WEB SERVICES SECURITY
Prashanth Kumar Muthoju

Agenda
- Web Services
- Web Services Security
- Examples
- WSE 2.0
- DEMO
- Q & A
Web Service?
1. A Web Service is a software component that is described via WSDL and is capable of being accessed via standard network protocols such as, but not limited to, SOAP over HTTP.
2. A Web service is an application that:
   - Runs on a Web server
   - Exposes Web methods to interested callers
   - Listens for HTTP requests representing commands to invoke Web methods
   - Executes Web methods and returns the results
For more info: www.oasis-open.org/committees/wsia/glossary/wsia-draft-glossary-03.htm
What web services can do for you (video presentation): http://www.microsoft.com/net/basics/webservicesoverview.asp
Web Services in a Nutshell (layered stack, reconstructed from the slide diagram)
- Transport: TCP/IP, UDP, ...
- Transfer: HTTP, SMTP, ...
- Envelope: MIME, DIME, BEEP, ...
- XML + Namespaces + Information Set; XML Schema; Canonical XML; RDF?, DAML?...
- SOAP
- WS messaging: WS-Routing, WS-Referral, Security (XML Encryption, XML Signature, SAML, License)
- WS coordination: WS-Coordination, WS-Transaction
- WS descriptions: WSDL, WSCI, BPEL4WS
- WS discovery: UDDI, WS-Inspection (Register, Search, Subscribe)
Web Services
- Interoperability
- Ease of consumption
- Use of standard protocols
- As usage grows, the need for security increases

Web Services Security
- Authentication
- Protocol level security
- Message level security

Authentication types:
- Direct
- Brokered
Message Protection:
- Data Confidentiality: encryption keys; preventing a hacker from manipulating messages in transit
- Data Origin Authentication:
  - Data Integrity: has the data been tampered with?
  - Authenticity: is it from the original sender?

XML messages convey security information:
- Credentials
- Digital signatures
- Messages can be encrypted
(Figure: Client -> Any Transport -> Service)
XML security is independent of the transport protocol.

Protocol Level Security: security implemented in the protocol itself, e.g. SSL
Web Services Enhancements (WSE 2.0):
- A supported add-on for Microsoft VS.NET and the .NET Framework
- Provides advanced Web Service capabilities
- Download at http://www.microsoft.com/downloads/details.aspx?familyid=1ba1f631-c3e7-420a-bc1e-ef18bab66122&displaylang=en
- For easy development of secure web services according to the specifications published by Microsoft: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx
WS-* Specifications:
Security Specifications:
- WS-Security: SOAP Message Security
- WS-Security: UsernameToken Profile
- WS-Security: X.509 Certificate Token Profile
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Trust
- WS-Federation
- WS-Federation Active Requestor Profile
- WS-Federation Passive Requestor Profile
- WS-Security: Kerberos Binding
- Web Single Sign-On Interoperability Profile
- Web Single Sign-On Metadata Exchange Protocol
More info: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnglobspec/html/wssecurspecindex.asp
Username Tokens:
- Simple method of conveying a username
- The password is used to generate a secret key for signing and encrypting
- The password can be sent as plaintext or as a digest
- The digest uses a timestamp value valid within a time window
- WSE provides a built-in replay detection mechanism
- WSE automatically creates a Windows Principal for plain-text passwords
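The digest form of the Username Token described above, as an added example that is not part of the original slides or of WSE: the client computes PasswordDigest = Base64(SHA-1(nonce + created + password)) per the WS-Security UsernameToken Profile and emits the wsse:UsernameToken header; the server recomputes the digest, enforces a time window on wsu:Created, and keeps a nonce cache for replay detection. The in-memory password store, the user names and the five-minute window are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format (UTC, second precision)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username: str, password: str, created: str = None) -> dict:
    """Client side: fresh random nonce, timestamp, and a digest instead of the plaintext password."""
    created = created or datetime.now(timezone.utc).strftime(TS)
    nonce = secrets.token_bytes(16)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

def to_soap_header(t: dict) -> str:
    """Render the token as the wsse:UsernameToken element carried in the SOAP Security header."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(t["Username"])}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{t["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce>{t["Nonce"]}</wsse:Nonce><wsu:Created>{t["Created"]}</wsu:Created>'
            '</wsse:UsernameToken>')

class UsernameTokenVerifier:
    def __init__(self, passwords: dict, window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords  # constructed sample store; digest auth needs the password itself
        self.window = window
        self.seen = set()           # accepted (nonce, created) pairs; prune entries older than window

    def verify(self, t: dict, now: str = None) -> str:
        now_dt = datetime.strptime(now or datetime.now(timezone.utc).strftime(TS), TS)
        if t["Username"] not in self.passwords:
            return "unknown user"
        if abs(now_dt - datetime.strptime(t["Created"], TS)) > self.window:
            return "outside time window"  # stale or future-dated token
        expected = password_digest(base64.b64decode(t["Nonce"]), t["Created"], self.passwords[t["Username"]])
        if not hmac.compare_digest(expected, t["PasswordDigest"]):
            return "bad digest"           # wrong password or tampered token
        if (t["Nonce"], t["Created"]) in self.seen:
            return "replay"               # same nonce and timestamp already accepted inside the window
        self.seen.add((t["Nonce"], t["Created"]))
        return "ok"
```

Note that digest verification requires the server to hold the password itself (or a value equivalent to it), which is one reason the profile is usually combined with transport protection such as SSL.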
DEMO
Web Service Security using:
1. Windows Integrated Authentication
2. Windows Basic Authentication
3. SOAP header based authentication
Using WSE 2.0:
- Using Username Tokens
- Using Kerberos Tokens (code only)

CONCLUSION:
With the use of enhanced add-ons like WSE, .NET can provide more secure web services.

REFERENCES:
1. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
2. Wrox: Beginning ASP.NET 2.0
3. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
4. http://msdn.microsoft.com/webservices/webservices/building/wse
Q & A
Thank you !