Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak.

Published byMaryam Sias Modified over 9 years ago

Similar presentations

Presentation on theme: "An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak."— Presentation transcript:

1 An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak

2 Agenda Introduction Skeleton SOAP Message SOAP Message Format and Transmission Why Message Layer Security? CIA in MLS Current Problems and Trends Conclusion ???

3 Introduction SOAP 1.1 Simple Object Access Protocol SOAP 1.2 A “wrapper” protocol Written in XML Independent of Platform, OS, Programming Language Independent of the wrapped data Independent of the transport protocol A uni-directional message exchange paradigm Simple and Extensible N4S - http://www.w3schools.com/SOAP/soap_intro.asp http://www.w3schools.com/SOAP/soap_intro.asp

4 Skeleton SOAP Message <soap:Envelope xmlns:soap=http://www.w3.org/2001/12/soap-envelope soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">......... - http://www.w3schools.com/SOAP/soap_intro.asphttp://www.w3schools.com/SOAP/soap_intro.asp SOAP Envelope SOAP Header SOAP Body Header Block... Body Block...

5 Message Transmission Typical Binding - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt Sender Receiver HTTP Request HTTP Body XML Syntax SOAP Envelope SOAP Body SOAP Body Block Textual Integer 0x0b66

6 Uni-directional Exchange Initial Sender Ultimate Receiver Intermediary - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt Intermediary

7 Bi-directional Exchange Series Initial Sender Ultimate Receiver Intermediary - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

8 Remote Procedure Call To invoke a SOAP RPC, the following information is needed: The address of the target SOAP node. The procedure or method name. The identities and values of any arguments to be passed to the procedure or method together with any output parameters and return value. A clear separation of the arguments used to identify the Web resource which is the actual target for the RPC, as contrasted with those that convey data or control information used for processing the call by the target resource. The message exchange pattern which will be employed to convey the RPC, together with an identification of the so-called "Web Method" (on which more later) to be used. Optionally, data which may be carried as a part of SOAP header blocks. - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

9 Example Request Code 5 AB123CD Parthiv Nayak 1234567890123456 123 12/12 - http://www.w3.org/TR/soap12-part0/#L1185http://www.w3.org/TR/soap12-part0/#L1185

10 Example Response Code 5 AB123CD http://www.southwest.com/reservations?code=AB123CD - http://www.w3.org/TR/soap12-part0/#L1185http://www.w3.org/TR/soap12-part0/#L1185

11 Message Layer Security Why do we need another layer of security ? End to end security Transport layer independence Common Infrastructure Security for stored messages

12 Confidentiality with MLS 0rqGM/nMhGNHY0U6ZhbkuPDEpYaqD/nwqtt0iw361RLeVGvJgn37GeNkd aVY+JizNWsqR//TDeOG=

13 Authentication - Digitally signed messages <SOAP-SEC:Signature xmlns:SOAP- SEC=http://schemas.xmlsoap.org/soap/security/ http://schemas.xmlsoap.org/soap/security/ SOAP-ENV:actor="urn:validator" SOAP-ENV:mustUnderstand="1"> MC0CFFrVLtRlk=...

14 Authorization - MLS <SOAP-SEC:Authorization xmlns:SOAP- SEC=http://schemas.xmlsoap.org/soap/security/http://schemas.xmlsoap.org/soap/security/ SOAP-ENV:actor="a URI of an actor“ SOAP-ENV:mustUnderstand="1"> ……

15 Current Problem SOAP uses HTTP,and can transfer binart files HTTP traffic is not blocked by Firewalls Network Security is breached. "SOAP goes through firewalls like a knife through butter." -http://www.prescod.net/rest/security.htmlhttp://www.prescod.net/rest/security.html Possible Solution: Parsing XML data. CPU intensive, and lower performance. Also hard to find patterns because of XML’s dynamic nature.

16 Current Trend Axis 2 – Apache Software Foundation Provides web service engines designed for SOAP and XML with emphasis on security, and modularization. http://ws.apache.org/axis2/1_2/userguide.html#handlessoap

17 Cont… SOAP Security Extensions - W3C Provides SOAP Security Extensions. Currently we have the “SOAP Security Extensions: Digital Signatures” WS-Security (Web Service Security) - OASIS Provides the mechanism for Security tokens within SOAP messages, and also detail the use of Kerberos, X.509 certificate with SOAP.

18 Cont… Current Goal of OASIS ( http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf ): http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf Multiple security token formats Multiple trust domains Multiple signature formats Multiple encryption technologies End-to-end message content security and not just transport-level security The OASIS consortium would come up with the security guidelines, and after an approval/ implementation phases would ratify it as a standard.

19 Conclusion SOAP is new. More standardization required. Needs modularization is security. Going in the right direction.

20 We hope NOT!!! ;-)

Download ppt "An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak."

Similar presentations

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Web Service Architecture

Web Service Architecture
Matthew Kubicina CIS 764 Kansas State University.

Matthew Kubicina CIS 764 Kansas State University.
31242/32549 Advanced Internet Programming Advanced Java Programming

31242/32549 Advanced Internet Programming Advanced Java Programming
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
General introduction to Web services and an implementation example

General introduction to Web services and an implementation example
SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.

SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.
Introduction to WSDL presented by Xiang Fu. Source WSDL 1.1 specification WSDL 1.1 specification –http://www.w3.org/TR/wsdl WSDL 1.2 working draft WSDL.

Introduction to WSDL presented by Xiang Fu. Source WSDL 1.1 specification WSDL 1.1 specification – WSDL 1.2 working draft WSDL.
SOAP.

SOAP.
SOAP. Service Broker Basic SOAP Message Exchange Service Consumer Service Provider http transport SOAP message WSDL describing service SOAP message http.

SOAP. Service Broker Basic SOAP Message Exchange Service Consumer Service Provider http transport SOAP message WSDL describing service SOAP message http.
Apache Axis2 SOAP Primer. Agenda What is SOAP? Characteristics SOAP message structure Header blocks Fault notification Exercises.

Apache Axis2 SOAP Primer. Agenda What is SOAP? Characteristics SOAP message structure Header blocks Fault notification Exercises.
SOAP : Simple Object Access Protocol

SOAP : Simple Object Access Protocol
GROUP 3 Larry Gillis Eric Lam Cindy Lee Calvin Nguyen Evgeni Zlatanov.

GROUP 3 Larry Gillis Eric Lam Cindy Lee Calvin Nguyen Evgeni Zlatanov.
SOAP Overview Simple Object Access Protocol CSCI 7818 - Topics in Software Engineering Web Infrastructure, Services, and Applications

SOAP Overview Simple Object Access Protocol CSCI Topics in Software Engineering Web Infrastructure, Services, and Applications
1 Understanding Web Services Presented By: Woodas Lai.

1 Understanding Web Services Presented By: Woodas Lai.
CIS 375—Web App Dev II SOAP.

CIS 375—Web App Dev II SOAP.
XML in the real world (2) SOAP. What is SOAP? ► SOAP stands for Simple Object Access Protocol ► SOAP is a communication protocol ► SOAP is for communication.

XML in the real world (2) SOAP. What is SOAP? ► SOAP stands for Simple Object Access Protocol ► SOAP is a communication protocol ► SOAP is for communication.
SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.
Topics Acronyms in Action SOAP 6 November 2008 CIS 340.

Topics Acronyms in Action SOAP 6 November 2008 CIS 340.
1 Web Services – Part I CS 236607, Spring 2008/9.

1 Web Services – Part I CS , Spring 2008/9.

Similar presentations

Ads by Google