Web Service Security Through A Guard Roxanne Yee Home Institution: University of Hawaiʻi at Mānoa Internship Site: Akimeka, LLC Mentor: Marc Lefebvre Advisor: Todd Lawson
Presentation Overview • Project Hierarchy and Motivation • Background and Terminology • Guard • Web Service Security • My Specific Part • Test Bench • An Example • Questions
Information Assurance (IA) Group • Cross Domain Solutions (CDS) Group • GWSG (Global Web Services Gateway) Project • Service Oriented Architecture (SOA) Test Lab • Customers • National Security Agency (NSA) • Defense Information Systems Agency (DISA)
GWSG Project Motivation • Goal • To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network (Diagram: Classified Network User → Unclassified Database)
GWSG Project Motivation • One Method Currently Used To Access Data (Diagram: Classified Network User (Soldier), Classified Database and Unclassified Database, linked by sneaker-net)
GWSG Project Motivation • Disadvantages to Current Methods • Redundancies of Data • Time Costly • Replication • Transportation • Need For Data Synchronization • Frequent Updates • No Guarantee of Data Availability • Extra Manpower by Man-In-The-Loop
GWSG Project Motivation • New Cross Domain Solution (CDS) • Web Services Technology (Diagram: Classified Network User (Soldier) ↔ Guard ↔ Unclassified Database)
SOA Test Lab Component • Goal • Evaluate Guards Specified by NSA and DISA • Compare capability and effectiveness to process message formats used by web services today • Provide the best guard solution given a specific situation in which the guard would be applied
My Part In The SOA Test Lab • Research and Document How To Implement Web Service Security • Controlled and Predictable Environment • Test Web Service • Findings To Be Used In SOA Test Lab • Foundation • Template
WSS, SOAP, and HTTP • WSS or WS-Security (Web Service Security) • OASIS (Organization for the Advancement of Structured Information Standards) • Applied to SOAP Messages • SOAP (Simple Object Access Protocol) • Message Format • HTTP (Hypertext Transfer Protocol) • Transport Protocol
The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface (Diagram: Client (soapUI) ↔ Server (Axis2); * SOAP Request and SOAP Response)
The Project: Open-Source Software • Server Side • Tomcat 6.0.16 • Axis2 1.4 • Rampart 1.4 • Client Side • soapUI 2.0.2
The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface (Diagram: Client (soapUI) ↔ Server (Axis2); * SOAP Request with WSS)
soapUI Outgoing Configuration • Interface used to apply WSS to the request sent to the server (screenshot)
A SOAP Message Request w/o WSS
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>
Usual Request soapUI Sends w/o WSS
A SOAP Message Request Header with WSS
<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527" xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
Additional WSS Information Applied To The Usual soapUI Request
The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface (Diagram: Client (soapUI) ↔ Server (Axis2); * SOAP Response with WSS)
services.xml Without Rampart
<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing"/>
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>
Usual Configuration Scheme For A Service on The Server
services.xml with Rampart
<module ref="rampart"/>
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Additional Code To Tell Rampart What Type of WSS To Expect
The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface (Diagram: Client (soapUI) ↔ Server (Axis2); * SOAP Messages with WSS)
The Project: Ultimate Purpose (Diagram: Client (soapUI) on the Classified side ↔ XML Firewall ↔ Guard ↔ XML Firewall ↔ Server (Axis2) on the Unclassified side; currently both ends run on localhost; * SOAP over HTTP with WSS; * Proprietary Format over Proprietary Protocol)
WSS Mechanisms Attempted • User Name Token • Username and Password • Timestamp • Time to Live • Encryption • Confidentiality • Signature • Integrity and Authentication
An Example: Test Web Service (Diagram: Client sends "Hi!" → Server echoes "Hi!")
An Example: Valid User Name Token (Diagram: Client sends correct username and password → Server responds with Echo)
An Example: Invalid User Name Token (Diagram: Client sends incorrect username and/or password → Server responds with Error)
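The three example slides above, and the UsernameToken header shown earlier, as an added worked example in Python. This is not code from the presentation, from soapUI or from Axis2/Rampart: build_request plays the soapUI client and emits the SOAP 1.2 echo request with a wsse:Security header; handle_request plays the Rampart-protected server and returns "echo" for a correct username and password and "error" otherwise. It goes one step beyond the slides by also carrying a wsu:Timestamp (the "Time to Live" mechanism from the WSS Mechanisms slide) and rejecting expired messages. Assumptions: the USERS dictionary is a constructed stand-in for the PWCBHandler password callback, the function names are hypothetical, and the full OASIS WSS 1.0 namespace URIs are the standard ones the slides abbreviate with "…".

```python
"""Added example: WS-Security UsernameToken + Timestamp on a SOAP 1.2 echo request.

Stands in for the soapUI client and the Axis2/Rampart server from the slides;
it is not code from either project.
"""
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
SAM_NS = "http://sample01.policy.samples.rampart.apache.org"
# Standard OASIS WSS 1.0 namespaces (the slides abbreviate these with "...")
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

for prefix, uri in (("soap", SOAP_NS), ("sam", SAM_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)

# Constructed credential store; plays the role of Rampart's password callback
# class (PWCBHandler in the slides), which hands the server the expected password.
USERS = {"alice": "bobPW"}


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(text):
    try:
        return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def build_request(username, password, text, ttl_seconds=300, now=None):
    """Client side: the echo request with a wsse:Security header (UsernameToken + Timestamp)."""
    now = now or datetime.now(timezone.utc)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                        {f"{{{SOAP_NS}}}mustUnderstand": "true"})
    ts = ET.SubElement(sec, f"{{{WSU_NS}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU_NS}}}Created").text = _iso(now)
    ET.SubElement(ts, f"{{{WSU_NS}}}Expires").text = _iso(now + timedelta(seconds=ttl_seconds))
    token = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken",
                          {f"{{{WSU_NS}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    echo = ET.SubElement(body, f"{{{SAM_NS}}}echo")
    ET.SubElement(echo, f"{{{SAM_NS}}}param0").text = text
    return ET.tostring(env, encoding="unicode")


def handle_request(xml_text, users=USERS, now=None):
    """Server side: ("echo", text) for a valid token, ("error", reason) otherwise."""
    now = now or datetime.now(timezone.utc)
    env = ET.fromstring(xml_text)
    sec = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        return ("error", "missing wsse:Security header")
    # Timestamp: reject stale or not-yet-valid messages (the slides' "Time to Live")
    ts = sec.find(f"{{{WSU_NS}}}Timestamp")
    created = _parse(ts.findtext(f"{{{WSU_NS}}}Created")) if ts is not None else None
    expires = _parse(ts.findtext(f"{{{WSU_NS}}}Expires")) if ts is not None else None
    if created is None or expires is None or not (created <= now < expires):
        return ("error", "timestamp missing, expired or not yet valid")
    # UsernameToken: only PasswordText is accepted here, matching the slides' policy
    token = sec.find(f"{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return ("error", "missing wsse:UsernameToken")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    if pw_el is None or pw_el.get("Type") != PASSWORD_TEXT:
        return ("error", "missing or unsupported password type")
    user = token.findtext(f"{{{WSSE_NS}}}Username") or ""
    expected = users.get(user, "")
    # compare_digest avoids leaking how many leading characters of the password matched
    if not expected or not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
        return ("error", "authentication failed")
    text = env.findtext(f"{{{SOAP_NS}}}Body/{{{SAM_NS}}}echo/{{{SAM_NS}}}param0")
    return ("echo", text)


if __name__ == "__main__":
    good = build_request("alice", "bobPW", "Hi!")
    print(good)
    print(handle_request(good))
    print(handle_request(build_request("alice", "wrong", "Hi!")))
```

Because the token uses PasswordText, the password travels in the clear inside the envelope; on the test bench that is confined to the localhost interface, and in the deployed architecture it is the guard and the XML firewalls, or the Encryption mechanism from the WSS Mechanisms slide, that have to keep it private.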
Acknowledgements VP Operations Matt Granger Program Manager Todd Lawson Mentor Marc Lefebvre GWSG Bryan Berkowitz Casey McGinty Scott Oshita Christopher Paris Derek Terawaki Helpful Coworkers Conrado Cortez Deanna Garcia Mark Mizubayashi Former Cubiclemates Ellen Federoff Kelly Ledford And Everyone Else Who Made Me Feel Welcome!
Acknowledgements Maui Akamai Internship Program Funding Center for Adaptive Optics (CfAO) • National Science Foundation and Technology Center Grant (#AST-987683) Akamai Workforce Initiative • National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699) • University of Hawaiʻi Grant Program Staff Lisa Hunter Lani LeBron Scott Seagroves Lynne Raschke Short Course Instructors Dave Harrington Ryan Montgomery Isar Mostafanezhad Mark Pitts Sarah Sonnet And Everyone Else Who Contributed To This Valuable Experience!
Thank you! Any Questions?