Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using WSS4J and Axis to Secure Web Services in the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc.

Published byMaximillian Chapman Modified over 9 years ago

Similar presentations

Presentation on theme: "Using WSS4J and Axis to Secure Web Services in the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc."— Presentation transcript:

1 Using WSS4J and Axis to Secure Web Services in the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc.

2 Agenda Introduction Part 1 – Web Services Security Implementation for the Government’s Horizontal Fusion Program Part 2 – Web Services Security for a Not-To- Be-Named Current Government Program Part 3 – Resources, code, etc.

3 Introduction Kevin T. Smith –Director of SOA & Semantics Security Team (S3T) at McDonald Bradley –Focused on Information Assurance & SOA Author/Co-Author of Several Technology Books and Articles Contact Info: –ksmith@mcdonaldbradley.com orksmith@mcdonaldbradley.com –kevintsmith@comcast.netkevintsmith@comcast.net

4 Part 1: Horizontal Fusion

5 What is Horizontal Fusion (HF)? From Web Site (http://www.horizontalfusion.dtic.mil/) :http://www.horizontalfusion.dtic.mil/ –“As an award-winning effort consistent with the goals and guidance for military transformation, Horizontal Fusion has been organized to focus technology on the information-sharing challenges of net-centric warfare and to demonstrate innovation and benefit quickly…” military transformationnet-centric –“Horizontal Fusion deploys web-services to leverage existing and emerging technologies in a secure environment.” From A Technology Perspective: –Lots of Data, Everything exposed as web services –Large amount of data, many participants, large amount of services –Much web service chaining, federated search capabilities –Government requirements mandated very strong security

6 HF Technology History 2003 – Initial Phase, Deployment of Many Web Services 2004 - Developed Security Toolkit using Apache WSS4J & Apache Axis handlers –Done for Axis 1.1 and 1.2 –Used WSS4J “snapshot” at that point + OpenSAML (updated WSS4J in early ’05) 2004-Present : In Production

7 HF Message Format: NCES Security SOAP Messaging Net-Centric Enterprise Services http://www.disa.mil/main/prodsol/cs_nces.html

8 Use of SAML for Access Control For Message Requests: –Security Roles of the User is sent in SAML in the SOAP Header –The Clearance of the Subject is sent in SAML –The Security Label of the Subject’s Request is also in SAML For Message Responses: –The Security Label of the Response is set by the Web Service –The Server Handler Response Controls Access Based On The Label That Was Returned By the Web Service –If Label is Authorized for User, Server Handler Creates The Return Message, entering Security Label of the Message, and Digitally Signing The Message Before It is returned to the Requester Authentication Statement Subject Clearance Attribute Statement Subject Message Label Attribute Statement Subject Security Roles Attribute Statement SAMLAssertion Subject Message Label Attribute Statement SAMLAssertion In Request: In Response:

9 Back to Message Format: Use of SAML for Access Control -If SAML contains attributes And local policy is expressed, “local” PDP was used -If SAML contains only identity, “central” PDP was used

10 About Our Use of Axis Handlers Security Handlers create secure messages –A Client Handler (on request) adds a WS-Security Header with a SAML Assertion on behalf of a subject (the user) (Client RequestFlow) –A Server Handler (on response) creates a WS-Security Header on behalf of the Web Service (Server Response Flow) Security Handlers validate messages –A Server Handler (on request) validates a web service message, can control access by role – before the web service is called (Server RequestFlow) –A Client Handler (on response) validates the message created by the web service (Client Response Flow) Web Service Client Handler Server Handler Web Service

11 Web Service Client Requests WS Client creates a “SecurityInfo” object and places it in the MessageContext for Apache Axis to use –SecurityInfo object contains information about the Message being sent and the Subject for which the message is being sent –Simple Example of Instantiating SecurityInfo: –Examples of Passing the information to Axis: javax.xml.rpc.Call call = vs.createCall(new QName(NS,port), "getVersion"); call.setProperty("SECURITY_INFO", sinfo) System.out.println(call.invoke(null)); VersionServiceLocator vsl = new VersionServiceLocator(); Stub stubby = (Stub)vsl.getVersion(); stubby._setProperty("SECURITY_INFO", sinfo); Version v = (Version)stubby; System.out.println(v.getVersion()); SecurityInfo sinfo = new SecurityInfo("cn=Kevin T. Smith, o=McDonald Bradley, c=US"); sinfo.addRole("user.operator"); sinfo.addRole("user.analyst"); sinfo.addSubjectClearanceDataItem("S"); sinfo.addSubjectCitizenshipDataItem("USA"); sinfo.addMessageClassificationDataItem("S"); WS Client

12 Axis Client Request Flow Client Handler intercepts the message as part of the Axis Handler Chain Client Handler pulls the SecurityInfo object from the MessageContext –SecurityInfo = (SecurityInfo)messageContext.getProperty(“SECURITY_INFO”); Client Handler builds the WS-Security Header with WSS4J –Adds unique MessageId –Adds Timestamp –Adds SAML Assertion with data from SecurityInfo object. –Signs MessageId, Timestamp, SAML Assertion, and Message Body with certificate to create NCES Security-Compliant Message WS Client Handler

13 Axis Server Request Flow Server Handler intercepts the request message as part of the Axis Handler chain Access Control: –Calls a service to check revocation status of certificate –Validates the signatures on the message –Verifies the Timestamp is within a configurable window & verifies that messageID has not been previously used to prevent replay attack –Determines if Subject can access this Service, based on attributes in SAML assertion & locally expressed policy, or via a call to Policy Service –If any of these fail, throws a SOAP fault Creates a SecurityInfo object from the SAML assertion passed in Web Service gets the message WS Client Handler Server Handler WS

14 Axis Server Response Flow After processing the request, Web Service creates a SecurityInfo object for the label of the data and places it in the MessageContext before sending the response message. Axis Server Handler intercepts the message as part of the Axis Handler chain. –Determines if the message contains a SOAP Fault. If so, it stops processing –It creates a NCES Secure message, but the SAML assertion now has the label of the data (no user information) Server Handler WS Client Handler

15 Client Response Flow Response from server is intercepted by the Client Handler as part of the Axis Handler chain If SOAP Fault is found in the message no authentication of message is done Calls a service to check revocation status of certificate Signature on MessageId, Timestamp, SAML Assertion, and Message body is verified. MessageId uniqueness is verified. Timestamp is validated against allowed window. Message is returned to client for processing. Server Handler WS Client Handler

16 Common Usage Example Server Handler Portal 1. Client Handler 3. 5. 2. 17. 18. 20. CVS 4. IFIS 6. 7. Client Handler 8. Server Handler 11. PDS 10. 9. SWS Provider 12. 13. 14. 16. CVS 15. 19.

17 Use of WSS4J in Axis Handlers Original development in 2004, used it with OpenSAML (it wasn’t a part of it back then) Didn’t use WSS4J handlers, but used WSS4J objects with DOM manipulation to create security messages & validate them: /* Create a WS-Security header in original document*/ Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants); /* Add more stuff to security header.. (left out for brevity)*/ /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/ /* Now, sign parts.. */ Vector signParts = new Vector(); WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); signParts.add(samlP); WSSignEnvelope signer = new WSSignEnvelope(); signer.setKeyIdentifierType(m_keyid); signer.setUserInfo(alias, pass); signer.setParts(signParts); Document signedDoc = signer.build(originalDoc, sloader.getCrypto()); /* On validate.. */ WSSecurityEngine engine = new WSSecurityEngine(); engine.processSecurityHeader(doc, null, null, crypto);

18 Web Service Approach to Labels and Mandatory Access Control MAC enforcement functionality at the Handler Level On Request: –Authenticating Web Service Client sets clearance and citizenship of user and security label of message –Client Handler adds this to the message before signing It –Web Service Server Handler controls access based on message label, security label – based on “high water mark” of intended web service –Web Service, before it responds, can set a security label on response message On Response: –Server Handler gets security label of message from WS returning data –Server Handler controls label access based on user’s clearance, and the security label of message –Server Handler creates message with label –Client Handler validates message –Web Service Client Gets Response

19 Use of WSS4J in Axis Handlers Original development in 2004, used it with OpenSAML (it wasn’t a part of it back then) Didn’t use WSS4J handlers, but used WSS4J objects with DOM manipulation to create security messages & validate them: /* Create a WS-Security header in original document*/ Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants); /* Add more stuff to security header.. (left out for brevity)*/ /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/ /* Now, sign parts.. */ Vector signParts = new Vector(); WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); signParts.add(samlP); WSSignEnvelope signer = new WSSignEnvelope(); signer.setKeyIdentifierType(m_keyid); signer.setUserInfo(alias, pass); signer.setParts(signParts); Document signedDoc = signer.build(originalDoc, sloader.getCrypto()); /* On validate.. */ WSSecurityEngine engine = new WSSecurityEngine(); engine.processSecurityHeader(doc, null, null, crypto);

20 Original Code on HF Web Site Code with ANT build, examples, sample keystores was put on government site in 2004 http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip

21 Part 2: Use of WSS4J & Axis In Current Gov’t Program

22 Security Architecture Mutual SSL authentication between browser and web application to authenticate user identity 2-way SSL between web application and web services to assert message sender identity X.509 Certificate in WS- Security header used to assert user identity WS using another security framework on back-end, but needed something on client side: Tomcat & Axis & WSS4J

23 A Glance at Axis/WSS4J Code //In Servlet/JSP code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); //.. //Put that in the property Axis uses VersionServiceLocator vsl = new VersionServiceLocator(); Stub stubby = (Stub)vsl.getVersion(); stubby._setProperty("CLIENT_CERT", certs[0]); //passes in the X509Certificate object Version v = (Version)stubby; System.out.println(v.getVersion()); //In client request handler: X509Certificate cert = (X509Certificate)inoutContext.getProperty("CLIENT_CERT"); /* Make a binarySecurityToken element */ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); Document doc = builder.newDocument(); org.apache.xml.security.Init.init(); X509Security binaryToken = new X509Security(doc); binaryToken.setX509Certificate(cert); /* Now create a WS-Security Header, and put the Binary Token Under It */ WSSecHeader wsh = new WSSecHeader(); wsh.setMustUnderstand(false); Element e = wsh.insertSecurityHeader(origDoc); Node dup = origDoc.importNode(binaryToken.getElement(), true); e.appendChild(dup); Message newMsg = (Message)toSOAPMessage(origDoc); inoutContext.setRequestMessage(newMsg);

24 Conclusion We found that WSS4J and Apache Axis were easy to use to build a complex Web Services Security Solution Interoperability issues – –Originally (in early 2004) WS-Security namespace changes made interoperability difficult –Now, no such problems – interoperates with.NET solutions, and Axis client handler with WSS4J in current project interoperates well with BEA weblogic ALSB security subsystem.

25 Questions?

Download ppt "Using WSS4J and Axis to Secure Web Services in the U. S. Government Kevin T. Smith Technical Director, McDonald Bradley Inc."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
X.509 Certificate management in.Net By, Vishnu Kamisetty

X.509 Certificate management in.Net By, Vishnu Kamisetty
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
1 © Talend 2014 Service Registry / WS-Policy Registry Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 Service Registry / WS-Policy Registry Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Exchange Network Node Help Desk NOLA Conference Feb 9-10, 2004.

Exchange Network Node Help Desk NOLA Conference Feb 9-10, 2004.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Pragmatic XML security Hans Granqvist, ApacheCon 2005.

Pragmatic XML security Hans Granqvist, ApacheCon 2005.
A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.

A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.
Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Similar presentations

Ads by Google