Alignment with emerging Web Service Standards
Web Service Standards Stack (layers listed from top to bottom)
• …
• Presentation (WSRP)
• Various specs
• Industry-specific
• Grid (OGSI)
• Process Flow (BPEL, WS-Coordination)
• Transactions (WS-Transaction)
• Discovery (UDDI, ebXML)
• QoS (WS-Policy, …)
• Security (WS-Security, SSL, SAML, …)
• Description (WSDL)
• Messaging (SOAP, XMLP)
• Transport (HTTP, HTTPR, SMTP)
• Network (TCP/IP)
Stateful Web Services
• Port References (comments in WS-Coordination)
– Ability to dynamically refer to ports for targeted invocations
• Context (comments in WS-Coordination)
– Ability to supply stateful information for return with later invocations
• Service Instances (examples include Borland at http://www.systinet.com/doc/wasp_developer_jb/advanced/statefulWebServices.html#advancedTopics.statefulWebServices.mechanism, BPEL and OGSI efforts)
– Ability to return a reference to a new instance which can be resupplied on later invocations
=> Mechanisms for Producers exposing portlet instances at runtime should align with these.
Web Service Security
• Broad set of specifications that cover
– Authentication
– Authorization
– Privacy
– Trust
– Integrity
– Confidentiality
– Secure communication channels
– Federation
– Delegation
– Auditing
• Framework builds upon
– SOAP
– WSDL
– XML Digital Signatures
– XML Encryption
– SSL/TLS
– …
Web Service Security Layers (figure: a layered stack of specifications)
• Top layer: WS-PolicyAttachments, WS-PolicyAssertions, WS-SecurityPolicy, WS-Federation, WS-SecureConversation, WS-Trust, WS-Authorization
• Middle layer: WS-Security Profile for XML-based Tokens, WS-Policy, WS-Privacy
• WS-Security (Framework)
• SOAP/XML Foundation (SSL, Digital signatures, encryption, …)
SOAP/XML Foundations
• SSL/TLS
– Current means to exchange messages at various levels of security
• XML Digital Signatures
– Sign portions of a document … relative to authentication and non-repudiation
• XML Encryption
– Using ciphers to make portions of a document unavailable to 3rd parties
SOAP/XML Foundations
• SAML – Markup language for exchanging security related assertions about a document, its source and recipients.
• XACML – Exchanging access control information using SAML.
• XCBF – Defining secure XML encodings for the Common Biometric Exchange File Formats (NISTIR 6529).
• XrML – Rights markup language
• … (see http://www.oasis-open.org/committees/security-jc/)
WS Security Model Terminology
• Web Service – Application components whose functionality and interfaces are exposed through XML, SOAP and WSDL
• (Signed) Security Token – A security token that is asserted (and cryptographically endorsed) by a specific authority
• Claim – A statement a client makes (e.g. name, identity, key, group, privilege, capability, etc.)
• Claim Requirements – Requirements for the claims a client makes with an invocation to the Web Service
• Subject – A principal (e.g. a person) about which the claims expressed in the security token apply
• Proof-of-Possession – Used to demonstrate the sender's knowledge of information that SHOULD only be known to the sender of a security token
• Intermediaries – Parties that perform actions such as routing a SOAP message or even modifying the message. For example, an intermediary may add headers, encrypt or decrypt pieces of the message, or add additional security tokens
• Actor – An intermediary or SOAP endpoint which is identified by a URI and which processes a SOAP message
WS Security Model
• Today's technologies offer network and transport layer security
– IPsec, SSL, TLS
• SOAP message model operates on logical endpoints, often via multi-hop with intermediaries
• Need for SOAP message-level end-to-end security
(Figure: a single Security Context spanning Requestor, Intermediary and Web Service)
WS Security Token Service Model
• Web Service requires a set of claims
• If a message arrives without the needed claims -> reject or ignore the message
• Requestor sends proof of claims by associating security tokens with the message
• Security tokens may be obtained from security token services (Web Services)
(Figure: Requestor, Security Token Service and Web Service, each governed by a Policy; security tokens carrying claims flow from the Security Token Service to the Requestor and from the Requestor to the Web Service)
WS-Security
• Describes SOAP header enhancements to provide message integrity and confidentiality
• By leveraging XML Signature and XML Encryption
• Provides general purpose mechanism to attach security tokens to messages
• No specific type of security token mandated
• Support for multiple security token formats
• Support for specifying binary security tokens like X.509 certificates or Kerberos tickets
• Specifies encoding for binary security tokens, especially X.509 certificates and Kerberos tickets
• Working Draft 8 - 12/12/2002
• See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
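The token service model (service requires claims, rejects messages that lack them) and the WS-Security header that carries the tokens, shown together as an added example that is not part of the original deck. The `wsse:Security` header element is WS-Security's; the `demo:Claim` and `demo:BodyMAC` elements, the `urn:example:demo-claims` namespace, the shared key and the HMAC over the canonicalised body (a simplified stand-in for an XML Signature) are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"    # SOAP 1.1 envelope
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/12/secext"  # wsse, Dec 2002 draft
DEMO_NS = "urn:example:demo-claims"                       # constructed, not a real schema
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("demo", DEMO_NS)):
    ET.register_namespace(prefix, uri)

SHARED_KEY = b"constructed-key-bound-to-the-token"  # constructed demo secret
REQUIRED_CLAIMS = {"name", "group"}                  # the service's claim requirements

def body_digest_mac(body_elem) -> str:
    """HMAC over the canonicalised body element: canonicalisation is the step
    XML Signature needs too, so the sender's and receiver's views agree."""
    c14n = ET.canonicalize(ET.tostring(body_elem, encoding="unicode"))
    return hmac.new(SHARED_KEY, c14n.encode(), hashlib.sha256).hexdigest()

def build_message(payload_elem, claims: dict) -> bytes:
    """Requestor side: envelope with a wsse:Security header carrying claims and a MAC."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    for name, value in claims.items():
        ET.SubElement(sec, f"{{{DEMO_NS}}}Claim", name=name).text = value
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(payload_elem)
    ET.SubElement(sec, f"{{{DEMO_NS}}}BodyMAC").text = body_digest_mac(payload_elem)
    return ET.tostring(env)

def check_message(raw: bytes) -> tuple[bool, str]:
    """Web Service side: reject unless all required claims are present and the body is intact."""
    env = ET.fromstring(raw)
    sec = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        return False, "no wsse:Security header: reject"
    claims = {c.get("name"): c.text for c in sec.findall(f"{{{DEMO_NS}}}Claim")}
    missing = REQUIRED_CLAIMS - claims.keys()
    if missing:
        return False, f"missing claims {sorted(missing)}: reject"
    payload = env.find(f"{{{SOAP_NS}}}Body/*")
    mac_elem = sec.find(f"{{{DEMO_NS}}}BodyMAC")
    if payload is None or mac_elem is None or not hmac.compare_digest(
            mac_elem.text or "", body_digest_mac(payload)):
        return False, "body integrity check failed: reject"
    return True, f"accepted claims for {claims['name']}"
```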
WS-Policy
• Framework for web services to specify their requirements and capabilities
• Defines:
– Header element for carrying domain-specific policy declarations
– Operators for combining policies
– Connecting policies to their targets
• See ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf
• Public draft – 12/18/02
WS-PolicyAssertions
• Defines basic assertions needed to enable Web services applications
– TextEncoding – what character sets are supported
– Language – what locales are supported (xml:lang)
– SpecVersion
– MessagePredicate – preconditions for an invocation
– …
• See http://www.verisign.com/wss/WS-PolicyAssertions.pdf
• Public draft – 12/18/02
WS-SecurityPolicy
• Defines extensions to WS-Policy for describing the security properties of a Web Service
• Policy Assertions
– Security Token requirements
– Encoding formats
– Supported algorithms
• See http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-securitypolicy.asp
• Public draft – 12/18/02
WS-PolicyAttachments
• Defines how policies are attached to existing XML Web service technologies
– To specific documents – elements may use an attribute to point at policy statements
– To WSDL definitions – defines how these policy attributes are interpreted for WSDL definitions
– To UDDI entities – tModel defined for declaring that a service uses policy declarations
• See ftp://www6.software.ibm.com/software/developer/library/ws-policyattachment.pdf
• Public draft – 12/18/02
WS-Trust
• Describes a model for how to establish trust relationships
– Direct
– Brokered
– Via third parties and intermediaries
• Defines Security Token Service (Web Service)
– Request/obtain security tokens
– Validate security tokens
• Trust Management (non-normative)
– Fixed trust roots
– Trust hierarchies
– Authentication service
• See http://www.verisign.com/wss/WS-Trust.pdf
• Public draft – 12/18/02
WS-SecureConversation
• Describes how to
– Authenticate requestor
– Authenticate services
– Establish mutually authenticated security context
– Establish session keys
– Derived keys
– Per-message keys
• See http://www.rsasecurity.com/solutions/web-services/specifications/WS-SecureConversation.pdf
• Public draft – 12/18/02
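The "session keys, derived keys, per-message keys" points above, as an added example that is not from the original deck: both sides of an established security context share a session key, and each message is protected with a key derived from it by the TLS-style P_SHA1 expansion (the PRF that WS-SecureConversation's derived-key token uses, with a label, a nonce, an offset and a length). The label, the 32-byte key length, the sequence-number replay check and the HMAC-SHA256 message tag are assumptions of this example, not details of the draft.

```python
import hashlib
import hmac
import os

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ... cut to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(session_key: bytes, label: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Derived key = P_SHA1(session_key, label || nonce)[offset : offset + length]."""
    return p_hash(session_key, label + nonce, offset + length)[offset:]

class SecurityContext:
    """One side of a mutually authenticated security context: shares the session key,
    numbers its outgoing messages and refuses replayed or out-of-order incoming ones."""
    LABEL = b"constructed-derived-key-label"  # constructed; the real label is spec-defined

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.send_seq = 0
        self.last_recv_seq = 0

    def protect(self, msg: bytes) -> dict:
        """Derive a fresh per-message key from a new nonce and tag seq || msg with it."""
        self.send_seq += 1
        nonce = os.urandom(16)
        key = derive_key(self.session_key, self.LABEL, nonce, 0, 32)
        tag = hmac.new(key, self.send_seq.to_bytes(4, "big") + msg, hashlib.sha256).digest()
        return {"seq": self.send_seq, "nonce": nonce, "msg": msg, "tag": tag}

    def verify(self, pkt: dict) -> bool:
        """Re-derive the per-message key from the carried nonce; reject replays and tampering."""
        if pkt["seq"] <= self.last_recv_seq:
            return False
        key = derive_key(self.session_key, self.LABEL, pkt["nonce"], 0, 32)
        expected = hmac.new(key, pkt["seq"].to_bytes(4, "big") + pkt["msg"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt["tag"]):
            return False
        self.last_recv_seq = pkt["seq"]
        return True
```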
WS-Security Profile for XML-based Tokens
• Defines a framework for using XML-based security tokens with WS-Security
– SAML binding
– XrML binding
• See http://www-106.ibm.com/developerworks/library/ws-sectoken.html
• Public draft – 8/28/02
WS-Privacy
• Defines how a Web Service implements privacy
• Referenced from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
• Privacy demo in IBM's Web Services Toolkit supports P3P rules in a WS-Policy type format.
WS-Federation
• Defines how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities
• Referenced from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
WS-Authorization
• Describes how the Web Service manages authorization data and policies
• Referenced from other security documents (e.g. Security in a Web Services World: A Proposed Architecture and Roadmap)
Web Service Security Layers (figure: the same layered stack, with a legend marking each specification as Standard, Draft Standard, Proposal or Expected)
• Top layer: WS-PolicyAttachments, WS-PolicyAssertions, WS-SecurityPolicy, WS-Federation, WS-SecureConversation, WS-Trust, WS-Authorization
• Middle layer: WS-Security Profile for XML-based Tokens, WS-Policy, WS-Privacy
• WS-Security (Framework)
• SOAP/XML Foundation (SSL, Digital signatures, encryption, …)