Web Service Security
![Page 1: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/1.jpg)
Prabath Siriwardena – Software Architect, WSO2
![Page 2: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/2.jpg)
Plan for the session
Patterns
Standards
Implementations
![Page 3: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/3.jpg)
Recurring Problems
![Page 4: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/4.jpg)
Patterns
Authentication Patterns
Confidentiality Patterns
Authorization Patterns
![Page 5: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/5.jpg)
1995 1997
![Page 6: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/6.jpg)
![Page 7: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/7.jpg)
1999
![Page 8: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/8.jpg)
2004
![Page 9: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/9.jpg)
2005
SAML2 Web SSO
![Page 10: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/10.jpg)
2008/May
![Page 11: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/11.jpg)
Authentication Patterns
Direct Authentication
Brokered Authentication
![Page 12: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/12.jpg)
Direct Authentication for Web Services (Transport Level)
Basic Authentication
Mutual Authentication
2-legged OAuth
![Page 13: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/13.jpg)
Direct Authentication for Web Services (Message Level)
UsernameToken Profile with WS-Security
Signing – X.509 Token Profile with WS-Security
![Page 14: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/14.jpg)
Brokered Authentication for Web Services (Transport Level)
Mutual Authentication
2-legged OAuth
![Page 15: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/15.jpg)
Brokered Authentication for Web Services (Message Level)
WS-Trust / STS
WS-Federation
Signing – X.509 Token Profile with WS-Security
Kerberos Token Profile for WS-Security
Resource STS
![Page 16: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/16.jpg)
![Page 17: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/17.jpg)
2006/April
![Page 18: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/18.jpg)
2006/June
![Page 19: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/19.jpg)
2008/2009
![Page 20: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/20.jpg)
2008/2009
![Page 21: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/21.jpg)
2008/2009
![Page 22: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/22.jpg)
2007/Dec
![Page 23: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/23.jpg)
2007/Dec
![Page 24: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/24.jpg)
Authorization Patterns
Direct Authorization
Delegated Authorization
![Page 25: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/25.jpg)
Authorization Patterns
Direct Authorization
Delegated Authorization
ActAs in WS-Trust 1.4
![Page 26: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/26.jpg)
2005/Feb
![Page 27: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/27.jpg)
Security Solution Patterns (Message Level)
Message Interceptor Gateway Pattern
Trusted Subsystem Pattern
![Page 28: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/28.jpg)
SOAP Security (Message Level)
UsernameToken Profile
![Page 29: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/29.jpg)
SOAP Security (Message Level)
X.509 Token Profile & Key Referencing
Key Identifiers
Direct References
![Page 30: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/30.jpg)
SOAP Security (Message Level)
Symmetric Binding vs Asymmetric Binding
![Page 31: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/31.jpg)
SOAP Security (Message Level): WS-SecureConversation
• WS-Security secures SOAP – it focuses on message-level security
• Focuses on a single-message authentication model
• Each message contains everything necessary to authenticate itself
• Suitable for coarse-grained messaging in which a single message at a time is received from the same requestor
![Page 32: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/32.jpg)
SOAP Security (Message Level): WS-SecureConversation
• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer
• Removes the need for each individual SOAP message to carry authentication information
• Establishes a mutually authenticated security context in which a series of messages is exchanged
• Uses public key encryption to exchange a shared secret, and from then on uses the shared key
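The two slides above contrast the per-message model (every WS-Security message carries what is needed to authenticate it) with the session model (a secret agreed once, then used for a series of messages). The following Python is an added example written for this page, not code from the deck or from WSO2. Part 1 implements the UsernameToken Profile digest, Base64(SHA-1(nonce + created + password)), with the timestamp window and nonce cache a receiver needs to reject replays. Part 2 shows the secure-conversation shape: both parties combine exchanged entropy with P_SHA1 (the TLS 1.0 PRF block that WS-Trust names for its PSHA1 ComputedKey and that WS-SecureConversation uses for derived keys) and then protect each message with a derived key. The public-key-encrypted transport of the entropy values is assumed to have happened already and is not implemented; the derivation label, the HMAC-SHA256 MAC and all sample users, passwords and entropy are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created layout used by UsernameToken


# --- Part 1: UsernameToken Profile, one self-contained credential per message ---
def username_token_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the fields a wsse:UsernameToken header would carry."""
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": username_token_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side: digest check plus freshness window and nonce replay cache."""

    def __init__(self, users: dict, freshness: timedelta = timedelta(minutes=5)):
        self.users = users            # username -> password (constructed sample store)
        self.freshness = freshness
        self.seen_nonces = set()      # nonces already accepted inside the window

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return False              # stale or future-dated token
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False              # replayed token: same nonce seen before
        expected = username_token_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(nonce)
        return True


# --- Part 2: secure-conversation style context, secret agreed once, derived keys per message ---
def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1(secret, seed) expanded to `length` bytes (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


DERIVATION_LABEL = b"example-derived-key"   # constructed label, not the spec's default


class SecureConversationContext:
    """One party's view of an established security context."""

    def __init__(self, client_entropy: bytes, server_entropy: bytes, key_len: int = 32):
        # PSHA1-style computed key: both parties combine the exchanged entropy identically.
        self.secret = p_sha1(client_entropy, server_entropy, key_len)

    def derived_key(self, nonce: bytes) -> bytes:
        return p_sha1(self.secret, DERIVATION_LABEL + nonce, 32)

    def protect(self, body: bytes) -> dict:
        """Authenticate one message with a fresh derived key; no credentials travel with it."""
        nonce = os.urandom(16)
        mac = hmac.new(self.derived_key(nonce), body, hashlib.sha256).hexdigest()
        return {"Nonce": base64.b64encode(nonce).decode("ascii"), "Body": body, "MAC": mac}

    def verify(self, msg: dict) -> bool:
        nonce = base64.b64decode(msg["Nonce"])
        expected = hmac.new(self.derived_key(nonce), msg["Body"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["MAC"])


def demo() -> dict:
    """Run both models on constructed data and report each outcome."""
    now = datetime(2008, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "correct horse"})
    token = build_username_token("alice", "correct horse", now)
    results = {
        "ut_first_use": verifier.verify(token, now),
        "ut_replay": verifier.verify(token, now),   # same nonce presented again
        "ut_stale": verifier.verify(build_username_token("alice", "correct horse", now),
                                    now + timedelta(hours=1)),
    }
    client_e, server_e = os.urandom(16), os.urandom(16)   # constructed entropy values
    requester = SecureConversationContext(client_e, server_e)
    service = SecureConversationContext(client_e, server_e)
    msg = requester.protect(b"<GetBalance/>")
    results["sc_valid"] = service.verify(msg)
    results["sc_tampered"] = service.verify(dict(msg, Body=b"<GetBalance account='other'/>"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict in which the first UsernameToken is accepted, its replay and a one-hour-old token are rejected, the context-protected message verifies, and a modified body fails. The nonce cache only needs to hold nonces for the freshness window, which is why the two checks belong together.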
![Page 33: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/33.jpg)
SOAP Security (Message Level)
WS-Trust
![Page 34: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/34.jpg)
SOAP Security (Message Level)
Sender Vouches – Subject Confirmation
![Page 35: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/35.jpg)
SOAP Security (Message Level)
Holder-of-Key – Subject Confirmation
![Page 36: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/36.jpg)
http://wso2.org/library/3786
SOAP Security
http://wso2.org/library/3132
WS-SecurityPolicy
![Page 37: Web Service Security](https://reader033.vdocument.in/reader033/viewer/2022051514/5487413ab4af9f4b268b4686/html5/thumbnails/37.jpg)