Prabath Siriwardena – Software Architect, WSO2

Plan for the session: Patterns, Standards, Implementations


Recurring Problems

Patterns: Authentication Patterns, Confidentiality Patterns, Authorization Patterns

1999

2004

2005 SAML2 Web SSO

2008/May

Authentication Patterns: Direct Authentication, Brokered Authentication

Direct Authentication for Web Services – Transport Level: Basic Authentication, Mutual Authentication (TLS client certificates), 2-legged OAuth (the consumer signs with its own key/secret; no resource-owner token)

Direct Authentication for Web Services – Message Level: UsernameToken Profile with WS-Security; Signing – X.509 Token Profile with WS-Security

Brokered Authentication for Web Services – Transport Level: Mutual Authentication, 2-legged OAuth

Brokered Authentication for Web Services – Message Level: WS-Trust / STS, WS-Federation, Signing – X.509 Token Profile with WS-Security, Kerberos Token Profile for WS-Security (diagram labels: Resource, STS)

2006/April

2006/June

2008/2009

2007/Dec

Authorization Patterns: Direct Authorization; Delegated Authorization (ActAs in WS-Trust 1.4)

2005/Feb

Security Solution Patterns – Message Level: Message Interceptor Gateway Pattern, Trusted Subsystem Pattern

Message Level SOAP Security – UsernameToken Profile

Message Level SOAP Security – X.509 Token Profile & Key Referencing
Direct References: a wsse:Reference URI pointing at the BinarySecurityToken (the certificate) carried in the same message.
Key Identifiers: a wsse:KeyIdentifier (e.g. the certificate's SubjectKeyIdentifier) naming a certificate the recipient already holds, so the certificate itself need not travel in the message.

Message Level SOAP Security – Symmetric Binding vs Asymmetric Binding
Asymmetric binding: each party signs with its own private key and encrypts to the other party's certificate, so both sides need a key pair.
Symmetric binding: one symmetric key (carried as an encrypted key or derived from a security context) signs and encrypts in both directions; only the service needs a certificate, used to protect that key.

Message Level SOAP Security – WS-Security
WS-Security secures SOAP: it focuses on message-level security.
Single-message authentication model: each message carries everything necessary to authenticate itself.
Suitable for coarse-grained messaging, where a single message at a time is received from the same requestor; every message pays the full cost of key handling and signature verification.

Message Level SOAP Security – WS-SecureConversation
What SSL/TLS does at the transport level for point-to-point communication, WS-SecureConversation does at the SOAP layer.
Removes the need for each individual SOAP message to carry authentication information.
Establishes a mutually authenticated security context (a Security Context Token) within which a series of messages is exchanged.
The context is bootstrapped by a WS-Trust exchange, typically protected with public-key (asymmetric) security, that establishes a shared secret; from then on the messages use symmetric keys derived from that secret.
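The slides above state that WS-SecureConversation establishes a shared secret once and then protects every message with keys derived from it, which is also what the symmetric binding relies on. The following is an added example, not code from the slides or from WSO2, that implements the two derivations both specs define in terms of the TLS P_SHA1 function: the WS-Trust computed key P_SHA1(EntREQ, EntRES) from the requestor's and issuer's entropy, and the WS-SecureConversation DerivedKeyToken P_SHA1(secret, label + nonce) with the spec's default label. It then shows two messages under one context each getting a fresh per-message key with no asymmetric operation. The HMAC over a raw body stands in for the XML Signature over canonicalised SOAP parts, and the entropy values and bodies are constructed for the example.

```python
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246 section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(requestor_entropy: bytes, issuer_entropy: bytes, key_size_bytes: int) -> bytes:
    """WS-Trust ComputedKey/PSHA1: both sides derive the context secret as
    P_SHA1(EntREQ, EntRES). The entropies travel in the RST/RSTR under the
    bootstrap (asymmetric) protection; neither entropy alone yields the key."""
    return p_sha1(requestor_entropy, issuer_entropy, key_size_bytes)


# Default label for DerivedKeyToken when none is supplied (WS-SecureConversation 1.3 section 7).
SC_LABEL = b"WS-SecureConversationWS-SecureConversation"


def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
                label: bytes = SC_LABEL) -> bytes:
    """WS-SecureConversation DerivedKeyToken: P_SHA1(secret, label + nonce), taking
    `length` bytes starting at `offset`. Each message carries its own nonce so the
    receiver can re-derive the same key without any new key exchange."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def protect(secret: bytes, body: bytes, nonce: bytes = None) -> dict:
    """Sender: fresh nonce -> per-message key -> HMAC-SHA1 over the body.
    (Stand-in for the XML Signature with hmac-sha1 that WS-Security would emit.)"""
    nonce = os.urandom(16) if nonce is None else nonce
    key = derived_key(secret, nonce)
    return {"nonce": nonce, "body": body, "mac": hmac.new(key, body, hashlib.sha1).digest()}


def check(secret: bytes, msg: dict) -> bool:
    """Receiver: re-derive the key from the nonce in the DerivedKeyToken and verify."""
    key = derived_key(secret, msg["nonce"])
    return hmac.compare_digest(hmac.new(key, msg["body"], hashlib.sha1).digest(), msg["mac"])


if __name__ == "__main__":
    # Constructed entropy values standing in for the RST/RSTR wst:Entropy elements.
    ent_req, ent_res = os.urandom(16), os.urandom(16)
    sct_secret = computed_key(ent_req, ent_res, 32)      # both sides compute this once
    for body in (b"<soap:Body>order 1</soap:Body>", b"<soap:Body>order 2</soap:Body>"):
        msg = protect(sct_secret, body)                   # new key per message, no RSA involved
        print(msg["nonce"].hex(), check(sct_secret, msg))  # True, True
```

The point the slides make is visible in the code: once computed_key has run, every later message costs two HMACs per side, and a message signed under a different context (or with a tampered body) is rejected by check without any certificate processing.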

Message Level SOAP Security – WS-Trust
A Security Token Service (STS) issues, renews, validates and cancels security tokens through RequestSecurityToken / RequestSecurityTokenResponse exchanges; it is the building block for brokered authentication at the message level.

Message Level SOAP Security – Sender Vouches Subject Confirmation
The attesting entity (the sender) signs the SAML assertion together with the message; the relying party accepts the subject's identity because it trusts the sender to vouch for it, and the subject itself holds no key.

Message Level SOAP Security – Holder-of-Key Subject Confirmation
The assertion binds a key to the subject (in SubjectConfirmationData) and the sender proves possession by signing the message with that key, so the assertion is useless to anyone who captures it without the key.

Message Level SOAP Security – WS-SecurityPolicy
Declares, in the service's policy (typically attached to the WSDL), which tokens, bindings and protected message parts the service requires, so clients are configured from the policy rather than by hand.