schemas.xmlsoap.org/soap/envelope/…>
<SOAP-ENV:Header><wsse:Security …
<wsse:UsernameToken wsuID=“1”> <wsse:Username> <xenc:EncryptedData> … </xenc:EncryptedData> </wsse:Username> <wsse:Password> <xenc:EncryptedData> … </xenc:EncryptedData> </wsse:Password> </wsse:UsernameToken></SOAP-ENV:Header></SOAP-ENV:Header>
29
Fault Code
Code Description
UnsupportSecurityToken An unsupported security token was provided.
UnsupportedAlgorithm An unsupported signature or encryption algorithm was used.
InvalidSecurity An error was discovered while processing the security header.
InvalidSecurityToken An invalid security token was provided.
FailedAuthentication The security token could not be authenticated or authorized
FailedCheck The signature or decryption is invalid
SecurityTokenUnavailabel Referenced security token could not be retrieved
30
Programming on security headers
• The pattern of handler in JAX-RPC– Compose the elements in headers
• The chained handlers– Axis Web service deployment description
(.wsdd)
31
Intermediaries and WS-Addressing
source
interm1 dest
interm1
<soapenv:Envelope xmlns:soapenv=http://schemas.xmlsoap.org/soap/envelope/…><SOAP-ENV:Header>
<was:To xmlns:was=“…/ws/2004/08/addressing”> http://localhost:8080/axis/services/example6 </was:To> <was:Action xmlns:was=“…/ws/2004/08/addressing”> </wasAction> <wsse:Security soapenv:actor=“…”> … </wsse:Security></SOAP-ENV:Header>
WS-Addressing