Java Technology and Web Services Security in Action

Similar documents
Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Presented By: Muhammad Afzal 08May, 2009

An Oracle White Paper Dec Oracle Access Management Security Token Service

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

Web Services Security with SOAP Security Proxies

NIST s Guide to Secure Web Services

Securing Web Services From Encryption to a Web Service Security Infrastructure

Biometric Single Sign-on using SAML Architecture & Design Strategies

Software Requirement Specification Web Services Security

This Working Paper provides an introduction to the web services security standards.

Java Security Web Services Security (Overview) Lecture 9

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

Szolgáltatásorientált rendszerintegráció. WS-* standards

Web Services Development for IBM WebSphere Application Server V7.0. Version: Demo. Page <<1/10>>

Biometric Single Sign-on using SAML

1 What Are Web Services?

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

Developing Java Web Services

1 What Are Web Services?

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Service Virtualization: Managing Change in a Service-Oriented Architecture

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

<Insert Picture Here> Oracle Web Services Manager (WSM)

AquaLogic Service Bus

Federated Identity and Trust Management

An Oracle White Paper November Oracle Primavera P6 EPPM Integrations with Web Services and Events

ITS. Java WebService. ITS Data-Solutions Pvt Ltd BENEFITS OF ATTENDANCE:

JAVA API FOR XML WEB SERVICES INTRODUCTION TO JAX-WS, THE JAVA API FOR XML BASED WEB SERVICES (SOAP, WSDL)

Java Web Services Training

JVA-561. Developing SOAP Web Services in Java

REST and SOAP Services with Apache CXF

A pattern for the WS-Trust standard for web services

Chapter 1: Web Services Testing and soapui

02267: Software Development of Web Services

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

The Role of Identity Enabled Web Services in Cloud Computing

Network Security Protocols

Federated Identity Management Solutions

Securely Managing and Exposing Web Services & Applications

Securing SOA and Web Services with Oracle Enterprise Gateway

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

CA SOA Security Manager

UDDI v3: The Registry Standard for SOA

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

JVA-122. Secure Java Web Development

SOA Best Practices (from monolithic to service-oriented)

CICS Identity and Security

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

WEB SERVICES. Revised 9/29/2015

Digital Signature Web Service Interface

WEB SERVICES SECURITY

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Security Assertion Markup Language (SAML)

Assessing the usefulness of the WS-I tools for interoperability testing

Oracle SOA Suite Then and Now:

igovt logon service Context Mapping Service (icms) Messaging Specification Release 9.6

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Introduction to Oracle WebLogic. Presented by: Fatna Belqasmi, PhD, Researcher at Ericsson

Enterprise Applikation Integration und Service-orientierte Architekturen. 10 Webservices Addons

Introduction to WS-Policy

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec

JAVA API FOR XML WEB SERVICES (JAX-WS)

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Securing Java Web Services

MODELING AND ANALYSIS OF SECURITY STANDARDS FOR WEB SERVICES AND CLOUD COMPUTING. Ola Ajaj. A Dissertation Submitted to the Faculty of

The Global Justice Reference Architecture (JRA) Web Services Service Interaction Profile

Managing SOA Security and Operations with SecureSpan

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

Secure Services withapache CXF

CS 356 Lecture 28 Internet Authentication. Spring 2013

Introduction to CASA: An Open Source Composite Application Editor

XML Signatures in an Enterprise Service Bus Environment

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

Securing Web Services with WS-Security

Reducing SOA Identity Fatigue through Automated Identity Testing

Using mobile phones to access Web Services in a secure way. Dan Marinescu

GRA Reliable Secure Web Services Service Interaction Profile Version 1.2 Table of Contents

Server based signature service. Overview

Authentication and Single Sign On

Web services payment systems. Master Thesis Technical University of Denmark

Oracle Application Server 10g Web Services Frequently Asked Questions Oct, 2006

Leveraging Service Oriented Architecture (SOA) to integrate Oracle Applications with SalesForce.com

Chapter 10. Cloud Security Mechanisms

JOHN KNEILING APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Oracle SOA Suite: The Evaluation from 10g to 11g

Single Sign-On Implementation Guide

Oracle Platform Security Services & Authorization Policy Manager. Vinay Shukla July 2010

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

CHAPTER - 3 WEB APPLICATION AND SECURITY

XIII. Service Oriented Computing. Laurea Triennale in Informatica Corso di Ingegneria del Software I A.A. 2006/2007 Andrea Polini

e-gov Architecture Service Interface Guidelines

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Introduction to Service-Oriented Architecture for Business Analysts

Federated Service Oriented Architecture for Effects-Based Operations

Table of Contents. iii

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Sometimes it's better to be STUCK! SAML Transportation Unit for Cryptographic Keys

Realtests.C questions

Transcription:

Java Technology and Web Services Security in Action Marc Chanliau and Vikas Jain Security Product Management Oracle Corporation www.oracle.com TS-8131 2007 JavaOne SM Conference Session TS-8131

Goal Learn about key industry and Java technology security standards and how they are implemented in protected serviceoriented architecture (SOA) deployments 2007 JavaOne SM Conference Session TS-8131 2

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 3

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 4

The Need for Security in SOA Environments Access to resources and services over HTTP (mainly) Insecure port 80 Readable messages (XML) Message-level security required Declarative security No hard-coded security Define security centrally Policies are in a single point of control and administration Enforce security locally Policy enforcement points are distributed across the environment Heterogeneous environments Industry standards for integration and interoperability Flexible deployment (multiple-platform support) 2007 JavaOne SM Conference Session TS-8131 5

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 6

Use Case #1: SOA Application Web Client ESB BPEL Process Receive Order Get Customer Info Customer service Verify Credit Credit Service Delivery Service ESB Fulfill Order Notify Customer Notification Service 2007 JavaOne SM Conference Session TS-8131 7

Use Case #1 Security Vulnerabilities Web Client ESB BPEL Process Receive Order Get Customer Info Customer service Verify Credit Credit Service Delivery Service ESB Fulfill Order Notify Customer Notification Service : Security vulnerabilities 2007 JavaOne SM Conference Session TS-8131 8

Use Case #2: Web Application Invoking Web Services Web Browser SSO Token Corporate Portal Procurement Application JAAS SAML Token Purchasing Service JAAS Kerberos Token Security Token Service Identity Propagation End-to-End Security Shipping Service JAAS = Java Authentication and Authorization Service 2007 JavaOne SM Conference Session TS-8131 9

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 10

Requirements Authentication Verify that the user is who she claims to be Authorization Access Control Verify that the authenticated user has access rights to the service invoked Confidentiality Hide whole or part of a document using encryption Integrity, non-repudiation Have an authority digitally sign a document Credential mediation Exchange security tokens in a trusted environment Service capabilities and constraints Define what a service can do, under what circumstances 2007 JavaOne SM Conference Session TS-8131 11

Key Industry-Standard Security Frameworks Trust Management, Federation XML Frameworks Metadata Message Structure Confidentiality, Integrity, Authenticity Non-XML Frameworks Transport Layer (HTTP, FTP, JMS, etc.) Transport-Level Security: Secure Socket Layer (SSL) Transmission Control Protocol and Internet Protocol (TCP/IP) JMS = Java Message Service 2007 JavaOne SM Conference Session TS-8131 12

Application-Level Security Complements transport-level security (SSL) Based on XML frameworks Confidentiality, Integrity, Authenticity XML Encryption, XML Signature Message Structure, Message Security SOAP, WS-Security Trust Management/Federation WS-Trust WS-SecureConversation Metadata WS-Policy, WS-PolicyAttachment WS-MetadataExchange 2007 JavaOne SM Conference Session TS-8131 13

Confidentiality, Integrity, Authenticity: XML Encryption, XML Signature XML Encryption (data confidentiality) How digital content is encrypted and decrypted How the encryption key information is passed to a recipient How encrypted data is identified to facilitate decryption XML Signature (data integrity, authenticity) Bind the sender s identity (or signing entity ) to an XML document Signing/signature verification can be done using asymmetric or symmetric keys Ensure non-repudiation of the signing entity Proves that messages have not been altered since they were signed 2007 JavaOne SM Conference Session TS-8131 14

Message Structure, Message Security: SOAP, WS-Security WS-Security defines how to attach XML Signature and XML Encryption headers to SOAP messages WS-Security provides profiles for 5 security tokens Username (with opt. pwd digest) X.509 cert Kerberos ticket SAML assertion REL (rights markup) document SOAP Envelope SOAP Envelope Header WS-Security Header Security Token SOAP Envelope Body Business Payload 2007 JavaOne SM Conference Session TS-8131 15

WS-Security With SAML Security Token SAML assertions and references to assertion identifiers are contained in the <wsse:security> element, which in turn is included in the <SOAP-ENV:Header> element (described in the WS-Security SAML Token Profile) <SOAP-ENV:Envelope> <SOAP-ENV:Header> <wsse:security> <saml:assertion> - - - </saml:assertion> </wsse:security> </SOAP-ENV:Header> <SOAP-ENV:Body> - - - </SOAP-ENV:Body> </SOAP-ENV:Envelope> 2007 JavaOne SM Conference Session TS-8131 16

WS-Trust WS-Security assumes parties already know each other and agree on the security token used WS-Trust addresses situations where trust must be brokered between parties that don t use the same security tokens A Security Token Service (STS) enables security token exchange, token issuance, and token validation WS-Trust defines a request/response protocol A client sends a RequestSecurityToken (RST) to the STS The STS replies with a RequestSecurityTokenResponse (RSTR) 2007 JavaOne SM Conference Session TS-8131 17

WS-SecureConversation WS-SecureConversation plays the same role in messagelevel security that SSL plays at the transport level WS-SecureConversation defines the creation and sharing of security contexts between communicating parties The <SecurityContextToken> (SCT) element supports the requirements of security contexts An SCT involves a shared secret used to sign and/or encrypt messages Derived keys are used for signing and encrypting messages associated with the security context WS-SecureConversation defines how derived keys are computed and passed 2007 JavaOne SM Conference Session TS-8131 18

WS-Policy WS-Policy enables one to specify policy information that can be used to access web services applications A policy is expressed as one or more policy assertions A policy assertion represents a capability or a requirement For example, a policy assertion may stipulate that a request to a web service be encrypted, or a policy assertion can define the maximum message size that a web service can accept The meaning of each assertion is specific to a particular domain, for example, security, reliability, or privacy 2007 JavaOne SM Conference Session TS-8131 19

WS-PolicyAttachment WS-PolicyAttachment defines how (WS-Policy) policies are attached to web services Policies can be bound to WSDL or UDDI <definitions>... <binding name="stockquotewebservicesoapbinding"...> <wsp:policyreference xmlns: URI="#SecureMessagePolicy"/> </binding> <wsp:policy wsu:id="securemessagepolicy"... > <sp:signedparts> <sp:body/> </sp:signedparts> <sp:encryptedparts> <sp:body/> </sp:encryptedparts> </wsp:policy>... </definitions> 2007 JavaOne SM Conference Session TS-8131 20

WS-MetadataExchange Defines how a client can request the metadata it needs to access and communicate with a web service endpoint Metadata can be WSDL, WS-Policy, schema Uses WS-Addressing to identify endpoints WS-MetadaExchange works as follows: A requester sends a GetMetadata request message to an endpoint The endpoint replies with a GetMetadata response message including a reference to the metadata section requested 2007 JavaOne SM Conference Session TS-8131 21

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 22

Java Technology Frameworks Java Platform, Enterprise Edition (Java EE platform) 5 Apache/WSO2 Vendor specific (Oracle, Sun, BEA, etc.) 2007 JavaOne SM Conference Session TS-8131 23

Java EE Platform 5 Application (Web Service) JAX-RPC, JAX-WS SAAJ JAAS Authentication WSIT WS-SecurityPolicy, WS-Trust, WS-I-BSP XWS-Security WS-Security and tokens Signature JSR 105 (RI) JCE/JCA Apache XML-Security Encryption Key store, crypto operations JAX-RPC = Java API for XML-based RPC JAX-WS = Java APIs for XML Web Services JSR = Java Specification Request SAAJ = The SOAP with Attachments API for Java JCE = Java Cryptography Extension JCA = Java Cryptography Architecture 2007 JavaOne SM Conference Session TS-8131 24

Apache/WSO2 Application Attachments Axis 1.x Axis 2 MTOM / XOP JAAS Authentication Apache Rampart WS-SecurityPolicy, WS-Trust, etc. Apache WSS4J Apache XML-Security JCE/JCA WS-Security and tokens Signature (JSR 105), Encryption Key store, crypto operations 2007 JavaOne SM Conference Session TS-8131 25

Vendor Specific (Oracle 11g) Application JAX-RPC, JAX-WS, Axis 1.x, Axis 2 OPS4J JAAS Authentication Oracle Web Services Manager (OWSM) Oracle Security Developer Tools (OSDT) JCE/JCA WS-Security and tokens, WS-I-BSP XML Signature and Encryption Key store, crypto operations 2007 JavaOne SM Conference Session TS-8131 26

Agenda The Need for Security in SOA Environments Define Once, Enforce Anywhere Paradigmatic Use Cases SOA Environments Web Applications Key Industry Standards XML Frameworks Java Technology Frameworks Implementation Choices Product Demo 2007 JavaOne SM Conference Session TS-8131 27

Application Server vs. External Security can be implemented in the application server or external to the application server Application Server security Focused on a specific platform (Oracle, BEA, Sun, etc.) External security (Oracle WSM, XML Appliances, etc.) Defined in a single policy manager Enforced across heterogeneous platforms Deployment flexibility Monitoring capabilities 2007 JavaOne SM Conference Session TS-8131 28

DEMO Web Services Security 2007 JavaOne SM Conference Session TS-8131 29

Demo Scenario Username token Oracle SOA Process Web Client Verify security Authenticate Set Subject Receive Order Get Customer Info Verify security Authenticate Set Subject SAML Verify Credit Credit Service Fulfill Order Notify Customer Read Subject Insert SAML token Secure message 2007 JavaOne SM Conference Session TS-8131 30

Summary SOA security is based on XML frameworks and Java technology standards Security includes authentication, authorization, integrity, confidentiality, trust SOA security should be externalized for flexible deployment and easier administration 2007 JavaOne SM Conference Session TS-8131 31

For More Information OASIS Web Services Security (WSS) TC http://www.oasis-open.org GlassFish XWSS http://xwss.dev.java.net Oracle Technology Network http://www.oracle.com/technology/products/middleware Blog http://ws-security.blogspot.com 2007 JavaOne SM Conference Session TS-8131 32

Q&A Marc Chanliau and Vikas Jain 2007 JavaOne SM Conference Session TS-8131 33

Java Technology and Web Services Security in Action Marc Chanliau and Vikas Jain Security Product Management Oracle Corporation www.oracle.com TS-8131 2007 JavaOne SM Conference Session TS-8131

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information