
Interoperability Secure and safe: Applied Web Services Security between Java and .NET


Presentation Transcript


  1. Interoperability – Secure and safe: Applied Web Services Security between Java and .NET • Christian Weyer, thinktecture • christian.weyer@thinktecture.com

  2. Christian Weyer and thinktecture • Support and consulting services for software developers and architects on the .NET platform • Renowned experts in today’s technologies • We track future technologies and work closely with Microsoft • My areas of expertise are distributed applications, Web Services in particular, Web Services interoperability and all things service orientation • christian.weyer@thinktecture.com

  3. Agenda • Web Services & Service Orientation in 5 Minutes • Transport Security vs. Message Security • Security Tasks • Web Services Enhancements for .NET • Java Apache Axis WSS4J • Recommendations

  4. Web Services & Service Orientation • There is more to Web Services than ‘Simple Object Access Protocol’ • Abstractions, decoupling, evolvability • Factors for successful and evolvable applications & architectures • Service-oriented principles • Boundaries are explicit • Services are autonomous • Services share schema and contract, not types • Compatibility/Behavior is based upon policy • Service-oriented thinking and methods are best realizable with the Web Services stack

  5. Web Services Protocols (WS-*) – layered stack (figure) • Applications & Application Infrastructure • Connected Applications: Business Process, Management, Security, Reliability, Transactions, Metadata, … • Foundation: Messaging, XML • Transports: HTTP, TCP, SMTP, …

  6. WS-* Composable Architecture (figure) • Applications & Application Infrastructure • Connected Applications: BPEL4WS … MDX (business process, management); WS-Security, WS-Trust, WS-Federation (security); WS-Coordination, WS-AT, WS-BA (transactions); WS-ReliableMessaging (reliability); WS-Policy, WSDL, WXS, WS-Discovery (metadata) • Foundation: SOAP, WS-Addressing, MTOM, WS-Eventing; XML 1.0, Namespaces, Infoset, DSIG, XMLENC, … • Transports: HTTP, TCP, SMTP

  7. Web Service Security Foundations • Authentication – who are you? • Authorization – what are you allowed to do? • Secure Communication • Confidentiality – can anyone else understand what you're saying? • Integrity – has the message been tampered with?

  8. Protocol-Level Security • SSL is a great example • Sender must trust intermediaries • Includes SOAP routers, dispatchers, etc. • Message is decrypted at intermediaries • Encrypts the entire message • Restricts the protocols that can be used (figure: each hop between sender, intermediary and receiver is encrypted separately)

  9. Message-Level Security • End-to-end message security independent of transport • Supports multiple protocols and multiple encryption technologies • Can encrypt parts of the message • For the intermediary and/or ultimate receiver independently • Sender needs only to trust the ultimate receiver • The signature is stored with the data • The message content on the wire includes integrity

  10. Cryptography Review

  11. Creating a Digital Signature (figure): the message or file is run through a hash function (SHA, MD5) to produce a 128-bit message digest; the digest is asymmetrically encrypted with the sender's private key, giving the digital signature. Done using a toolkit.

  12. Verifying a Digital Signature (figure): the digital signature sent with the message is asymmetrically decrypted with the sender's public key, the original message is hashed with the same hash function, and the two digests are compared. Are they the same?

  13. Message Encryption – Sender (figure): a symmetric key is generated and used to encrypt the message; the generated key is then encrypted with the receiver's public key and sent along as the encrypted key. Done using a toolkit.

  14. Message Encryption – Receiver (figure): the encrypted key is decrypted with the receiver's private key, and the recovered symmetric key decrypts the message. WSE provides great security for services.
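Slides 11 to 14 as one runnable flow, written in Go as an added illustration for this page (it is not code from the deck, WSE or WSS4J): sign the digest with the sender's private key, encrypt the message under a generated symmetric key, wrap that key for the receiver, then undo both steps and verify. The concrete algorithms (SHA-256, RSA-PSS, RSA-OAEP, AES-256-GCM) are my choices; the deck only names SHA/MD5 and generic asymmetric and symmetric encryption.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SecuredMessage is what travels on the wire in slides 11-14.
type SecuredMessage struct {
	Ciphertext   []byte // AES-GCM output with the 12-byte nonce prepended
	EncryptedKey []byte // generated AES key, wrapped with the receiver's public key
	Signature    []byte // RSA-PSS signature over SHA-256(plaintext) by the sender
}

// NewKey generates a 2048-bit RSA key pair (sender or receiver); size is my choice.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// aead builds the symmetric cipher (AES-256-GCM here; the deck leaves the algorithm open).
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Protect signs the digest with the sender's private key (slide 11), then encrypts the
// message with a fresh symmetric key that is itself wrapped for the receiver (slide 13).
func Protect(msg []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*SecuredMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	key, nonce := make([]byte, 32), make([]byte, 12) // per-message key and GCM nonce
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil { return nil, err }
	return &SecuredMessage{aead(key).Seal(nonce, nonce, msg, nil), wrapped, sig}, nil
}

// Unprotect unwraps the key and decrypts (slide 14), then recomputes the digest and
// verifies the signature (slide 12). Tampering with any of the three parts fails here.
func Unprotect(sm *SecuredMessage, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, sm.EncryptedKey, nil)
	if err != nil { return nil, err }
	if len(sm.Ciphertext) < 12 { return nil, errors.New("ciphertext too short") }
	msg, err := aead(key).Open(nil, sm.Ciphertext[:12], sm.Ciphertext[12:], nil)
	if err != nil { return nil, err }
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sm.Signature, nil); err != nil { return nil, err }
	return msg, nil
}
```

Note that the signature here covers the plaintext, as on slide 11, so it can only be checked after decryption; WS-Security lets the sender choose which parts are signed and which are encrypted, and in which order.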

  15. WS-Security • A framework for building security protocols • Integrity • Confidentiality • Propagation of security tokens • Supports end-to-end SOAP message security • Supports multiple intermediaries • Independent of underlying transport • Support for pluggable algorithms • Encryption, Digest, Signature, Canonicalization, Transforms

  16. Security Tokens • Tokens assert claims about identity, capability, privileges (figure) • Unsigned tokens: Username/Password, … • Signed tokens: Kerberos, X.509, Security Context, XrML, SAML, … • Proof of possession: secret/shared key

  17. Defining Security Policy • WS-Policy is an XML syntax to describe the requirements of a service • Higher level than WSDL • Policy can be applied on the send side or receive side • Reduces the amount of code developers need to write

  18. WSE • Microsoft Web Services Enhancements (WSE) • Enhances the current Web Services stack (ASMX) • WS-Security, WS-SecureConversation, WS-Trust, WS-Policy • Versions: 2.0 SP3 and 3.0 Beta 1

  19. WSE Input Pipeline (figure) • Network: HTTP, TCP • WSE 2.0 Runtime: Security filter with custom token handlers; Policy filter with policy cache and custom policy handlers; other filters • Results exposed through the SoapContext to user code • Hosted in an IIS thread or a custom EXE

  20. Apache WSS4J • AXIS • No.1 Java Web Services stack, currently 1.21 • Implements XSD 1.0, SOAP 1.1, WSDL 1.1 • Also available for C++ wonks • WSS4J • Add-On to Java Axis • Implements OASIS WS-Security • OASIS Web Services Security: SOAP Message Security 1.0 Standard 200401, March 2004 • Username Token profile V1.0 • X.509 Token Profile V1.0
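The Username Token Profile named on slide 20 defines a PasswordDigest so the password itself never travels. The following is an added Go example, not WSS4J or WSE code, that computes the digest and checks it on the receiving side together with the two controls that make a digest useful: a freshness window on wsu:Created and a one-time nonce. User name, password, nonces and timestamps are constructed; the digest follows the usual reading of the profile (decoded nonce bytes, then the Created string, then the password).

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// UsernameToken mirrors the fields of a wsse:UsernameToken carrying a PasswordDigest.
type UsernameToken struct {
	Username string
	Digest   string // Base64(SHA-1(nonce || created || password)), as the profile defines it
	Nonce    string // Base64 of random bytes chosen by the sender for this one token
	Created  string // wsu:Created, UTC timestamp (xsd:dateTime / RFC 3339)
}

// PasswordDigest computes the profile's digest over the decoded nonce bytes, the
// Created string and the password, and Base64-encodes the SHA-1 result.
func PasswordDigest(nonceB64, created, password string) (string, error) {
	nonce, err := base64.StdEncoding.DecodeString(nonceB64)
	if err != nil { return "", err }
	h := sha1.New()
	h.Write(nonce); h.Write([]byte(created)); h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// Verifier is the receiving side: it recomputes the digest and rejects stale or replayed tokens.
type Verifier struct {
	Passwords map[string]string   // username -> password (constructed demo store)
	Seen      map[string]struct{} // nonces already accepted inside the freshness window
	Window    time.Duration       // allowed clock skew / token age
	Now       func() time.Time    // injectable clock
}

func (v *Verifier) Verify(tok UsernameToken) error {
	pw, ok := v.Passwords[tok.Username]
	if !ok { return errors.New("unknown user") }
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil { return errors.New("unparsable Created") }
	if age := v.Now().Sub(created); age > v.Window || age < -v.Window { return errors.New("token outside freshness window") }
	if _, replayed := v.Seen[tok.Nonce]; replayed { return errors.New("nonce already used") }
	want, err := PasswordDigest(tok.Nonce, tok.Created, pw)
	if err != nil || subtle.ConstantTimeCompare([]byte(want), []byte(tok.Digest)) != 1 {
		return errors.New("password digest mismatch")
	}
	v.Seen[tok.Nonce] = struct{}{} // remember the nonce only after a successful check
	return nil
}
```

Entries in Seen can be dropped once their Created value falls outside Window, which keeps the replay cache bounded.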

  21. Axis and WSS4J (figure) • Client side: Client Application → AxisClient → WSS4J Sender (Encryption and/or DigSig) → SOAP message • Server side: TransportListener → AxisServer → WSS4J Receiver (Decryption and/or Sig Verification) → WebService

  22. Recommendations • Do I need security? Which flavor? • Consider carefully: message vs. transport security • Message security may be expensive • Interop efforts are ongoing – not yet perfect • Next generation stacks (like Microsoft’s WCF or next version of WebSphere) will augment the level of interop

  23. In-depth support and consulting for software architects and developers • http://www.thinktecture.com/ • christian.weyer@thinktecture.com
