SOA Security

Dr. Yuhong Yan


Content

  • Security Issues overview

  • Security for SOA

Reference: R. Kanneganti and P. Chodavarapu, “SOA Security”, Manning, 2008


Security Issues Overview

  • Authentication

  • Authorization

  • Data confidentiality

  • Data integrity and nonrepudiation

  • Protection against attacks

  • Privacy protection


New Security Approaches for SOA

  • Besides the following issues

    • Authentication

    • Authorization

    • Data confidentiality

    • Data integrity and nonrepudiation

    • Protection against attacks

    • Privacy protection

  • SOA has three new security approaches

    • Message-level security

    • Security as a service

    • Policy-driven security


Authentication

Verifying the identity of users


Traditional Authentication Strategy

  • The application is responsible for examining the evidence and validating it

    • A directory server that records all the user-password pairs

    • An algorithm that compares the number presented by the user with the number currently shown on the user's RSA token


Authentication Strategy in SOA


Authorization

Determine whether the identified user is authorized to access the functionality

  • Another name: access control

  • Compare authentication and authorization

    • Authentication: your photo ID

    • Authorization: are you allowed to buy a drink?


Traditional Authorization Strategy

  • The application is responsible for authorization; some of the information it uses is held in a directory server or a configuration repository

    • Access control models

      • Role-based Access Control

      • Access Control List (rules)


Authorization Strategy in SOA

  • The composite application cannot hard-code the authorization function

  • The individual services in the composite application have to do this


Data Confidentiality

Data exchanged over a network needs to be safeguarded

  • Traditional strategy to ensure data confidentiality

    • Encryption

    • Establish a secure channel

      • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)


Data Confidentiality Protection Strategy in SOA

  • Encryption

  • Establish a secure channel

    • SSL/TLS

  • Different recipients process different parts of the message

[Figure: one message to ACME carrying two parts, “My order” and “My acct info”; the account-information part is meant for the bank (“To bank: Acct info”), not for ACME]


Data Integrity and Nonrepudiation

Verify that the message received is what the sender sent; the sender should not be able to deny having sent a message

  • SSL/TLS also helps in verifying the integrity and ensuring nonrepudiation

  • SSL/TLS can be used for SOAP transport

    • Blanket encryption

  • Selective encryption is also possible


Protection Against Attacks

  • Vulnerabilities in application code

    • SQL code

  • Vulnerabilities introduced by poor administrative practices

    • The default password

  • Vulnerabilities inherent in the computing/network infrastructure

    • TCP/IP


Traditional Strategy for Protection Against Attacks

  • Use a firewall

  • Run applications within sandboxes

  • Carefully audit application code

  • Use intrusion detection systems


Strategy for Protection against Attacks in SOA

  • Vulnerable to denial of service (DoS) attacks

  • No further discussion in this course


Privacy Protection

Avoid leakage of users’ private information

  • Flaws in access control rules

    • Who can access sensitive data

  • Vulnerabilities exploited by attackers

    • Inject SQL that queries sensitive data


Strategy for Privacy Protection

  • Enhance security

    • Remove the vulnerabilities

  • Hold back real identities

  • Protect the patterns associated with sensitive data

  • No more discussion in this course


Extending SOAP with Headers for Security


Inside SOAP

  • SOAP message

    • Envelope (required)

      • Header (optional)

        • Header Entry 1 … Header Entry n

      • Body (required)

        • Fault (optional)


Header

  • Used for authentication, authorization, transaction management, and routing

  • Standard extensions

  • Customized extensions


Standard header entry attributes

  • Who should deal with the header entry?

    • actor attribute: e.g. a URI

    • The chained nodes: intermediaries

  • What do we do with the header entry?

    • mustUnderstand attribute: true /false

    • Forces the recipient to process the element; if the recipient cannot understand it, it must return a fault

  • How do we parse the data in the header entry?

    • encodingStyle attribute: e.g. XML Schema


An Example for Header

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" …>
  <SOAP-ENV:Header>
    <ns1:PaymentAccount xmlns:ns1="urn:ecerami"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
        SOAP-ENV:mustUnderstand="true"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      orsenigo473
    </ns1:PaymentAccount>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>…</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Fault

  • faultCode

    • SOAP-ENV:VersionMismatch

    • SOAP-ENV:MustUnderstand

    • SOAP-ENV:Client (non existing methods)

    • SOAP-ENV:Server (not able to access DB)

  • faultString

  • faultActor

  • Detail info about the fault


Fault: An Example

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema">
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode xsi:type="xsd:string">SOAP-ENV:Client</faultcode>
      <faultstring xsi:type="xsd:string">
        Failed to locate method (ValidateCreditCard) in class
        (examplesCreditCard) at /usr/local/ActivePerl-5.6/lib/
        site_perl/5.6.0/SOAP/Lite.pm line 1555.
      </faultstring>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

P55. xml part (for faults)


WS-Security: Standard Extension for Security


Security Header: security claims

  • “My name is X.”

  • “X is authorized to access this resource.”

  • “This message is signed by X.”

  • “This message is encrypted using X’s public key.”


An Example for Security Header

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" …>
  <SOAP-ENV:Header>
    <wsse:Security …>
      <wsse:UsernameToken wsu:Id="1">
        <wsse:Username>
          <xenc:EncryptedData> … </xenc:EncryptedData>
        </wsse:Username>
        <wsse:Password>
          <xenc:EncryptedData> … </xenc:EncryptedData>
        </wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  …
</SOAP-ENV:Envelope>


Fault Code


Programming on security headers

  • The pattern of handler in JAX-RPC

    • Compose the elements in headers

  • The chained handlers

    • Axis Web service deployment description (.wsdd)
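The header rules from the earlier slides (actor, mustUnderstand, the SOAP-ENV:MustUnderstand fault code) and the chained-handler pattern just described, worked through in a small added Python example that is not code from the slides, the book or Axis. It assumes this node's own URI is the example6 service address used elsewhere in the deck, uses the WS-Security 1.0 secext namespace for the wsse:Security entry, and registers one handler for that entry only:

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
NODE_URI = "http://localhost:8080/axis/services/example6"  # assumed: this node's own URI
ET.register_namespace("SOAP-ENV", SOAP_ENV)  # so generated faults use the SOAP-ENV prefix

def handle_security(entry):  # handler for wsse:Security: extract the claimed user name
    user = entry.find(f".//{{{WSSE}}}Username")
    return {"user": user.text.strip()} if user is not None and user.text else {}

# The handler chain: one handler per header-entry QName this node understands.
HANDLERS = {f"{{{WSSE}}}Security": handle_security}

def targeted_at_me(entry):
    # No actor, the 'next' actor, or our own URI all mean this node must process the entry.
    return entry.get(f"{{{SOAP_ENV}}}actor") in (None, "", ACTOR_NEXT, NODE_URI)

def process_headers(xml_text):
    """Return ("ok", claims) or ("fault", faultcode) for one SOAP 1.1 envelope."""
    header = ET.fromstring(xml_text).find(f"{{{SOAP_ENV}}}Header")
    claims = {}
    for entry in (list(header) if header is not None else []):
        if not targeted_at_me(entry):
            continue  # leave it untouched for a later node in the chain
        mandatory = entry.get(f"{{{SOAP_ENV}}}mustUnderstand", "0") in ("1", "true")
        handler = HANDLERS.get(entry.tag)
        if handler is None:
            if mandatory:  # fail closed: a mandatory entry we cannot process is a fault
                return "fault", "SOAP-ENV:MustUnderstand"
            continue  # optional entries we do not know are simply ignored
        claims.update(handler(entry))
    return "ok", claims

def fault_envelope(faultcode, faultstring):
    """Build the SOAP 1.1 Fault reply in the shape shown on the slides."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Body"), f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = faultcode
    ET.SubElement(fault, "faultstring").text = faultstring
    return ET.tostring(env, encoding="unicode")

# Constructed sample: a Security entry we understand plus the slides' PaymentAccount entry, mandatory, addressed to us, unknown.
SAMPLE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Header>
 <wsse:Security xmlns:wsse="{WSSE}" SOAP-ENV:actor="{ACTOR_NEXT}"><wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>
 <ns1:PaymentAccount xmlns:ns1="urn:ecerami" SOAP-ENV:mustUnderstand="1"
  SOAP-ENV:actor="{NODE_URI}">orsenigo473</ns1:PaymentAccount>
</SOAP-ENV:Header><SOAP-ENV:Body/></SOAP-ENV:Envelope>"""
```

process_headers(SAMPLE) returns ("fault", "SOAP-ENV:MustUnderstand") because the PaymentAccount entry is mandatory for this node but no handler exists for it; with the mustUnderstand attribute removed, or the entry addressed to another actor, it returns ("ok", {"user": "alice"}).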


Intermediaries and WS-Addressing

[Figure: a message travels from the source through intermediary nodes (interm1, …) to the destination; the WS-Addressing header entries below name where it is going and which action it requests, while the wsse:Security entry is targeted at one specific actor]

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" …>
  <SOAP-ENV:Header>
    <was:To xmlns:was="…/ws/2004/08/addressing">
      http://localhost:8080/axis/services/example6
    </was:To>
    <was:Action xmlns:was="…/ws/2004/08/addressing">
    </was:Action>
    <wsse:Security SOAP-ENV:actor="…">
    </wsse:Security>
  </SOAP-ENV:Header>
  …
</SOAP-ENV:Envelope>

