Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Problems (and Solutions) for Service Oriented Applications

Published byChastity Ray Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Problems (and Solutions) for Service Oriented Applications"— Presentation transcript:

1 Security Problems (and Solutions) for Service Oriented Applications
Daniel Kulp, Talend November 10, 2011

2 What I Will Cover SOA Security Concerns Types of Security Problems
WS-* Solutions REST Solutions Apache CXF extensions Thoughts for the future

3 My Background J. Daniel Kulp Talend VP - OpenSource Development
ASF Member PMC for CXF, Camel, WebService, Maven, Aries. Committer for ServiceMix

4 SOA Security Concerns Collection of Services that make up a complex application that solves complex problems. Primarily Web Services NOT just SOAP Includes REST Can include other technologies like CORBA, JMS, etc...

5 Security Problems Authentication Authorization Message Protection
Data encryption Signatures Intermediaries Security Tokens Performance

6 WS-* Solutions “Well Defined” (OK: overly complex) specifications
WS-Security WS-SecureConversation WS-SecurityPolicy WS-Trust Etc....

7 WS-Security How to sign SOAP messages to assure integrity.(based on XMLDsig) How to encrypt SOAP messages to assure confidentiality. (based on XML-Enc) How to attach security tokens to ascertain the sender's identity. X.509, Kerberos, UserNameToken, SAML

8 WS-SecurityPolicy Tries to address the “contract” of the Security requirements XML based WS-Policy fragments that describe the Security requirements of the service Contains the information about what needs to be includes, what needs to be signed, what needs to be encrypted, algorithms, etc...

9 WS-Trust Managing Security Tokens Issue, Renew, Cancel, Validate
Support brokering trust relationships STS Consumer Provider Intermediary

10 WS-SecureConversation
Attempt to address the “performance problem” of the WS-Security specifications. XML Signatures and Encryption using strong asymmetric keys is very expensive. WS-SecConv allows for a simpler symmetric key to be used after establishing a “session”. Extends WS-Trust

11 WS-* Addresses most of the security problems (performance may be the exception) Very complex Several “Profiles” defined to attempt to clarify and simplify things

12 REST HTTPS Basic Authentication NTLM/Digest Authentication OAuth
Really, very few “standards”

13 Apache CXF – WS-* Covers the WS-* stuff very well Very well tested
Very actively developed Highly interopable High performance (relative) New in is an Enterprise Ready Security Token Service

14 Apache CXF - REST JAX-RS OAuth 1.0 Flows XML Message Protection
Enveloped Enveloping Detached SAML Auth Header Token in Message Form value

15 Future Work OAuth 2.0 Single Sign-On / SAML
SAML for Bearer token in OAuth 2.0 flows Performance (Streaming) WS-Federation for SSO Apache Fediz proposal to the Incubator

16 More Information CXF - http://cxf.apache.org
Distribution contains several security samples Talend – Talend ESB has several examples and webinars covering security topics Blogs Colm - Glen - Sergey -

17 Contact Daniel Kulp dkulp@apache.org http://dankulp.com/blog
@DanKulp on Twitter

Download ppt "Security Problems (and Solutions) for Service Oriented Applications"

Similar presentations

cetis Really Complex Web Service Specifications Scott Wilson.

cetis Really Complex Web Service Specifications Scott Wilson.
CS651/551 Federated Trust Systems Alfred C. Weaver

CS651/551 Federated Trust Systems Alfred C. Weaver
Francisco Gonzalez Mario Rincon.  Apache CXF is an open source services framework.  CXF helps you build and develop services using frontend programming.

Francisco Gonzalez Mario Rincon.  Apache CXF is an open source services framework.  CXF helps you build and develop services using frontend programming.
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
ServiceMix future Jean-Baptiste Onofré, Talend 2011-11-10.

ServiceMix future Jean-Baptiste Onofré, Talend
Enterprise SOA, Apache Style Hadrian Zbarcea (Talend) - Daniel Kulp (Talend) – 2011-11-10.

Enterprise SOA, Apache Style Hadrian Zbarcea (Talend) - Daniel Kulp (Talend) –
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.

Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.
Web services security I

Web services security I
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Security COMP6017 Topics on Web Services Dr Nicholas Gibbins – 2012-2013.

Security COMP6017 Topics on Web Services Dr Nicholas Gibbins –
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

Similar presentations

Ads by Google