Suresh Inavolu
Agenda
Why Web services security
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
Why Web services security
What an attacker in the middle can do with an unprotected message:
1) Read the message: the PIN number of Customer1
2) Change the message: send the money to CustomerX instead
3) Create a new message and send it as if Customer1 were requesting it
<Request custId="Customer1" pin="myQw6k3z">
  <SendMoney to="Customer2" amount="10000"/>
</Request>
Security terms
1) Confidentiality: no one other than the receiver can understand the message
2) Integrity: the message has not been changed in transit
3) Authentication: the message was sent by the original sender
Cryptography
Shared key encryption
o Also called symmetric key encryption
Public key encryption
o Different keys (only the private key is kept secret)
XML Signatures
Used for authentication and data integrity.
Digital signatures
o Encrypt the hash of the message using the private key
Digital Signature (figure: signing on the sender side, verification on the receiver side)
Message:
<Request custId="Customer1" pin="myQw6k3z">
  <SendMoney to="Customer2" amount="10000"/>
</Request>
Sender: hash the message (50920620636403163), encrypt the hash with the private key and send the result (m1eRh4!pQ(zcB6) as the signature together with the message.
Receiver: hash the received message (50920620636403163) and decrypt the signature (m1eRh4!pQ(zcB6) with the sender's public key; the message is authentic and unmodified only if the two hashes match.
WS-Policy
Policy with four alternatives (ExactlyOne of several All groups):
<Policy>
  <ExactlyOne>
    <All>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
  </ExactlyOne>
</Policy>
Policy with two alternatives:
<Policy>
  <ExactlyOne>
    <All>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <sp:TransportBinding>...</sp:TransportBinding>
      <wsap:UsingAddressing/>
    </All>
  </ExactlyOne>
</Policy>
WS-PolicyAttachment
To attach a Policy to a WSDL document
o Using PolicyReference tag (RECOMMENDED)
  <wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface">
    <wsp:PolicyReference URI="#secure"/>
    <wsdl:operation name="GetRealQuote">...</wsdl:operation>
    ...
  </wsdl:binding>
o Using PolicyURIs attribute
  <wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface"
      wsp:PolicyURIs="www.localhost:8080/policies/policy.xml#secure">
    <wsdl:operation name="GetRealQuote">...</wsdl:operation>
    ...
  </wsdl:binding>
o Using PolicyAttachment
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsa:EndpointReference xmlns:fabrikam="">
        <wsa:Address>http://www.fabrikam123.example.com/acct</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
    <wsp:PolicyReference URI="#secure"/>
  </wsp:PolicyAttachment>
Effective Policy
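An added example (not from the slides, written in Python here) that serves both the ExactlyOne/All policies in the WS-Policy section and the PolicyReference attachment above: it normalizes a policy into its alternatives and merges the policies attached to a binding and to one of its operations into that operation's effective policy. The WSDL text, the sp/wsap namespace URIs and the policy ids are constructed for the example.

```python
import xml.etree.ElementTree as ET
from itertools import product

# Added example, not from the slides: normalize WS-Policy ExactlyOne/All into alternatives
# and compute the effective policy of a WSDL operation from its PolicyReference attachments.
# wsp/wsu are the WS-Policy 1.2 and WSS utility namespaces; sp/wsap URIs and the WSDL are constructed.
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"

def normalize(elem):
    """Alternatives of a policy element as a list of frozensets of assertion names:
    Policy and All are conjunctions (cross product), ExactlyOne is a disjunction (union)."""
    op = elem.tag.split("}")[-1]
    if op in ("Policy", "All"):
        alts = [frozenset()]
        for child in elem:
            alts = [a | b for a, b in product(alts, normalize(child))]
        return alts
    if op == "ExactlyOne":
        return [alt for child in elem for alt in normalize(child)]
    return [frozenset([op])]            # a leaf assertion such as TransportBinding

def effective_policy(root, *subjects):
    """Merge every policy attached to the subjects: one alternative per combination."""
    by_id = {p.get(WSU + "Id"): p for p in root.iter(WSP + "Policy")}   # resolve URI="#id"
    alts = [frozenset()]
    for subj in subjects:
        for ref in subj.findall(WSP + "PolicyReference"):
            uri = ref.get("URI")
            if not uri.startswith("#") or uri[1:] not in by_id:
                raise KeyError("unresolvable PolicyReference " + uri)
            alts = [a | b for a, b in product(alts, normalize(by_id[uri[1:]]))]
    return alts

WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL_NS[1:-1]}" xmlns:wsp="{WSP[1:-1]}" xmlns:wsu="{WSU[1:-1]}"
    xmlns:sp="urn:example:sp" xmlns:wsap="urn:example:wsap">
  <wsp:Policy wsu:Id="secure"><wsp:ExactlyOne><sp:TransportBinding/><sp:AsymmetricBinding/></wsp:ExactlyOne></wsp:Policy>
  <wsp:Policy wsu:Id="addr"><wsap:UsingAddressing/></wsp:Policy>
  <wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface">
    <wsp:PolicyReference URI="#secure"/>
    <wsdl:operation name="GetRealQuote"><wsp:PolicyReference URI="#addr"/></wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

def get_real_quote_policy():
    # Binding-level #secure merged with operation-level #addr for GetRealQuote.
    root = ET.fromstring(WSDL)
    binding = root.find(WSDL_NS + "binding")
    return effective_policy(root, binding, binding.find(WSDL_NS + "operation"))
```

For GetRealQuote the result has two alternatives, TransportBinding+UsingAddressing and AsymmetricBinding+UsingAddressing, because the operation inherits the binding's choice of security binding and adds its own addressing requirement.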
WS-SecurityPolicy
Standard way to define how to secure messages exchanged between Web services and clients
Used to publish the security requirements and constraints of a Web service using the WSDL specification
Assertions: Security binding assertions, Protection assertions, Token assertions, Protocol assertions
Sonic Create policy wizard
o Security Binding Assertion
o Protection Assertion
<wsp:Policy>
  <sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
Protection Assertions
Define which message parts or SOAP headers are protected
Sample WS Policy
<wsp:Policy wsu:Id="TransferMoney"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All alternative-id="TransferMoneyAlternative">
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:IncludeTimestamp></sp:IncludeTimestamp>
          <sp:EncryptBeforeSigning></sp:EncryptBeforeSigning>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax></sp:Lax>
            </wsp:Policy>
          </sp:Layout>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15></sp:TripleDesRsa15>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never'></sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:EncryptedParts>
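An added example, not from the slides: a Python check that reads an AsymmetricBinding like the one above and reports the tokens, algorithm suite, ordering, timestamp and layout it demands, flagging the legacy choices a reviewer would question in this sample. The POLICY string is a constructed, shortened form of the TransferMoney policy; the EncryptedParts body is my addition so that the document is well-formed.

```python
import xml.etree.ElementTree as ET
# Added example, not from the slides: read an AsymmetricBinding from a WS-SecurityPolicy
# and report what it demands. POLICY is a constructed, shortened form of the slide's
# TransferMoney sample, completed with an EncryptedParts body so that it parses.
NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}
INC = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/"
POLICY = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}">
 <wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
   <sp:IncludeTimestamp/><sp:EncryptBeforeSigning/>
   <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
   <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
   <sp:RecipientToken><wsp:Policy><sp:X509Token IncludeToken="{INC}Never"/></wsp:Policy></sp:RecipientToken>
   <sp:InitiatorToken><wsp:Policy><sp:X509Token IncludeToken="{INC}Always"/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local(elem):
    return elem.tag.split("}")[-1]

def describe_binding(policy_xml):
    """Summarize the AsymmetricBinding: tokens, algorithm suite, ordering, timestamp, layout."""
    binding = ET.fromstring(policy_xml).find(".//sp:AsymmetricBinding/wsp:Policy", NS)
    if binding is None:
        raise ValueError("policy has no AsymmetricBinding")
    def token(role):   # (token type, IncludeToken mode); the attribute is unprefixed as in the slide
        tok = binding.find(f"sp:{role}/wsp:Policy/*", NS)
        return local(tok), tok.get("IncludeToken", "").rsplit("/", 1)[-1]
    return {
        "initiator": token("InitiatorToken"),
        "recipient": token("RecipientToken"),
        "suite": local(binding.find("sp:AlgorithmSuite/wsp:Policy/*", NS)),
        "timestamp": binding.find("sp:IncludeTimestamp", NS) is not None,
        # sign-before-encrypt is the default when EncryptBeforeSigning is absent
        "order": "encrypt-then-sign" if binding.find("sp:EncryptBeforeSigning", NS) is not None else "sign-then-encrypt",
        "layout": local(binding.find("sp:Layout/wsp:Policy/*", NS)),
    }

def weaknesses(summary):
    """Rsa15 suites use RSA PKCS#1 v1.5 key transport, TripleDes suites use 3DES, no timestamp means no replay bound."""
    findings = []
    if "Rsa15" in summary["suite"]:
        findings.append("RSA PKCS#1 v1.5 key transport")
    if "TripleDes" in summary["suite"]:
        findings.append("3DES encryption")
    if not summary["timestamp"]:
        findings.append("no timestamp")
    return findings
```

On the sample, TripleDesRsa15 produces two findings while the included timestamp produces none; switching the suite to a Basic256Sha256 style suite clears both algorithm findings.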
Conclusion