Security Problems (and Solutions) for Service Oriented Applications

Slides:



Advertisements
Similar presentations
cetis Really Complex Web Service Specifications Scott Wilson.
Advertisements

CS651/551 Federated Trust Systems Alfred C. Weaver
Francisco Gonzalez Mario Rincon.  Apache CXF is an open source services framework.  CXF helps you build and develop services using frontend programming.
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Web Service Security CS409 Application Services Even Semester 2007.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
ServiceMix future Jean-Baptiste Onofré, Talend
Enterprise SOA, Apache Style Hadrian Zbarcea (Talend) - Daniel Kulp (Talend) –
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.
Web services security I
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Security COMP6017 Topics on Web Services Dr Nicholas Gibbins –
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Navigating the Standards Landscape Andrew Owen SEARCH.
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
Secure Systems Research Group - FAU Patterns for Web Services Security Standards Presented by Keiko Hashizume.
Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Mr. Abdelkrim Boujraf, Unisys Mr. Andreas Schaad, SAP Research Mr. Mohammad Ashiqur Rahaman, SAP Research funded by EU Integrated Project R4eGov R4eGov.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
1 Thuy, Le Huu | Pentalog VN Web Services Security.
Web Services Security Patterns Alex Mackman CM Group Ltd
Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework.
Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.
University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.
Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.
Prabath Siriwardena, Director of Security, WSO2 Twitter
Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.
 SOPERA GmbH Apache CXF What's new? J. Daniel Kulp PMC Chair – Apache CXF ApacheCon US 2010.
WSO2 Identity Server. Small company (called company A) had few services deployed on one app server.
Access Policy - Federation March 23, 2016
Open standard based Identity Provisioning for Cloud
Symmetric and Asymmetric Encryption
Federation made simple
OGSA-WG Basic Profile Session #1 Security
Computer Communication & Networks
HMA Identity Management Status
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Web Services UNIT 5.
Grid & Web Service Security: Issues from the Private Sector
VistA Service Backplane Demo
NAAS 2.0 Features and Enhancements
Andrew Nash Chief Technology Officer, Reactivity
Multi-party Authentication in Web Services
Tim Bornholtz Director of Technology Services
WS-SecureConversation
The SOAP Story Martin Parry Developer & Platform Group Microsoft Ltd
THE WEB AND WEB SERVICES
Presentation transcript:

Security Problems (and Solutions) for Service Oriented Applications Daniel Kulp, Talend dkulp@apache.org, November 10, 2011

What I Will Cover SOA Security Concerns Types of Security Problems WS-* Solutions REST Solutions Apache CXF extensions Thoughts for the future

My Background J. Daniel Kulp Talend VP - OpenSource Development ASF Member PMC for CXF, Camel, WebService, Maven, Aries. Committer for ServiceMix

SOA Security Concerns Collection of Services that make up a complex application that solves complex problems. Primarily Web Services NOT just SOAP Includes REST Can include other technologies like CORBA, JMS, etc...

Security Problems Authentication Authorization Message Protection Data encryption Signatures Intermediaries Security Tokens Performance

WS-* Solutions “Well Defined” (OK: overly complex) specifications WS-Security WS-SecureConversation WS-SecurityPolicy WS-Trust Etc....

WS-Security How to sign SOAP messages to assure integrity.(based on XMLDsig) How to encrypt SOAP messages to assure confidentiality. (based on XML-Enc) How to attach security tokens to ascertain the sender's identity. X.509, Kerberos, UserNameToken, SAML

WS-SecurityPolicy Tries to address the “contract” of the Security requirements XML based WS-Policy fragments that describe the Security requirements of the service Contains the information about what needs to be includes, what needs to be signed, what needs to be encrypted, algorithms, etc...

WS-Trust Managing Security Tokens Issue, Renew, Cancel, Validate Support brokering trust relationships STS Consumer Provider Intermediary

WS-SecureConversation Attempt to address the “performance problem” of the WS-Security specifications. XML Signatures and Encryption using strong asymmetric keys is very expensive. WS-SecConv allows for a simpler symmetric key to be used after establishing a “session”. Extends WS-Trust

WS-* Addresses most of the security problems (performance may be the exception) Very complex Several “Profiles” defined to attempt to clarify and simplify things

REST HTTPS Basic Authentication NTLM/Digest Authentication OAuth Really, very few “standards”

Apache CXF – WS-* Covers the WS-* stuff very well Very well tested Very actively developed Highly interopable High performance (relative) New in 2.5.0 is an Enterprise Ready Security Token Service

Apache CXF - REST JAX-RS OAuth 1.0 Flows XML Message Protection Enveloped Enveloping Detached SAML Auth Header Token in Message Form value

Future Work OAuth 2.0 Single Sign-On / SAML SAML for Bearer token in OAuth 2.0 flows Performance (Streaming) WS-Federation for SSO Apache Fediz proposal to the Incubator

More Information CXF - http://cxf.apache.org Distribution contains several security samples Talend – http://talend.com Talend ESB has several examples and webinars covering security topics Blogs Colm - http://coheigea.blogspot.com/ Glen - http://www.jroller.com/gmazza/ Sergey - http://sberyozkin.blogspot.com/

Contact Daniel Kulp dkulp@apache.org http://dankulp.com/blog @DanKulp on Twitter

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.