
Web Service Security

Web Service Security. Akylbek Zhumabayev, September 2008.


Presentation Transcript


1. Web Service Security
  Akylbek Zhumabayev, September 2008

2. Agenda
  • Security Fundamentals
  • Web Service (WS)
  • Transport vs. Message
  • Interoperability
  • Open Standards
  • WS Architecture
  • Implementations
  • WS-I
  • Conclusion

3. Security Fundamentals
  • Cryptography: symmetric vs. asymmetric
  • Hash, digest, signature, certificate
  • “In-depth” (defence-in-depth) strategy
  • Security dimensions:
    • Confidentiality
    • Integrity
    • Authentication
    • Authorization
    • Logging

4. Web Service (WS)
  • SOA: loose coupling (as opposed to RPC)
  • SOAP Web Service:
    • Language: XML
    • Message protocol: SOAP
    • Transport protocol: HTTP
    • Service description format: WSDL
    • Service discovery protocol: UDDI

5. Transport vs. Message
  Communication security
  • Transport level (e.g. TLS): full encryption of the channel, fast
  • Message level (e.g. WS-Security): protection travels with the message, so it supports intermediate nodes
  (Diagram: WS client, SOAP message layer, transport layer)
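Added example, not code from the presentation, illustrating slide 5's point: an integrity check carried inside the SOAP message survives an intermediary that adds WS-Addressing routing headers, while any change to the Body is caught by the final receiver. It uses HMAC-SHA256 over the canonicalized Body as a simplified stand-in for WS-Security with XML-Signature; the `BodyMAC` element, the `m` application namespace and the sample envelope are constructed assumptions.

```python
"""Message-level integrity for a SOAP Body (simplified stand-in for
WS-Security/XML-Signature): a MAC over the canonicalized Body rides in the
Security header, so routing headers may be added but Body changes are detected."""
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
NS = {"s": SOAP, "wsse": WSSE, "wsa": WSA, "m": "urn:example:bank"}  # "m": constructed app namespace
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample request (not from the presentation).
SAMPLE = (f'<s:Envelope xmlns:s="{SOAP}"><s:Header/><s:Body><m:Transfer xmlns:m='
          '"urn:example:bank"><m:Amount>100</m:Amount></m:Transfer></s:Body></s:Envelope>')

def body_mac(envelope_xml, key):
    """HMAC-SHA256 over the C14N-2.0-canonicalized s:Body, Base64-encoded.
    (Real XML-Signature uses exclusive C14N plus a key/certificate reference.)"""
    body = ET.fromstring(envelope_xml).find("s:Body", NS)
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True)
    return base64.b64encode(hmac.new(key, c14n.encode(), hashlib.sha256).digest()).decode()

def protect(envelope_xml, key):
    """Sender: add wsse:Security with a hypothetical BodyMAC element (stands in for ds:Signature)."""
    root = ET.fromstring(envelope_xml)
    sec = ET.SubElement(root.find("s:Header", NS), f"{{{WSSE}}}Security")
    ET.SubElement(sec, f"{{{WSSE}}}BodyMAC").text = body_mac(envelope_xml, key)
    return ET.tostring(root, encoding="unicode")

def verify(envelope_xml, key):
    """Final receiver: recompute the MAC over the Body and compare in constant time."""
    node = ET.fromstring(envelope_xml).find("s:Header/wsse:Security/wsse:BodyMAC", NS)
    if node is None:
        return False
    return hmac.compare_digest((node.text or "").encode(), body_mac(envelope_xml, key).encode())

def add_routing_header(envelope_xml, to):
    """Honest intermediary: add a WS-Addressing header; the Body is untouched."""
    root = ET.fromstring(envelope_xml)
    ET.SubElement(root.find("s:Header", NS), f"{{{WSA}}}To").text = to
    return ET.tostring(root, encoding="unicode")

def tamper_body(envelope_xml, amount):
    """Misbehaving intermediary: change the transfer amount inside the Body."""
    root = ET.fromstring(envelope_xml)
    root.find(".//m:Amount", NS).text = amount
    return ET.tostring(root, encoding="unicode")
```

With transport-level security alone, the receiving hop would only know the channel from the last intermediary was intact; the header check above is what gives the final receiver end-to-end evidence about the Body.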

6. Interoperability
  • XML and SOAP alone are not enough
  • OASIS and W3C developed the open standards
  • WS-I governs how the standards are applied, through profiles:
    • Basic Profile 1.2 (2.0 now in progress)
    • Basic Security Profile 1.1 (in progress)
  • WSIT: Sun + Microsoft = 100% compatible
  • Java-based solutions: JAX-RPC -> JAX-WS

7. Open Standards
  • Main WS standards: HTTP, SOAP, WSDL, UDDI, WS-Addressing
  • Main WS security standards: XML-Encryption, XML-Signature, WS-Security, WS-Trust, WS-Policy

8. WS Architecture
  Communication layers (like an onion), from base to resource:
  • Base layer: HTTP, file system
  • Language: XML
  • Protocol: SOAP, WSDL
  • Supporting layer: WS-Addressing, MTOM, WS-Policy
  • Security layer: WS-Security, SAML, WS-SecurityPolicy, XACML, WS-Trust, WS-SecureConversation, WS-Federation
  • Resource

9. Implementations
  • Microsoft:
    • Windows Communication Foundation (WCF)
  • Java-based (open source):
    • Sun WSIT
    • Apache Axis2
    • Apache CXF
  • Other proprietary or specialised solutions

10. Java-based WS
  (Diagram of the Java-based WS stack by application server, framework and HTTP server, naming Glassfish, Geronimo, Tomcat, Jetty, Java 6, Metro/WSIT, Axis, Axis2, CXF, Spring WS and WSO2)

11. WS-I Basic Profile 2.0
  • HTTP/1.1
  • TLS 1.0
  • SSL 3.0
  • XML 1.0
  • SOAP 1.2
  • WSDL 1.1
  • UDDI 2.04
  • WS-Addressing 1.0

12. WS-I Basic Security Profile 1.1
  • WS-I Basic Profile 1.1
  • Simple SOAP Binding Profile (SSBP) 1.0
  • Attachments Profile (AP) 1.0
  • XML-Signature
  • XML-Encryption
  • WS-Security 1.1

13. Conclusion
  • SOAP WS over HTTP is still popular
  • Too many WS standards
  • Java-based solutions cover many scenarios
  • Insecure (unprotected) WS solutions interoperate
  • Secure WS solutions are not 100% interoperable
