Copyright © 2003 Jorgen Thelin / Cape Clear Software Inc.

Identity, Security and XML Web Services
Jorgen Thelin, Chief Scientist
Cape Clear Software Inc.
E-mail: [email protected]

Abstract
The use of security credentials and the concepts of single-sign-on and “identity” play a big part in Web Services as developers start writing enterprise-grade line-of-business applications. An overview is provided of the emerging XML security credential standards such as SAML, along with various “identity” standards such as Passport and Liberty. We examine how “identity-aware” Web Service implementations need to be, and the value a Web Services platform can add in reducing complexity in this area, with lessons drawn from experiences using J2EE technology for real-world security scenarios.

Agenda
The Concept of Identity
Web Services and Identity
Interoperable XML Security and Identity
Examples of Security Credentials in SOAP
Single-sign-on
Identity Awareness in Web Services

A Definition of Identity
Definition from Cambridge Dictionaries Online:
Identity [noun]
Who a person is, or the qualities of a person or group which make them different from others
http://dictionary.cambridge.org/define.asp?key=identity*1+0

What is Identity?
At its most basic, the concept of Identity is about:
Who you are
How you prove who you are
What that allows you to do

Identity – Who are you?
An identity equates to a particular subject or principal
For example: Joe Bloggs … who lives at 123 My Street, Your Town
Usually equates to a person, but could also be a group, corporation, or even something like an automated software agent component
Subjects must be distinguishable

Identity – Proof of identity
How do you prove who you are?
In real life, this is usually through some official documents such as:
Driving License
Passport
In computing terms, a user has a set of security credentials such as:
username + password
X.509 certificates

Identity – Permissions
What does this identity prove about us? What does this identity allow us to do?
Some real life examples:
Holding a UK passport proves I am a UK Citizen
Losing my passport does not stop me being a UK Citizen; it just makes it harder to prove that I am.
A standard driving license shows I am allowed to drive a car
I am not allowed to drive a Heavy Goods Vehicle unless I hold an HGV Driving License

Identity – Permissions and Credentials
The permissions and entitlements for an identity are ultimately determined by the set of credentials that were presented to assert that identity.
Permissions and credentials are used to make policy enforcement decisions:
Am I allowed to drive a Heavy Goods Vehicle?
Am I allowed to work in the UK?
Am I allowed to work in the US?

Web Services and Identity
How does this affect Web Services?
Security and identity are a fundamental requirement of any real-world deployment of a Web Services application
Ultimately all security policy decisions are based on the caller’s identity
The challenge is how to represent and prove a caller’s identity in an open and interoperable way.

Web Services and Identity 2
Security and identity considerations for a Web Services application:
Authentication
Who is the caller? How did they prove their identity? Do we trust the source of these credentials?
Authorization
What is the caller allowed to do?
Attributes
What other facts do we know about the caller? For example, e-mail address, department, employee number
How do we use this attribute information in the application? For example, customizing the data returned based on display preferences

Web Services and Identity 3
To achieve interoperable security and identity, web services require standard ways to:
Represent security credential data in XML
E.g. SAML – Security Assertions Markup Language specification
Obtain credential data
E.g. single-sign-on services such as Microsoft Passport or the Liberty Alliance specifications
Transport credential data in a SOAP message
E.g. SOAP header fields defined in the WS-Security specification

Types of Security Tokens
The WS-Security specification set defines the following tokens:
Unsigned security tokens: Username
Signed security tokens: X.509 certificates (binary), Kerberos tickets (binary)
XML security tokens: any XML token, such as SAML; usually self-verifying / signed

Typical XML Security Dialogue – Non Self-Validating Credentials
(Diagram callout) Need to query the security service to validate the credentials

Typical XML Security Dialogue – Self-Validating Credentials
(Diagram callout) No need to query the security service to validate the credentials. Usually done by the security authority digitally signing the credentials.

SAML v1.0
SAML – Security Assertions Markup Language
An XML-based framework for exchanging security information
A specification published by the OASIS organization
The SAML specification defines:
How to represent security credentials (“Assertions” in SAML parlance) using XML
An XML message exchange protocol for querying a SAML Authority service
SAML does not define:
How to obtain security credentials (“Assertions”) in the first place

SAML Assertion Types
SAML Authentication Assertions
The results of an authentication action performed on a subject by a SAML authority
SAML Attribute Assertions
Attribute information about a subject
SAML Authorization Assertions
Authorization permissions that apply to a subject with respect to a specified resource

A Username Token in WS-Security SOAP Header

A Binary X.509 Certificate in WS-Security SOAP Header

A SAML Assertion in WS-Security SOAP Header

Single-sign-on Services
SSO Services provide:
a single point of logon and authentication
a standardized way to obtain suitable credentials to prove the authenticated identity
The main contenders using XML are:
Liberty Alliance
Microsoft Passport
Proprietary security products such as Netegrity SiteMinder are adding direct SAML interfaces
WS-Trust – new spec for a standardized XML interface
Still remains an area needing standardization

Liberty Alliance
The Liberty Alliance Project is a cross-industry group aiming to establish an open standard for federated network identity
http://www.projectliberty.org/
The Liberty specification v1.0 has two main facets:
Single sign-on
Identity federation

Microsoft .NET Passport
Microsoft .NET Passport is a suite of Web-based services that makes using the Internet and purchasing online easier and faster for users.
http://www.passport.com/
.NET Passport provides users with:
Single sign-in (SSI)
Fast purchasing capability at participating sites
Microsoft is upgrading the current Passport facilities to:
Provide an XML interface
Support federation
Use Kerberos v5 as the underlying mechanism for securely exchanging credentials

The Need for a Sign-on Standard – WS-Trust
The need remains for a “sign-on standard” to avoid reliance on proprietary interfaces
WS-Trust
A proposed specification in the WS-Security family
Provides a standardized interface for acquiring security tokens
Still very early in the standardization process, but the most likely candidate for a common interface
http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-trust.asp

Identity-awareness in Web Services
Do web services themselves need to be identity-aware?
Not really, in most cases
A mature web services platform product such as Cape Clear Server can handle almost all the “boilerplate” work of authentication and enforcement of access control lists

Identity-awareness in Web Services - 2
Most standard authentication and authorization functions are best done in a uniform manner by the platform, rather than being implemented on an application-by-application basis
Interceptor plugins allow this to be a deployment policy decision rather than an implementation decision
A Web Service application only needs to be identity-aware if it needs to use attributes asserted for the caller
For example, reading the delivery address from the user’s MS Passport record

Ultimate Web Services platform security
The ultimate goal will be declarative security functions for web services, just like EJB
So, having declarative statements of:
Permitted authentication realms / single-sign-on services
Required transport security attributes (for example, “Callers must use encrypted / SSL connections”)
Required message security attributes (for example, “Messages must be digitally signed”)
Role-based access control lists applied at the granularity of the operation / method call.
This places control of security with application administrators rather than developers.
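The self-validating dialogue (slide 15) and the declarative platform security sketched here fit together in one interceptor: the relying party verifies the authority's signature on the assertion locally instead of querying the security service, then applies administrator-declared transport, message and role-based rules before the operation runs. The following Python is an added example, not code from the deck or from Cape Clear Server; it assumes a shared-key HMAC as a stand-in for the authority's XML digital signature (standard library only) and constructed issuer, audience and operation names.

```python
# Added example (not from the deck or Cape Clear Server): interceptor that validates a self-validating
# assertion locally, then enforces declarative policy. HMAC stands in for the authority's XML signature.
import base64
import hashlib
import hmac
import json

ISSUER = "urn:example:security-authority"  # constructed identifiers for the example
AUDIENCE = "urn:example:account-service"

def issue_assertion(key, subject, roles, now, ttl=300):
    """Security authority side: sign the claims so relying parties need not call back."""
    claims = {"Issuer": ISSUER, "Subject": subject, "Roles": roles, "Audience": AUDIENCE,
              "NotBefore": now, "NotOnOrAfter": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def validate_assertion(token, key, now):
    """Relying party side: check signature, issuer, audience and validity window locally."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.b64decode(payload_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None  # forged or tampered: never parse claims before the signature checks out
    claims = json.loads(payload)
    if claims.get("Issuer") != ISSUER or claims.get("Audience") != AUDIENCE:
        return None  # untrusted issuer, or an assertion meant for a different service
    if not claims["NotBefore"] <= now < claims["NotOnOrAfter"]:
        return None  # outside the validity window
    return claims

POLICY = {  # declarative policy: configured by the administrator, not coded per service
    "transport": {"require_tls": True},
    "message": {"require_signature": True},
    "operations": {  # role-based ACL at operation / method granularity
        "getBalance": {"roles": ["customer", "teller"]},
        "transferFunds": {"roles": ["teller"]},
    },
}

def intercept(request, policy, key, now):
    """Return (allowed, reason). request keys: tls, signed, assertion, operation."""
    if policy["transport"]["require_tls"] and not request.get("tls"):
        return False, "transport: encrypted connection required"
    if policy["message"]["require_signature"] and not request.get("signed"):
        return False, "message: digital signature required"
    claims = validate_assertion(request.get("assertion", ""), key, now)
    if claims is None:
        return False, "authentication: assertion rejected"
    acl = policy["operations"].get(request.get("operation"))
    if acl is None:
        return False, "authorization: operation not declared in policy"  # default deny
    if not set(claims["Roles"]) & set(acl["roles"]):
        return False, "authorization: caller role not permitted"
    return True, claims["Subject"]
```

With a real SAML authority the HMAC check would be replaced by XML-DSig verification against the authority's certificate, and the application code behind the interceptor never sees a credential.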

Summary
“Identity” is one of the fundamental concepts in all Web Service security mechanisms
Having a standard XML-based serialized form of credentials is vital for true end-to-end interoperability
Standardization of specifications for credential exchange and single-sign-on using XML and SOAP is still incomplete, so true interoperability is not yet possible.
Use a mature Web Services runtime platform such as Cape Clear Server to handle most “boilerplate” security tasks such as enforcing authentication and authorization requirements.