1. Security Problems (and Solutions)for Service Oriented ApplicationsDaniel Kulp, Talenddkulp@talend.com Talend 2011 1

2. My BackgroundJ. Daniel KulpTalendVP - OpenSource DevelopmentASF MemberPMC for CXF, Camel, WebService, Maven, Aries.Committer for ServiceMix Talend 2011 2 3. What I Will CoverSOA Security ConcernsTypes of Security ProblemsWS-* SolutionsREST SolutionsApache CXF extensionsThoughts for the future Talend 20113 4. SOA Security ConcernsCollection of Services that make up a complex applicationthat solves complex problems.Primarily Web ServicesNOT just SOAPIncludes RESTCan include other technologies like CORBA, JMS, etc... Talend 2011 4 5. Security ProblemsAuthenticationAuthorizationMessage ProtectionData encryptionSignaturesIntermediariesSecurity TokensPerformance Talend 20115 6. WS-* SolutionsWell Defined (OK: overly complex) specificationsWS-SecurityWS-SecureConversationWS-SecurityPolicyWS-TrustEtc.... Talend 20116 7. WS-SecurityHow to sign SOAP messages to assure integrity.(based onXMLDsig)How to encrypt SOAP messages to assure confidentiality.(based on XML-Enc)How to attach security tokens to ascertain the sendersidentity.X.509, Kerberos, UserNameToken, SAML Talend 2011 7 8. WS-SecurityPolicyTries to address the contract of the SecurityrequirementsXML based WS-Policy fragments that describe the Securityrequirements of the serviceContains the information about what needs to beincludes, what needs to be signed, what needs to beencrypted, algorithms, etc... Talend 20118 9. WS-TrustManaging Security TokensIssue, Renew, Cancel, ValidateSupport brokering trust relationships STSConsumer Provider Intermediar y Talend 2011 9 10. WS-SecureConversationAttempt to address the performance problem of the WS-Security specifications.XML Signatures and Encryption using strong asymmetric keys isvery expensive. WS-SecConv allows for a simpler symmetrickey to be used after establishing a session.Extends WS-Trust Talend 2011 10 11. WS-* SummaryAddresses most of the security problems (performance may bethe exception)Very complexSeveral Profiles defined to attempt to clarify and simplifythings Talend 2011 11 12. Apache CXF WS-*Covers the WS-* stuff very wellVery well testedVery actively developedHighly interopableHigh performance (relative)New in 2.5.0 is an Enterprise Ready Security Token Service Talend 201112 13. RESTHTTPSBasic AuthenticationNTLM/Digest AuthenticationOAuthReally, very few standards Talend 201113 14. Apache CXF - RESTJAX-RSOAuth 1.0 FlowsXML Message ProtectionEnvelopedEnvelopingDetachedSAMLAuth HeaderToken in MessageForm value Talend 201114 15. Future WorkOAuth 2.0Single Sign-On / SAMLSAML for Bearer token in OAuth 2.0 flowsPerformance (Streaming)WS-Federation for SSOApache Fediz proposal to the Incubator Talend 201115 16. More InformationCXF - http://cxf.apache.orgDistribution contains several security samplesTalend http://talend.comTalend ESB has several code examples, tech notes and webinarscovering security topicsBlogs http://coders.talend.comColm - http://coheigea.blogspot.com/Glen - http://www.jroller.com/gmazza/Sergey - http://sberyozkin.blogspot.com/ Talend 2011 16 17. ContactDaniel Kulpdkulp@talend.comhttp://dankulp.com/blog@DanKulp on Twitter Talend 2011 17 18. Thank You Talend 2011 18