Using WSS4J and Axis to Secure Web Services in the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc.

Presentation transcript:


Agenda
- Introduction
- Part 1 – Web Services Security Implementation for the Government’s Horizontal Fusion Program
- Part 2 – Web Services Security for a Not-To-Be-Named Current Government Program
- Part 3 – Resources, code, etc.

Introduction
- Kevin T. Smith
  - Director of SOA & Semantics Security Team (S3T) at McDonald Bradley
  - Focused on Information Assurance & SOA
- Author/Co-Author of Several Technology Books and Articles
- Contact Info:

Part 1: Horizontal Fusion

What is Horizontal Fusion (HF)?
From Web Site:
- “As an award-winning effort consistent with the goals and guidance for military transformation, Horizontal Fusion has been organized to focus technology on the information-sharing challenges of net-centric warfare and to demonstrate innovation and benefit quickly…”
- “Horizontal Fusion deploys web-services to leverage existing and emerging technologies in a secure environment.”
From A Technology Perspective:
- Lots of Data, Everything exposed as web services
- Large amount of data, many participants, large amount of services
- Much web service chaining, federated search capabilities
- Government requirements mandated very strong security

HF Technology History
- 2003 – Initial Phase, Deployment of Many Web Services
- Developed Security Toolkit using Apache WSS4J & Apache Axis handlers
  - Done for Axis 1.1 and 1.2
  - Used WSS4J “snapshot” at that point + OpenSAML (updated WSS4J in early ’05)
- 2004–Present: In Production

HF Message Format: NCES Security SOAP Messaging (NCES = Net-Centric Enterprise Services)

Use of SAML for Access Control
For Message Requests:
- The Security Roles of the User are sent in SAML in the SOAP Header
- The Clearance of the Subject is sent in SAML
- The Security Label of the Subject’s Request is also in SAML
For Message Responses:
- The Security Label of the Response is set by the Web Service
- The Server Handler Response Controls Access Based On The Label That Was Returned By the Web Service
- If Label is Authorized for User, Server Handler Creates The Return Message, entering Security Label of the Message, and Digitally Signing The Message Before It is returned to the Requester
Diagram: In Request, a SAMLAssertion carrying an Authentication Statement (Subject), a Clearance Attribute Statement (Subject), a Message Label Attribute Statement (Subject) and a Security Roles Attribute Statement (Subject). In Response, a SAMLAssertion carrying only a Message Label Attribute Statement (Subject).

Back to Message Format: Use of SAML for Access Control
- If SAML contains attributes and local policy is expressed, a “local” PDP was used
- If SAML contains only identity, a “central” PDP was used

About Our Use of Axis Handlers
Security Handlers create secure messages:
- A Client Handler (on request) adds a WS-Security Header with a SAML Assertion on behalf of a subject (the user) (Client RequestFlow)
- A Server Handler (on response) creates a WS-Security Header on behalf of the Web Service (Server Response Flow)
Security Handlers validate messages:
- A Server Handler (on request) validates a web service message, can control access by role – before the web service is called (Server RequestFlow)
- A Client Handler (on response) validates the message created by the web service (Client Response Flow)
Diagram: Web Service Client -> Client Handler -> Server Handler -> Web Service

Web Service Client Requests
- WS Client creates a “SecurityInfo” object and places it in the MessageContext for Apache Axis to use
  - SecurityInfo object contains information about the Message being sent and the Subject for which the message is being sent
- Simple Example of Instantiating SecurityInfo:

    // Subject DN, roles, clearance, citizenship and the label of the message being sent
    SecurityInfo sinfo = new SecurityInfo("cn=Kevin T. Smith, o=McDonald Bradley, c=US");
    sinfo.addRole("user.operator");
    sinfo.addRole("user.analyst");
    sinfo.addSubjectClearanceDataItem("S");
    sinfo.addSubjectCitizenshipDataItem("USA");
    sinfo.addMessageClassificationDataItem("S");

- Examples of Passing the information to Axis:

    // Dynamic invocation through a JAX-RPC Call
    javax.xml.rpc.Call call = vs.createCall(new QName(NS, port), "getVersion");
    call.setProperty("SECURITY_INFO", sinfo);
    System.out.println(call.invoke(null));

    // Generated stub: the property is read by the client handler from the MessageContext
    VersionServiceLocator vsl = new VersionServiceLocator();
    Stub stubby = (Stub) vsl.getVersion();
    stubby._setProperty("SECURITY_INFO", sinfo);
    Version v = (Version) stubby;
    System.out.println(v.getVersion());

Diagram: WS Client

Axis Client Request Flow
- Client Handler intercepts the message as part of the Axis Handler Chain
- Client Handler pulls the SecurityInfo object from the MessageContext

    SecurityInfo sinfo = (SecurityInfo) messageContext.getProperty("SECURITY_INFO");

- Client Handler builds the WS-Security Header with WSS4J
  - Adds unique MessageId
  - Adds Timestamp
  - Adds SAML Assertion with data from SecurityInfo object
  - Signs MessageId, Timestamp, SAML Assertion, and Message Body with certificate to create NCES Security-Compliant Message
Diagram: WS Client -> Client Handler

Axis Server Request Flow
- Server Handler intercepts the request message as part of the Axis Handler chain
- Access Control:
  - Calls a service to check revocation status of certificate
  - Validates the signatures on the message
  - Verifies the Timestamp is within a configurable window & verifies that the MessageID has not been previously used, to prevent replay attacks
  - Determines if Subject can access this Service, based on attributes in SAML assertion & locally expressed policy, or via a call to Policy Service
  - If any of these fail, throws a SOAP fault
- Creates a SecurityInfo object from the SAML assertion passed in
- Web Service gets the message
Diagram: WS Client -> Client Handler -> Server Handler -> WS

Axis Server Response Flow
- After processing the request, Web Service creates a SecurityInfo object for the label of the data and places it in the MessageContext before sending the response message.
- Axis Server Handler intercepts the message as part of the Axis Handler chain.
  - Determines if the message contains a SOAP Fault. If so, it stops processing
  - It creates an NCES Secure message, but the SAML assertion now has the label of the data (no user information)
Diagram: WS -> Server Handler -> Client Handler

Client Response Flow
- Response from server is intercepted by the Client Handler as part of the Axis Handler chain
- If a SOAP Fault is found in the message, no authentication of the message is done
- Calls a service to check revocation status of certificate
- Signature on MessageId, Timestamp, SAML Assertion, and Message body is verified
- MessageId uniqueness is verified
- Timestamp is validated against allowed window
- Message is returned to client for processing
Diagram: WS -> Server Handler -> Client Handler
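The freshness and replay checks that the Axis Server Request Flow and Client Response Flow slides describe (Timestamp inside a configurable window, MessageId never seen before), written out as an added example. This is not code from the HF toolkit, from Axis or from WSS4J: it assumes the handler has already verified the signature that covers the WS-Addressing MessageID and the Timestamp and has extracted both values, and the five-minute window and the sample message IDs are constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/** Replay guard of the kind a request or response handler applies after signature validation. */
public final class ReplayGuard {
    private final Duration window;                          // configurable allowed age / clock skew
    private final Map<String, Instant> seen = new HashMap<>(); // MessageID -> Timestamp it carried

    public ReplayGuard(Duration window) {
        this.window = window;
    }

    /** Returns null when the message is accepted, otherwise the reason the handler turns into a SOAP fault. */
    public synchronized String check(String messageId, Instant created, Instant now) {
        if (messageId == null || messageId.isEmpty()) {
            return "missing MessageID";
        }
        if (created == null) {
            return "missing Timestamp";
        }
        // Window check first: a message outside the window is rejected whether or not its ID is known.
        if (created.isBefore(now.minus(window))) {
            return "Timestamp expired";
        }
        if (created.isAfter(now.plus(window))) {
            return "Timestamp in the future";
        }
        // IDs whose Timestamp can no longer pass the window check can never be replayed, so drop them.
        evictExpired(now);
        if (seen.containsKey(messageId)) {
            return "duplicate MessageID (replay)";
        }
        seen.put(messageId, created);
        return null;
    }

    private void evictExpired(Instant now) {
        Instant cutoff = now.minus(window);
        for (Iterator<Map.Entry<String, Instant>> it = seen.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue().isBefore(cutoff)) {
                it.remove();
            }
        }
    }

    public synchronized int cachedIds() {
        return seen.size();
    }

    public static void main(String[] args) {
        ReplayGuard guard = new ReplayGuard(Duration.ofMinutes(5));
        Instant now = Instant.parse("2005-03-01T12:00:00Z");                  // constructed clock
        System.out.println(guard.check("uuid:msg-1", now.minusSeconds(30), now));   // null: accepted
        System.out.println(guard.check("uuid:msg-1", now.minusSeconds(30), now));   // duplicate MessageID
        System.out.println(guard.check("uuid:msg-2", now.minusSeconds(600), now));  // Timestamp expired
        System.out.println(guard.check("uuid:msg-3", now.plusSeconds(600), now));   // Timestamp in the future
        Instant later = now.plus(Duration.ofMinutes(6));
        System.out.println(guard.check("uuid:msg-4", later, later));               // null: accepted
        System.out.println(guard.cachedIds());                                     // 1: msg-1 was evicted
    }
}
```

The eviction cut-off is deliberately the same as the acceptance window: the cache stays bounded, yet no ID is forgotten while a message carrying it could still pass the Timestamp check. The checks only mean something because, as the slides state, MessageId and Timestamp are covered by the signature; an unsigned Timestamp could simply be rewritten. In a clustered deployment the seen-ID store would have to be shared across nodes.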

Common Usage Example (diagram only: Portal, IFIS and PDS SWS Provider, each with Client/Server Handlers, and CVS; steps numbered 1, 4, 8 and 11)

Use of WSS4J in Axis Handlers
- Original development in 2004, used it with OpenSAML (OpenSAML wasn’t a part of WSS4J back then)
- Didn’t use WSS4J handlers, but used WSS4J objects with DOM manipulation to create security messages & validate them:

    /* Create a WS-Security header in original document */
    Element securityHeader = WSSecurityUtil.getSecurityHeader(
            WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants);
    /* Add more stuff to security header.. (left out for brevity) */
    /* Then programmatically add things to security header: SAML, Timestamp, WS-Addressing MessageID, etc. */

    /* Now, sign parts.. */
    Vector signParts = new Vector();
    WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML");
    signParts.add(samlP);
    WSSignEnvelope signer = new WSSignEnvelope();
    signer.setKeyIdentifierType(m_keyid);
    signer.setUserInfo(alias, pass);      // keystore alias and password of the signing key
    signer.setParts(signParts);
    Document signedDoc = signer.build(originalDoc, sloader.getCrypto());

    /* On validate.. */
    WSSecurityEngine engine = new WSSecurityEngine();
    engine.processSecurityHeader(doc, null, null, crypto);

Web Service Approach to Labels and Mandatory Access Control
- MAC enforcement functionality at the Handler Level
On Request:
- Authenticating Web Service Client sets clearance and citizenship of user and security label of message
- Client Handler adds this to the message before signing it
- Web Service Server Handler controls access based on the message’s security label, compared against the “high water mark” of the intended web service
- Web Service, before it responds, can set a security label on the response message
On Response:
- Server Handler gets security label of message from WS returning data
- Server Handler controls label access based on the user’s clearance and the security label of the message
- Server Handler creates message with label
- Client Handler validates message
- Web Service Client gets Response
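A “local PDP” style decision of the kind the slides above attribute to the server handler: on the request, the message label against the service’s high water mark plus a role check; on the response, the user’s clearance against the label the web service set on its data. This is an added example, not code from the HF toolkit. The level ordering U < C < S < TS, the rule that the subject must hold a citizenship the data is releasable to, and the any-of role check are assumptions for illustration; the presentation only states that clearance, citizenship, roles and message label travel in the SAML assertion and that the handler raises a SOAP fault on failure.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Label, clearance and role checks as a handler-level policy decision point. */
public final class LabelPolicy {
    // Constructed ordering of classification levels, lowest to highest (assumption).
    private static final List<String> LEVELS = Arrays.asList("U", "C", "S", "TS");

    /** Position of a level in the ordering; an unknown level is rejected so the check fails closed. */
    static int rank(String level) {
        int i = LEVELS.indexOf(level);
        if (i < 0) {
            throw new IllegalArgumentException("unknown classification level: " + level);
        }
        return i;
    }

    /** Request side: the message label may not exceed the service's high water mark,
     *  and the subject must hold at least one role the service allows (any-of rule, assumed). */
    public static String checkRequest(String messageLabel, String serviceHighWaterMark,
                                      Set<String> subjectRoles, Set<String> allowedRoles) {
        if (rank(messageLabel) > rank(serviceHighWaterMark)) {
            return "message label " + messageLabel + " exceeds service high water mark " + serviceHighWaterMark;
        }
        if (Collections.disjoint(subjectRoles, allowedRoles)) {
            return "subject holds none of the roles " + allowedRoles;
        }
        return null; // accepted
    }

    /** Response side: the subject's clearance must dominate the label the service put on its data,
     *  and (assumed rule) the subject must hold a citizenship the data is releasable to. */
    public static String checkResponse(String subjectClearance, Set<String> subjectCitizenship,
                                       String dataLabel, Set<String> releasableTo) {
        if (rank(subjectClearance) < rank(dataLabel)) {
            return "clearance " + subjectClearance + " does not dominate data label " + dataLabel;
        }
        if (Collections.disjoint(subjectCitizenship, releasableTo)) {
            return "data is not releasable to " + subjectCitizenship;
        }
        return null; // accepted
    }

    static Set<String> setOf(String... items) {
        return new HashSet<>(Arrays.asList(items));
    }

    public static void main(String[] args) {
        // Constructed subject matching the SecurityInfo example: roles, clearance S, citizenship USA.
        Set<String> roles = setOf("user.operator", "user.analyst");
        System.out.println(checkRequest("S", "S", roles, setOf("user.analyst")));    // null: accepted
        System.out.println(checkRequest("TS", "S", roles, setOf("user.analyst")));   // label exceeds high water mark
        System.out.println(checkRequest("S", "S", roles, setOf("admin")));           // no matching role
        System.out.println(checkResponse("S", setOf("USA"), "S", setOf("USA")));    // null: accepted
        System.out.println(checkResponse("C", setOf("USA"), "S", setOf("USA")));    // clearance too low
        try {
            checkResponse("S", setOf("USA"), "X", setOf("USA"));                    // malformed label
        } catch (IllegalArgumentException ex) {
            System.out.println("SOAP fault: " + ex.getMessage());
        }
    }
}
```

A non-null reason, or the exception an unknown level raises, is what the handler would turn into the SOAP fault the slides mention; evaluating the label before the roles keeps the MAC decision independent of the discretionary one.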


Original Code on HF Web Site Code with ANT build, examples, sample keystores was put on government site in

Part 2: Use of WSS4J & Axis In Current Gov’t Program

Security Architecture
- Mutual SSL authentication between browser and web application to authenticate user identity
- 2-way SSL between web application and web services to assert message sender identity
- X.509 Certificate in WS-Security header used to assert user identity
- WS using another security framework on back-end, but needed something on client side: Tomcat & Axis & WSS4J

A Glance at Axis/WSS4J Code

    // In Servlet/JSP code: the certificate the browser presented during mutual SSL
    // (the attribute is null when no client certificate was presented)
    X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    // ..
    // Put that in the property Axis uses
    VersionServiceLocator vsl = new VersionServiceLocator();
    Stub stubby = (Stub) vsl.getVersion();
    stubby._setProperty("CLIENT_CERT", certs[0]);    // passes in the X509Certificate object
    Version v = (Version) stubby;
    System.out.println(v.getVersion());

    // In client request handler:
    X509Certificate cert = (X509Certificate) inoutContext.getProperty("CLIENT_CERT");
    /* Make a BinarySecurityToken element */
    DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    Document doc = builder.newDocument();
    org.apache.xml.security.Init.init();
    X509Security binaryToken = new X509Security(doc);
    binaryToken.setX509Certificate(cert);
    /* Now create a WS-Security Header, and put the Binary Token under it */
    WSSecHeader wsh = new WSSecHeader();
    wsh.setMustUnderstand(false);
    Element e = wsh.insertSecurityHeader(origDoc);
    Node dup = origDoc.importNode(binaryToken.getElement(), true);
    e.appendChild(dup);
    Message newMsg = (Message) toSOAPMessage(origDoc);  // helper that serialises the DOM back to an Axis Message
    inoutContext.setRequestMessage(newMsg);

Conclusion
- We found that WSS4J and Apache Axis were easy to use to build a complex Web Services Security Solution
- Interoperability issues:
  - Originally (in early 2004) WS-Security namespace changes made interoperability difficult
  - Now, no such problems: interoperates with .NET solutions, and the Axis client handler with WSS4J in the current project interoperates well with the BEA WebLogic ALSB security subsystem.

Questions?