Application of XML Schema in Web Services Security
Sridhar Guthula
W3C XML Schema 1.0 User Experiences
06-21-2005
QuickTree Inc. 2
About me
• 10 years in enterprise software business
• XML focus since 1998
• Projects
– XML Schema 1.0 validation engine, SOAP security framework, XSLT 1.0 compiler, hardware-based XML parser
– Large XML-based language for a declarative constraint engine
– Storing XML documents in an RDBMS
– XML Schemas for Catalog Services, XML-based RPCs and Workflow Systems
QuickTree SOAP Security Module (SSM)
• Designed from the ground up with OEM integration in mind, the SSM hides the complexities of XML processing and allows network equipment like Firewalls, SSL VPN devices and Load Balancers to inspect and secure Web Services traffic
SOAP Security in the Network
Features
• XML Denial of Service Prevention - Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc.
• WSDL Based Access Control - Limit a user's or group's access to particular services or operations defined in the WSDL file
• SOAP Structural and Parameter Validation - Block malformed SOAP messages and apply parameter validation using type checking, with full support for regex-based schema types
• SQL and Command Injection Protection - Detect and block command injection attacks, commonly hidden as valid parameters
• Streaming mode interface - XML messages can be forwarded to the QuickTree module as they come in, without blocking
QuickTree SOAP Security Module (SSM)
User Experience
WSDL Based validation
• XML Schema 1.0 validation engine ('C' based)
• Generate schema by combining WSDL, XML Schema and SOAP
• Streaming and Hardwarized
• Structural Validation vs Data-type validation
• ACLs
• Issues
– Schema Specification
– XML Schemas with multiple target namespaces
– xsi:type and encoding style
– Mapping WSDL/SOAP types to XML Schema types (Ex: soapenc:arrayType)
– Versioning
Compliance Levels
• Support compliance/conformance levels (like internationalization standards)
– Structural validation and/or Data-type validation
– Data-centric or Content-centric
• Lack of different compliance levels causes vendors to claim full XML Schema compliance.
• Benefits: reduced user confusion and reduced cost in investigating vendor compliance.
XML Denial of Service Prevention
• Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc.
• Most XML Schema designers do not consider security
• Policies – QuickTree provides global and user-specific policies
• Implementation through inheritance (type derivation by restriction) and facets
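As an added example (not QuickTree's code), the following Python streaming guard enforces the DoS limits listed above while a SOAP message is still arriving, chunk by chunk, and refuses any DOCTYPE rather than attempting to resolve entities. The Limits values are a constructed sample policy; a user-specific policy is modelled by subclassing Limits.

```python
# Added illustration, not QuickTree code: a streaming XML DoS guard that enforces
# the slide's limits as the message arrives. Limits is a constructed sample policy.
import xml.parsers.expat as expat
class Limits:
    max_message_bytes = 4096   # total size across all chunks
    max_depth = 8              # nested element depth
    max_name_len = 64          # element name length
    max_attr_len = 256         # attribute value length

class XmlDosViolation(Exception): pass

class StreamingGuard:
    def __init__(self, limits=Limits()):
        self.limits, self.seen, self.depth = limits, 0, 0
        self.parser = expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = lambda name: setattr(self, "depth", self.depth - 1)
        # Refuse any DOCTYPE: entity expansion and external entities live there.
        self.parser.StartDoctypeDeclHandler = self._doctype

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        raise XmlDosViolation("DOCTYPE (entities / external entities) not allowed")

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth > self.limits.max_depth:
            raise XmlDosViolation(f"nesting depth {self.depth} > {self.limits.max_depth}")
        if len(name) > self.limits.max_name_len or any(
                len(v) > self.limits.max_attr_len for v in attrs.values()):
            raise XmlDosViolation(f"element {name!r}: name or attribute value too long")

    def feed(self, chunk, final=False):
        self.seen += len(chunk)  # size is checked before the chunk is parsed
        if self.seen > self.limits.max_message_bytes:
            raise XmlDosViolation(f"message size > {self.limits.max_message_bytes} bytes")
        try:
            self.parser.Parse(chunk, final)
        except expat.ExpatError as exc:  # not well-formed, or truncated at final
            raise XmlDosViolation(f"not well-formed: {exc}") from exc

def check(chunks, limits=Limits()):
    # Stream chunks through one guard; None if accepted, else the rejection reason.
    guard = StreamingGuard(limits)
    try:
        for chunk in chunks:
            guard.feed(chunk)
        guard.feed(b"", final=True)
    except XmlDosViolation as exc:
        return str(exc)
    return None
```

Because every limit is checked inside the parser callbacks or before a chunk is parsed, an oversized or too-deep message is rejected without ever being buffered in full.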
Validating Canonical XML
• Support for validating canonical XML
• The canonical form of a valid XML instance should itself be valid
Views or Aspects
• A given XML Schema is viewed in a different light by different users (network admin, application engineer, customer)
• Support for different aspects on the same XML Schema
• Example: Security aspect
– Conformance/Compliance Levels: only do structural validation
– Ignore Order/Canonicalization: the canonical form of a valid XML instance should be valid
– DoS configuration values
– xsi:type support
Contact Info
Sridhar Guthula
855 Embedded Way
San José, CA 95138-1018
USA
408-979-4800
Q & A