11 overview of modern web architectures, standards, security, and future directions oct/26/2009...
TRANSCRIPT
11
Overview of Modern Web Architectures, Standards, Security, and Future Directions
Oct/26/2009
Zhenhua Guo
22
Outline
Web App Case Study Modern Web Characteristics Modern Web Architecture : OpenSocial
Architecture Components Security
Background Authorization Out of Scope: Authentication
Future Directions
33
Facebook More than 200 million active users MS paid $240 million for 1.6 percent
Modern Web App Case Study : Facebook
Activities of your friends
Your current status
Comment, Rate
Chat
Aggregationwith Picasa
Video
photos
Friends
groupsMore apps!
44
Previous Web App Case Study : Yahoo! Directory
Provider-defined directory
55
Examples of two “versions” of web apps
1995-2005 Web 2005-Present Web
Britannica Online Wikipedia
Akamai BitTorrent
Directories
(Taxonomy)
Tagging
(Folksonomy)
Tightly coupled apps App Mashup/Integration
Home page Blog
Web 2.0 “Second generation of web development and web
design” Web 2.0 vs. Web 1.0
Technical point of view Similar technologies as Web 1.0: HTML, Javascript, XML, HTTP, etc. Web2.0 makes the web programmable
User’s point of view Read-write collaborative web
Sharing, creation of data Participatory nature
Blogging, commenting, rating Cooperate, not control
Facebook interoperates with Google Picasa, Yahoo! Flickr, Blogs, etc
User centric Web is a platform. Users add content (“value”)
6
7
Web 2.0
Debate (Buzzword vs. Real progress) is going on, but it has begun to coalesce. “Web 2.0 Architectures: What entrepreneurs and information architects
need to know” OpenSocial: case study that illustrates or motivates several Web 2.0
topics of discussion. We will use Open Social to illustrate Web 2.0 architecture
Enterprise Approach Web 2.0 Approach
Portlets Gadgets, Widgets
SOAP RSS, Atom, JSON
WSDL REST(GET, PUT, POST ,DELETE)
Workflow managers Mash-ups (e.g. Yahoo Pipes)
Server side integration Client-side integration (AJAX)
Gateways User-centric social network portals
8
OpenSocial A coherent open architecture designed for
social network services and applications. Common APIs across many websites
REST/RPC protocols – for server-to-server interactions Javascript APIs – for browser-to-server interactions
Authorization mechanism, Data model … Usage
Supported by MySpace, Google Orkut, Twitter, LinkedIn, XiaoNei… Internationalization
Rival: Facebook
9
Open Social Javascript API Example
// Creates a data request object to use for
// sending and fetching data from the server.
var req = opensocial.newDataRequest();
// Adds an item to fetch data from the server
req.add(req.newFetchPersonRequest('OWNER'), “owner”);
// Sends a data request to the server
req.send(function(data) {owner = dataResponse.get("owner").getData();
});
9
Person: ID, NAME, NICKNAME, ADDRESSES, EMAILS, STATUS, MOVIES, MUSIC,FOOD …
Activity: TITLE, URL, BODY, PRIORITY …
DataModel
JavaScript APIexample
AJAX!!!
Fetch profileinformationof owner
Open Social Message Examples
[{"method" :"people.get", "params" :{ "userId" : ["@owner"], "groupId" : "@self", "id" : "owner", "fields" : ["id","name", "thumbnailUrl", "profileUrl", "id", "displayName"]}}]
[{"id" :"owner", "data" :{ "displayName" : "Guo Zhenhua" "profileUrl" : "/Main#Profile.aspx?uid=3672642670645936703, "id" : "06881043280087178653", "thumbnailUrl": "http://www.orkut.com/img/i_nophoto64.gif", "name" : { "familyName":"Zhenhua", "givenName":"Guo" }, ...... }}]
Response
Request (HTTP POST)
JSON
10
How about the correspondingrepresentation in XML???
157 Bytes
<request><method>people.get</method><params>
<userId> <id>@owner</id></userID><groupId>@self</groupId><id>owner</id><fields> <field>id</field> <field>name</field> <field>thumbnailUrl</field> <field>profileUrl</field> <field>id</field> <field>displayName</field></fields>
<params></request>
JSON Lightweight, Simple Can represent basic data structures
(number, string, boolean, object, array) Textual human-readable Easy to generate and manipulate
Not extensible, No namespace Hard to represent complex data structures
References User-defined type
XML Extensible Support namespace Support representation of complex
data structures.
Heavyweight Slow and verbose
Request messagerepresented in XML
281 Bytes
1212
OpenSocial - ArchitectureComponents Interface –
REST, Javascript APIs Client – Ajax, Gadget Message Format –
JSON, XML Security - OAuth Data Model
Logic level
13
OpenSocial Interface – RESTREST – REpresentational State Transfer Based on HTTP (client/server + stateless server) Resource-oriented (resource can be anything) Each resource is identified by a unique URL State transition (Link resources together) Resources have multiple representations (JSON,XML) Uniform interfaces
GET http://search.twitter.com/trends.json
Returns the top ten topics that are currently trending on Twitter.
GET Read
POST Create
PUT Update
DELETE Delete
How to access top ten Twitter topics?
verbresource
* CRUD – Create, Read, Update, Delete
Analysis of REST
Treat the web as a big database of resources Good for CRUD operations
Constraint Stateless HTTP (request-response)
Beyond REST Stateful applications
Streaming Applications Workflow Execution
Push-Based systems Pub-Sub systems
14
1515
REST Alternative SOAP-based WS
SOAPMessage format
UDDIService Registration
WSDL Service description interface
12
3
4
Publish – Bind – Find
About 60 core ws-* protocols Designed for server-server interactions
SOAP and WSDL are really complicated Browser-based apps are second-class
citizens.
AJAX
1717
OpenSocial Client Tech – AJAX Rationale
Update sections without refreshing the whole page More interactive More responsive Requires less bandwidth
Asynchronous JavaScript and XML HTML + CSS Presentation DOM Document model (for dynamic manipulation) XMLHttpRequest Asynchronous Communication JSON/XML Data exchange format Javascript Bring these together
Data Model
19
OpenSocial - Data Model
Define data models for basic objects in social network Person Activity AppData
Relationships between objects can not be represented. Friend of a Friend (FOAF) – Based on W3C RDF XHTML Friends Network (XFN)
Other possible issues Groups, roles, communities Strength of relationships Relationships in which more than two objects are involved Scalability (in terms of number of friends)
2020
Security in OpenSocial
Beyond Functionalities - Security Identity
“On the internet, nobody knows you're a dog” Claimed Identity ≠ Real Identity
Data protection Who can access your Facebook data? Increasing risk of identity theft and impersonation.
Favorite color, mother’s maiden name, … “Friends” and applications have access to this “Predicting Social Security numbers from public data”
Communication linksMessages are passed by intermediary machines Intermediaries understand your messages? Intermediaries alter your messages? Intermediaries forge your messages?
2121
Cartoon by Peter Steiner. The New Yorker, July 5, 1993 issue (Vol.69 (LXIX) no. 20) page 61
2222
Security Requirements (in Web)
Connection level Confidentiality Integrity Non-repudiation Prevention of replay attack
System Implementation level Redirect Session stealing (cookie) Cross-site scripting, Cross-site request forgery
Architecture level Authentication
Single Sign-On Authorization
Delegation
SSL/TLS
Securer programs +User education
2323
Challenges
Technical Challenges Loosely coupled components No single, isolated trusted base Domain-specific policies Separation of security policies and security mechanisms.
Possible solutions Authentication
Central Authentication Service Cosign OpenID
Authorization Shibboleth OAuth
2424
OpenSocial Authorization – OAuth Motivation
To allow third party apps to access users’ data stored at service provider without requiring username and password.
Solution Delegated authorization protocol Light-weight Explicit user consent Based on REST
Drawbacks Vulnerable to session fixation attack (http://oauth.net/advisories/2009-1) Delegation granularity (Service provider-specific) Access token expiration and revocation
Resources http://oauth.net/
3rd-party App Twitter
2525
Authentication OpenSocial does not define authentication mechanism. Different accounts for different service providers
Twitter, Facebook, Myspace, Orkut, Hi5 … Same data everywhere
Account linkingLinking Disparate Account IDs Across Multiple Systems or Applications
N
S
EW Web Server
Web Server
Web Server
Web Server
Web Server
Web Server
Identification Provider
Identification Provider
Trust Relationship
IdentityFederation
=> Identity portability
Authentication – OpenID Motivation
Provide lightweight authentication service across domains Solution
Users are asked to prove ownership of their OpenID identifiers. OpenID identifiers are URLs (e.g. http://zhenhua-guo.blogspot.com). Service provider and identity provider are clearly separated. Authentication delegation (service provider → identity provider)
Advantages Cross-domain authentication Attribute exchange beyond authentication Single Sign-On Easy OpenID provider switch
Drawbacks Phishing attack
Resources Supported by Facebook, Verisign, Sourceforge, Yahoo, etc.
http://fcom.us.es/blogs/nuevafcom/files/2008/09/openid-1.jpg
26
OAuth and OpenID
Based on relaxed REST Use SSL/TLS to guarantee confidentiality,
integrity and non-repudiation. Scalability Vulnerable to
Phishing Cross-site scripting Cross-site request forgery
27
Conclusions Adoption of web 2.0 Services, not packaged software Open Architecture and Open Standards
Interoperability Flexibility Integration
Security Adoption in scientific communities
Traditional gateways LEAD, Earth System Grid
Gateways that integrate web 2.0 technologies myExperiment, SciVee, Sakai Open Life Science Gateway PolarGrid Portal
Research Opportunities
Social network in scientific communities Collaboration and Cooperation
Data Integration Manual integration Unified specification Adaptive integration
Security model Open, Flexible, Scalable, …
Data Mining Tag, Comment, Email, Blog, …
29
Future Directions Semantic Web (Web 3.0?)
Machine-readable representations of resources and relationships
Artificial Intelligence, Data Mining Search Engine
Information search
Recommendation System Scaling
Question Answering Information retrieval
Social Network Analysis Flow pattern recognition Strength of connections
30
My Research Gadget Layout Management
OAuth implementation Implement 2-legged OAuth Integrate 3-legged OAuth
PolarGrid Portal
33
Zhenhua Guo, Raminderjeet Singh, Marlon Pierce Building the PolarGrid Portal Using Web 2.0 and OpenSocial. GCE09 Grid Computing Environments 2009 workshop at SC09
ReferencePapers Distributed Systems
Hongbin Liu, Shrideep Pallickara, Geoffrey Fox. Performance of Web Services Security. Proceedings of the 13th Mardi Gras Conference, 2005
Satoshi Shirasuna, Aleksander Slominski, Liang Fang, Dennis Gannon. Performance comparison of security mechanisms for grid services. Proceedings of the Fifth IEEE/ACM International Workshop on Grid Computing, 2004
Shrideep Pallickara, Marlon E. Pierce, Harshawardhan Gadgil, Geoffrey Fox, Yan Yan, Yi Huang. A Framework for Secure End-to-End Delivery of Messages in Publish/Subscribe Systems. The 7th IEEE/ACM International Conference on Grid Computing, 2006
Cesare Pautasso, Olaf Zimmermann, and Frank Leymann. Restful web services vs. "big"' web services: making the right architectural decision. Proceeding of the 17th international Conference on World Wide Web, 2008
Michael zur Muehlen, Jeffrey V. Nickerson and Keith D. Swenson . Developing web services choreography standards—the case of REST vs. SOAP. http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8S-4CF5FWK-1&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=1058155249&_rerunOrigin=scholar.google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=e9c0b58f44e71de372ea92e94b34f385
Reference (cont.)
Authentication Clifford Neuman, Theodore Ts'o. Kerberos: An Authentication Service for Computer
Networks. IEEE Communications, 1994 John Kohl, B. Clifford Neuman, Theodore T'so. The Evolution of the Kerberos
Authentication System. In Distributed Open Systems, pages 78-94. IEEE Computer Society Press, 1994
David Recordon , Drummond Reed. OpenID 2.0: a platform for user-centric identity management. Proceedings of the second ACM workshop on Digital identity management, 2006
Drummond Reed, Les Chasen, William Tan. OpenID identity discovery with XRI and XRDS. IDtrust, ACM International Conference Proceeding Series, Vol. 283, pp. 19-25, ACM, 2008
35
Authorization David Chadwick, Alexander Otenko. The PERMIS X.509 role based privilege management
infrastructure. Future Generation Computer Systems, 19(2), pp. 277-289, 2003 David Chadwick, Gansen Zhao, Sassa Otenko, Romain Laborde, Linying Su,
Tuan-Anh Nguyen. PERMIS: a modular authorization infrastructure. Concurrency and Computation: Practice and Experience, 20(11), pp. 1341-1357, 2008
Von Welch, Frank Siebenlist, Ian Foster, John Bresnahan, Karl Czajkowski, Jarek Gawor, Carl Kesselman, Sam Meder, Laura Pearlman, Steven Tuecke. Security for Grid Services. Twelfth International Symposium on High Performance Distributed Computing, IEEE Press, 2003
Ian Foster, Carl Kesselman, Gene Tsudik, Steven Tuecke. A Security Architecture for Computational Grids. ACM Conference on Computers and Security, pp. 83-91, ACM Press, 1998
Mary Thompson, William Johnston, Srilekha Mudumbai, Gary Hoo, Keith Jackson, Abdelilah Essiari. Certificate-based Access Control for Widely Distributed Resources. Proceedings of the 8th USENIX Security Symposium (SECURITY-99), pp. 215-228, Usenix Association, 1999
Anirban Chakrabarti, Anish Damodaran, Subhasis Sengupta. Grid Computing Security: A Taxonomy. IEEE Security & Privacy, 6(1), pp. 44-51, 2008
Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, Kate Keahey.Identity federation and attribute-based authorization through the globus toolkit, Shibboleth, GridShib, and MyProxy. 5th Annual PKI R&D Workshop, 2006
Reference (cont.)
Reference (cont.) Ralf Groeper, Christian Grimm, Stefan Piger, Jan Wiebelitz. An Architecture for Authorization
in Grids using Shibboleth and VOMS. Euromicro Conference-Software Engineering and Advanced Applications, pp. 367-374, IEEE Computer Society, 2007
Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist. Attributes, anonymity, and access-shibboleth and globus integration to facilitate grid collaboration. 4th Annual PKI R&D Workshop, 2005
Laura Pearlman, Von Welch, Ian T. Foster, Carl Kesselman, Steven Tuecke. A Community Authorization Service for Group Collaboration. POLICY, pp. 50-59, IEEE Computer Society, 2002
Roberto Alfieri, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, Ákos Frohner, Alberto Gianoli, Károly Lörentey, Fabio Spataro. VOMS, an Authorization System for Virtual Organizations. European Across Grids Conference, Lecture Notes in Computer Science, Vol. 2970, pp. 33-40
Springer, 2003 Laura Pearlman, Von Welch, Ian T. Foster, Carl Kesselman, Steven Tuecke. A community
authorization service for group collaboration. Proceedings of the 3rd IEEE International Workshop on Policies, 2002
Laura Pearlman, Von Welch, Ian Foster, Carl Kesselman, Steven Tuecke. The community authorization service: Status and future. Proceedings of Computing in High Energy Physics, 2003
Justin Binns, Jonathan DiCarlo, Joseph Insley, Ti Leggett, Cory Lueninghoener, John-Paul Navarro, Michael Papka. Enabling community access to TeraGrid visualization resources. Concurrency and Computation: Practice and Experience, 19(6), pp. 783-794, 2007
Jim Basney, Marty Humphrey, Von Welch. The MyProxy online credential repository. Software: Practice and Experience, 2005
Jason Novotny, Steven Tuecke, Von Welch. An online credential repository for the grid: MyProxy. High Performance Distributed Computing, 2001. Proceedings. 10th IEEE International Symposium
Andreas Pashalidis, Chris Mitchell. A Taxonomy of Single Sign-On Systems. Information Security and Privacy: Australasian Conference, 2003
Thomas Groß. Security Analysis of the SAML Single Sign-on Browser/Artifact Profile. Annual Computer Security Applications Conference, pp. 298-307, IEEE Computer Society, 2003
Minor (Artificial Intelligence) Related Patrick Kelley, Paul Drielsma, Norman Sadeh, Lorrie Faith Cranor. User-controllable
learning of security and privacy policies. Proceedings of the 1st ACM workshop on Workshop on AISec, pp. 11-18, ACM, 2008
Guang Xiang, Ge Yu, Xiangli Qu, Xiaomei Dong, Lina Wang. A Hybrid Machine Learning/Statistical Model of Grid Security. Grid and Cooperative Computing, Lecture Notes in Computer Science, Vol. 3251, pp. 348-355, Springer, 2004
Reference (cont.)
Reference (cont.) Specifications
Shibboleth Architecture - Protocols and Profiles Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) Security Assertion Markup Language(SAML) V2.0 Technical Overview Security and Privacy Considerations for the OASIS Security Assertion Markup
Language(SAML) V2.0 XML Encryption Syntax and Processing An Internet Attribute Certificate Profile for Authorization (RFC 3281) Technical Comparison: OpenID and SAML - Draft 06 OpenID (http://openid.net/developers/specs/) OAuth 1.0(http://oauth.net/core/1.0/) Central Authentication Service (http://www.jasig.org/cas/protocol)
Questions?