Secure Web Services
Akylbek Zhumabayev
Rochester Institute of Technologies

Legend
• Security Layer
• Existing Standard
• Implemented Standard
• Implemented in additional product

Security Standards for WS
• Secure Context: WS-SecureConversation (IBM)
• Reliability: WS-Reliability (OASIS), WS-Reliable Messaging (OASIS)
• Trust: WS-Trust (OASIS), XKMS (W3C), WS-Federation (IBM), IDFF, Shibboleth
• Policy: WS-Policy (W3C), WS-Security Policy (OASIS)
• Resource: XACML (OASIS), RBAC (NIST), EPAL (IBM)
• SOAP: WS-Security (OASIS), WS-Addressing (W3C), U/P, SAML, X.509, Kerberos, REL
• XML: XML Encryption (W3C), XML Signature (W3C)

Popular Solutions
• Microsoft WCF
• Sun Metro (JAX-WS + JAXB + WSIT)
• Apache Axis2 (Rampart + Rahas + Sandesha2)
• Apache CXF (based on JAX-WS)
More:
• IBM WebSphere
• WSO2 Web Service Framework
• BEA WebLogic

Microsoft WCF
[Diagram: the Security Standards for WS stack (Secure Context, Reliability, Trust, Policy, Resource, SOAP, XML layers)]

Sun Metro
[Diagram: the Security Standards for WS stack (Secure Context, Reliability, Trust, Policy, Resource, SOAP, XML layers)]

Apache Axis2
[Diagram: the Security Standards for WS stack (Secure Context, Reliability, Trust, Policy, Resource, SOAP, XML layers)]

Apache CXF
[Diagram: the Security Standards for WS stack (Secure Context, Reliability, Trust, Policy, Resource, SOAP, XML layers)]

Common WS-* Stack
• WS-Addressing
• WS-Security: SAML, X.509
• SAML includes XML Encryption and XML Signature
• WS-Trust (except Apache CXF)
• WS-Security Policy (except Apache)
• WS-Policy (except Apache Axis2)
• WS-Secure Conversation (except Apache CXF)
• WS-Reliable Messaging

GSI
[Diagram: the Security Standards for WS stack (Secure Context, Reliability, Trust, Policy, Resource, SOAP, XML layers)]