250 likes | 406 Views
Using WSS4J and Axis to Secure Web Services in the U. S. Government. Kevin T. Smith Technical Director, McDonald Bradley Inc. Agenda. Introduction Part 1 – Web Services Security Implementation for the Government’s Horizontal Fusion Program
E N D
Using WSS4J and Axisto Secure Web Servicesin the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc.
Agenda • Introduction • Part 1 – Web Services Security Implementation for the Government’s Horizontal Fusion Program • Part 2 – Web Services Security for a Not-To-Be-Named Current Government Program • Part 3 – Resources, code, etc.
Introduction • Kevin T. Smith • Director of SOA & Semantics Security Team (S3T) at McDonald Bradley • Focused on Information Assurance & SOA • Author/Co-Author of Several Technology Books and Articles • Contact Info: • ksmith@mcdonaldbradley.com or • kevintsmith@comcast.net
What is Horizontal Fusion (HF)? • From Web Site (http://www.horizontalfusion.dtic.mil/) : • “As an award-winning effort consistent with the goals and guidance for military transformation, Horizontal Fusion has been organized to focus technology on the information-sharing challenges of net-centric warfare and to demonstrate innovation and benefit quickly…” • “Horizontal Fusion deploys web-services to leverage existing and emerging technologies in a secure environment.” • From A Technology Perspective: • Lots of Data, Everything exposed as web services • Large amount of data, many participants, large amount of services • Much web service chaining, federated search capabilities • Government requirements mandated very strong security
HF Technology History • 2003 – Initial Phase, Deployment of Many Web Services • 2004 - Developed Security Toolkit using Apache WSS4J & Apache Axis handlers • Done for Axis 1.1 and 1.2 • Used WSS4J “snapshot” at that point + OpenSAML (updated WSS4J in early ’05) • 2004-Present : In Production
HF Message Format:NCES Security SOAP Messaging Net-Centric Enterprise Services http://www.disa.mil/main/prodsol/cs_nces.html
SAMLAssertion Authentication Statement Subject Security Roles Attribute Statement Subject Clearance Attribute Statement Subject Message Label Attribute Statement Use of SAML for Access Control In Request: • For Message Requests: • Security Roles of the User is sent in SAML in the SOAP Header • The Clearance of the Subject is sent in SAML • The Security Label of the Subject’s Request is also in SAML • For Message Responses: • The Security Label of the Response is set by the Web Service • The Server Handler Response Controls Access Based On The Label That Was Returned By the Web Service • If Label is Authorized for User, Server Handler Creates The Return Message, entering Security Label ofthe Message, and Digitally Signing The Message Before It is returned to the Requester In Response: SAMLAssertion Subject Message Label Attribute Statement
Back to Message Format: Use of SAML for Access Control • If SAML contains attributes • And local policy is expressed, • “local” PDP was used • -If SAML contains only identity, • “central” PDP was used
About Our Use of Axis Handlers • Security Handlers create secure messages • A Client Handler (on request) adds a WS-Security Header with a SAML Assertion on behalf of a subject (the user) (Client RequestFlow) • A Server Handler (on response) creates a WS-Security Header on behalf of the Web Service (Server Response Flow) • Security Handlers validate messages • A Server Handler (on request) validates a web service message, can control access by role – before the web service is called (Server RequestFlow) • A Client Handler (on response) validates the message created by the web service (Client Response Flow) Web Service Web Service Client Client Handler Server Handler
WS Client creates a “SecurityInfo” object and places it in the MessageContext for Apache Axis to use SecurityInfo object contains information about the Message being sent and the Subject for which the message is being sent Simple Example of Instantiating SecurityInfo: Examples of Passing the information to Axis: • VersionServiceLocator vsl = new VersionServiceLocator(); • Stub stubby = (Stub)vsl.getVersion(); • stubby._setProperty("SECURITY_INFO", sinfo); • Version v = (Version)stubby; • System.out.println(v.getVersion()); • javax.xml.rpc.Call call = vs.createCall(new QName(NS,port), "getVersion"); • call.setProperty("SECURITY_INFO", sinfo) • System.out.println(call.invoke(null)); Web Service Client Requests WS Client • SecurityInfo sinfo = new SecurityInfo("cn=Kevin T. Smith, o=McDonald Bradley, c=US"); • sinfo.addRole("user.operator"); • sinfo.addRole("user.analyst"); • sinfo.addSubjectClearanceDataItem("S"); • sinfo.addSubjectCitizenshipDataItem("USA"); • sinfo.addMessageClassificationDataItem("S");
Axis Client Request Flow Client Handler WS Client • Client Handler intercepts the message as part of the Axis Handler Chain • Client Handler pulls the SecurityInfo object from the MessageContext • SecurityInfo = (SecurityInfo)messageContext.getProperty(“SECURITY_INFO”); • Client Handler builds the WS-Security Header with WSS4J • Adds unique MessageId • Adds Timestamp • Adds SAML Assertion with data from SecurityInfo object. • Signs MessageId, Timestamp, SAML Assertion, and Message Body with certificate to create NCES Security-Compliant Message
Axis Server Request Flow Client Handler Server Handler WS Client WS • Server Handler intercepts the request message as part of the Axis Handler chain • Access Control: • Calls a service to check revocation status of certificate • Validates the signatures on the message • Verifies the Timestamp is within a configurable window & verifies that messageID has not been previously used to prevent replay attack • Determines if Subject can access this Service, based on attributes in SAML assertion & locally expressed policy, or via a call to Policy Service • If any of these fail, throws a SOAP fault • Creates a SecurityInfo object from the SAML assertion passed in • Web Service gets the message
Axis Server Response Flow Client Handler Server Handler WS WS Client • After processing the request, Web Service creates a SecurityInfo object for the label of the data and places it in the MessageContext before sending the response message. • Axis Server Handler intercepts the message as part of the Axis Handler chain. • Determines if the message contains a SOAP Fault. If so, it stops processing • It creates a NCES Secure message, but the SAML assertion now has the label of the data (no user information)
Client Response Flow Client Handler Server Handler WS WS Client • Response from server is intercepted by the Client Handler as part of the Axis Handler chain • If SOAP Fault is found in the message no authentication of message is done • Calls a service to check revocation status of certificate • Signature on MessageId, Timestamp, SAML Assertion, and Message body is verified. • MessageId uniqueness is verified. • Timestamp is validated against allowed window. • Message is returned to client for processing.
CVS PDS 4. 1. 5. 10. 2. 12. SWS Provider 9. Portal 3. 8. Client Handler Client Handler Server Handler Server Handler 6. IFIS 11. 7. 17. 18. 20. 14. 16. 13. 19. 15. Common Usage Example CVS
Use of WSS4J in Axis Handlers • Original development in 2004, used it with OpenSAML (it wasn’t a part of it back then) • Didn’t use WSS4J handlers, but used WSS4J objects with DOM manipulation to create security messages & validate them: • /* Create a WS-Security header in original document*/ • Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants); • /* Add more stuff to security header.. (left out for brevity)*/ • /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/ • /* Now, sign parts.. */ • Vector signParts = new Vector(); • WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); • signParts.add(samlP); • WSSignEnvelope signer = new WSSignEnvelope(); • signer.setKeyIdentifierType(m_keyid); • signer.setUserInfo(alias, pass); • signer.setParts(signParts); • Document signedDoc = signer.build(originalDoc, sloader.getCrypto()); • /* On validate.. */ • WSSecurityEngine engine = new WSSecurityEngine(); • engine.processSecurityHeader(doc, null, null, crypto);
Web Service Approach to Labels and Mandatory Access Control • MAC enforcement functionality at the Handler Level • On Request: • Authenticating Web Service Client sets clearance and citizenship of user and security label of message • Client Handler adds this to the message before signing It • Web Service Server Handler controls access based on message label, security label – based on “high water mark” of intended web service • Web Service, before it responds, can set a security label on response message • On Response: • Server Handler gets security label of message from WS returning data • Server Handler controls label access based on user’s clearance, and the security label of message • Server Handler creates message with label • Client Handler validates message • Web Service Client Gets Response
Use of WSS4J in Axis Handlers • Original development in 2004, used it with OpenSAML (it wasn’t a part of it back then) • Didn’t use WSS4J handlers, but used WSS4J objects with DOM manipulation to create security messages & validate them: • /* Create a WS-Security header in original document*/ • Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants); • /* Add more stuff to security header.. (left out for brevity)*/ • /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/ • /* Now, sign parts.. */ • Vector signParts = new Vector(); • WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); • signParts.add(samlP); • WSSignEnvelope signer = new WSSignEnvelope(); • signer.setKeyIdentifierType(m_keyid); • signer.setUserInfo(alias, pass); • signer.setParts(signParts); • Document signedDoc = signer.build(originalDoc, sloader.getCrypto()); • /* On validate.. */ • WSSecurityEngine engine = new WSSecurityEngine(); • engine.processSecurityHeader(doc, null, null, crypto);
Original Code on HF Web Site • Code with ANT build, examples, sample keystores was put on government site in 2004 • http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip
Security Architecture • Mutual SSL authentication between browser and web application to authenticate user identity • 2-way SSL between web application and web services to assert message sender identity • X.509 Certificate in WS-Security header used to assert user identity • WS using another security framework on back-end, but needed something on client side: Tomcat & Axis & WSS4J
A Glance at Axis/WSS4J Code //In Servlet/JSP code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); //.. //Put that in the property Axis uses VersionServiceLocator vsl = new VersionServiceLocator(); Stub stubby = (Stub)vsl.getVersion(); stubby._setProperty("CLIENT_CERT", certs[0]); //passes in the X509Certificate object Version v = (Version)stubby; System.out.println(v.getVersion()); //In client request handler: X509Certificate cert = (X509Certificate)inoutContext.getProperty("CLIENT_CERT"); /* Make a binarySecurityToken element */ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); Document doc = builder.newDocument(); org.apache.xml.security.Init.init(); X509Security binaryToken = new X509Security(doc); binaryToken.setX509Certificate(cert); /* Now create a WS-Security Header, and put the Binary Token Under It */ WSSecHeader wsh = new WSSecHeader(); wsh.setMustUnderstand(false); Element e = wsh.insertSecurityHeader(origDoc); Node dup = origDoc.importNode(binaryToken.getElement(), true); e.appendChild(dup); Message newMsg = (Message)toSOAPMessage(origDoc); inoutContext.setRequestMessage(newMsg);
Conclusion • We found that WSS4J and Apache Axis were easy to use to build a complex Web Services Security Solution • Interoperability issues – • Originally (in early 2004) WS-Security namespace changes made interoperability difficult • Now, no such problems – interoperates with .NET solutions, and Axis client handler with WSS4J in current project interoperates well with BEA weblogic ALSB security subsystem.