SOA and Web Service Security. A Problem

Similar documents
Copyright 2012, Oracle and/or its affiliates. All rights reserved.

The increasing popularity of mobile devices is rapidly changing how and where we

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

This Working Paper provides an introduction to the web services security standards.

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Securing Web Services From Encryption to a Web Service Security Infrastructure

Flexible Identity Federation

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

PowerCenter Real-Time Development

Agenda. How to configure

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

Tech Titans: Lock it down, securing your Costpoint 7 deployments. Drew Roman, IT Solutions Director WJ Technologies L.L.C. GC-518

The Role of Identity Enabled Web Services in Cloud Computing

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Mobile Security. Policies, Standards, Frameworks, Guidelines

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Gateway Apps - Security Summary SECURITY SUMMARY

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

Biometric Single Sign-on using SAML Architecture & Design Strategies

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

How To Use Saml 2.0 Single Sign On With Qualysguard

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

17 March 2013 NIEM Web Services API Version 1.0 URI:

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

How to Implement Two-Way SSL Authentication in a Web Service

TIBCO ActiveMatrix BPM Single Sign-On

Authentication and Single Sign On

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Security Assertion Markup Language (SAML)

An Oracle White Paper Dec Oracle Access Management Security Token Service

JVA-122. Secure Java Web Development

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

Federated Identity Opportunities & Risks

Secure Identity in Cloud Computing

SAML-Based SSO Solution

Configuring EPM System for SAML2-based Federation Services SSO

TIBCO ActiveMatrix BPM Single Sign-On

Architecture of Enterprise Applications III Single Sign-On

Perceptive Experience Single Sign-On Solutions

SAML-Based SSO Solution

IBM Tivoli Federated Identity Manager

The Florida Department of Education s Single Sign-On Solution. July - August 2012

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Web Based Single Sign-On and Access Control

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

PARTNER INTEGRATION GUIDE. Edition 1.0

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

CS 356 Lecture 28 Internet Authentication. Spring 2013

SAP NetWeaver AS Java

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Building Secure Applications. James Tedrick

SAML SSO Configuration

HP Software as a Service. Federated SSO Guide

Implementation Guide SAP NetWeaver Identity Management Identity Provider

CA Performance Center

WebLogic Server 7.0 Single Sign-On: An Overview

How To Configure SAML Authentication for SAP NetWeaver Process Integration 7.1

Crawl Proxy Installation and Configuration Guide

Copyright: WhosOnLocation Limited

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

TIBCO Spotfire Platform IT Brief

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

<Insert Picture Here> Oracle Web Services Manager (WSM)

Using SAML for Single Sign-On in the SOA Software Platform

Biometric Single Sign-on using SAML

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Privacy in Cloud Computing Through Identity Management

Transport Layer Security Protocols

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

External Authentication with WebCT. What We ll Discuss

Lecture Notes for Advanced Web Security 2015

How-to: Single Sign-On

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

How to Implement Enterprise SAML SSO

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

T his feature is add-on service available to Enterprise accounts.

Extending DigiD to the Private Sector (DigiD-2)

SAML Security Option White Paper

SAML and OAUTH comparison

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

SAML Implementation Guidelines

Transcription:

SOA and Web Service Security A Problem Service-Oriented Architecture shift development focus from applications to services. Multiple applications can call the same services instead of copy/paste/modify their code. The problem is that exposed services can be called not only by legitimate applications. Being outside of application umbrella, exposed services need secure protection. Another legitimate application A legitimate application Services Hacker applications

SOA and Web Service Security Solution What: Service request must include: - Secure identification of an application requested a service - Prove that the application has the proper access rights - Prove that the data are protected and have not been changed How: Multiple layers of security provide better security. Using SSL over HTTP we ensure that all messages are encrypted This means that web users will access applications with the URL that starts with HTTPS: and served by the SSL port (usually 443) Another layer is to protect users from authentication fraud by establishing rules for password encryption and change password functionality. Working in Java environment, it is recommended to use Java encryption library and proven encryption mechanisms, versus homegrown encryption algorithms. Establish a single Security Guard protecting services deployed at multiple locations.

Web Service Security Guard A proxy web server is a single point of access for multiple internal and external consumers accessing multiple web services Proxy Web Server Security Guard Security Mechanisms: SSL Certificate and more Web Services deployed at Oracle Web Services deployed at Tibco platform Web Services deployed at WebLogic platform

How to access web services from Java applications 1. Use the keytool (from the java/bin directory) to import a certificate (for example, itsint_cert1.cer) into the Java keystore prompt>keytool -import -noprompt -keystore C:\java\jdk\jre\lib\security\cacerts -storepass changeit -file c:\temp\itswsint_cert1.cer -alias itsws 2. Include the HTTPS URL in the command line of a Java application (for example, starting the batch file) prompt>authclientxfire.bat https://tst.javaschool.com/authservice getroles ad testuser2 If Java or.net applications need to access a web service which requires HTTP Basic Authentication, the application should send a username and password in the HTTP header of the request. Every request, including the first, MUST contain the basic authentication data. The username and password are base-64 encoded in the Authorization HTTP header in this format: Basic <username>:<password>. See [RFC 1945] section 11.1 for more information

Authentication Rules and Tokens For application-based transactions, the following authentication mechanisms is recommended: 1. SSL Client (Mutual) Authentication For user-based transactions in which the Service Consumer is being used by a person, the following additional authentication mechanisms are recommended: 2. HTTP Basic Authentication 3. WS-Security UsernameToken to pass the username and password Or BinarySecurityToken as Kerberos Tickets or X.509 Certifications

Passing Tokens in the WS- Security SOAP Header Examples of the UsernameToken and BinarySecurityToken in the SOAP Headers <wsse:usernametoken> <wsse:username>{username}</wsse:username> <wsse:password Type="wsse:PasswordDigest">{encryptedPassword} </wsse:password> <wsse:nonce>{encryptedsiteid}</wsse:nonce> <wsu:created xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"> 2013-11-20T00:44:02Z</wsu:Created> </wsse:usernametoken> *The Nonce field is used to validate that the contents came from the current site *wsu:created field indicates when a particular element was added to the message <wsse:binarysecuritytoken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id= {SecurityTokenID}">{theToken} </wsse:binarysecuritytoken> Reference: WS-Security Specification WS-Security Addendum

<saml:assertion Example> Assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid </saml:assertion> Security Assertion Markup Language (SAML) SAML is an XML standard by OASIS to securely exchange user authentication and authorization data between web domains. Example of Using SAML for Google Apps, Where Google plays the role of a Service Provider Allows for web browser single sign-on (SSO) Defines three roles: - The principal (typically a user), - The identity provider (IdP), - The service provider (SP)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information