Web Service Security Through A Guard - PowerPoint PPT Presentation
Presentation Transcript

Web Service Security Through A Guard

Roxanne Yee

Home Institution: University of Hawaiʻi at Mānoa

Internship Site: Akimeka, LLC

Mentor: Marc Lefebvre

Advisor: Todd Lawson

Presentation Overview
  • Project Hierarchy and Motivation
  • Background and Terminology
    • Guard
    • Web Service Security
  • My Specific Part
  • Test Bench
  • An Example
  • Questions
  • Information Assurance (IA) Group
    • Cross Domain Solutions (CDS) Group
      • GWSG (Global Web Services Gateway) Project
        • Service Oriented Architecture (SOA) Test Lab
  • Customers
    • National Security Agency (NSA)
    • Defense Information Systems Agency (DISA)
GWSG Project Motivation
  • Goal
    • To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network

[Diagram: Classified Network User accessing an Unclassified Database]
GWSG Project Motivation
  • One Method Currently Used To Access Data

[Diagram: Classified Database, Unclassified Database, Classified Network User (Soldier), Sneaker-net]
GWSG Project Motivation
  • Disadvantages to Current Methods
    • Redundancies of Data
    • Time Costly
      • Replication
      • Transportation
    • Need For Data Synchronization
      • Frequent Updates
    • No Guarantee of Data Availability
    • Extra Manpower by Man-In-The-Loop
GWSG Project Motivation
  • New Cross Domain Solution (CDS)
    • Web Services Technology

[Diagram: Unclassified Database, Guard, Classified Network User (Soldier)]

SOA Test Lab Component
  • Goal
    • Evaluate Guards Specified by NSA and DISA
      • Compare capability and effectiveness to process message formats used by web services today
    • Provide the best guard solution given a specific situation in which the guard would be applied
My Part In The SOA Test Lab
  • Research and Document How To Implement Web Service Security
    • Controlled and Predictable Environment
    • Test Web Service
  • Findings To Be Used In SOA Test Lab
    • Foundation
    • Template
WSS, SOAP, and HTTP
  • WSS or WS-Security (Web Service Security)
    • OASIS (Organization for the Advancement of Structured Information Standards)
    • Applied to SOAP Messages
  • SOAP (Simple Object Access Protocol)
    • Message Format
  • HTTP (Hypertext Transfer Protocol)
    • Transport Protocol
The Project: Test Bench
  • Client and Server on same computer
  • Communicate through localhost interface

[Diagram: Client (soapUI) and Server (Axis2) exchanging a SOAP Request and SOAP Response]

The Project: Open-Source Software
  • Server Side
    • Tomcat 6.0.16
      • Axis2 1.4
        • Rampart 1.4
  • Client Side
    • soapUI 2.0.2
The Project: Test Bench
  • Client and Server on same computer
  • Communicate through localhost interface

[Diagram: Client (soapUI) sending a SOAP Request with WSS to Server (Axis2)]

soapUI Outgoing Configuration

Interface Used to Apply WSS to Request To Server

A SOAP Message Request w/o WSS

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>

The usual request soapUI sends, without WSS (note the empty Header element).

A SOAP Message Request Header with WSS

<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527" xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

Additional WSS information applied to the usual soapUI request: the wsse:Security header carries a UsernameToken with a plaintext (PasswordText) password, and mustUnderstand="true" requires the server to process it or fault.
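To show what the server side of this exchange actually checks, here is an added Python example (not code from the presentation or from Rampart) that parses a request of the shape above, applies a UsernameToken (PasswordText) check against a constructed stand-in for the sample's PWCBHandler password callback, honours an optional wsu:Timestamp expiry, and either echoes param0 or reports a fault reason. The user table, the make_request builder and the fault strings are assumptions of this example; the namespace URIs are the standard OASIS ones the page abbreviates with "…".

```python
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the soapUI request and the WS-Security UsernameToken header
SOAP = "http://www.w3.org/2003/05/soap-envelope"
SAM = "http://sample01.policy.samples.rampart.apache.org"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
# Constructed stand-in for the sample's PWCBHandler password callback (hypothetical users)
USERS = {"alice": "alicePW", "bob": "bobPW"}

def _iso(s):  # wsu timestamps are ISO 8601 in UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def handle_echo(envelope_xml, now=None):
    """Apply the UT policy: echo param0 if the token checks out, else return a fault reason."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    # We process the Security header ourselves, so its mustUnderstand="true" is satisfied
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return {"ok": False, "fault": "missing wsse:Security header"}
    # A Timestamp is optional under this policy, but if present it must not have expired
    exp = sec.find(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    if exp is not None and _iso(exp.text) <= now:
        return {"ok": False, "fault": "timestamp expired"}
    tok = sec.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return {"ok": False, "fault": "missing UsernameToken"}
    user = tok.findtext(f"{{{WSSE}}}Username", "")
    pwd = tok.find(f"{{{WSSE}}}Password")
    if pwd is None or pwd.get("Type") != TEXT:  # only PasswordText is handled here
        return {"ok": False, "fault": "unsupported password type"}
    # Unknown users and wrong passwords get the same fault; the comparison is constant-time
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), (pwd.text or "").encode()):
        return {"ok": False, "fault": "authentication failed"}
    body = root.find(f"{{{SOAP}}}Body")
    return {"ok": True, "user": user, "echo": body.findtext(f".//{{{SAM}}}param0", "")}

def make_request(user, password, message, expires=None):
    """Constructed soapUI-style request (values are not XML-escaped; test input only)."""
    ts = f"<wsu:Timestamp><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>" if expires else ""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:sam="{SAM}">
 <soap:Header><wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">{ts}
  <wsse:UsernameToken><wsse:Username>{user}</wsse:Username><wsse:Password Type="{TEXT}">{password}</wsse:Password></wsse:UsernameToken>
 </wsse:Security></soap:Header>
 <soap:Body><sam:echo><sam:param0>{message}</sam:param0></sam:echo></soap:Body></soap:Envelope>"""
```

Calling handle_echo(make_request("alice", "alicePW", "Hi!")) echoes the message, while a wrong password, an unknown user, or an expired Timestamp yields a fault dictionary, which mirrors the valid/invalid UsernameToken outcomes in the example slides.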

The Project: Test Bench
  • Client and Server on same computer
  • Communicate through localhost interface

[Diagram: Server (Axis2) returning a SOAP Response with WSS to Client (soapUI)]

services.xml Without Rampart

<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing" />
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>

The usual configuration scheme for a service on the server.

services.xml with Rampart

<module ref="rampart" />
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>
          org.apache.rampart.samples.policy.sample01.PWCBHandler
        </ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Additional configuration that tells Rampart what type of WSS to expect: the policy requires a UsernameToken on every request, and the password callback class supplies the password to check it against.

The Project: Test Bench
  • Client and Server on same computer
  • Communicate through localhost interface

[Diagram: Client (soapUI) and Server (Axis2) exchanging SOAP Messages with WSS]

The Project: Ultimate Purpose

[Diagram: Classified and Unclassified sides separated by XML Firewall, Guard, XML Firewall; legend: SOAP over HTTP with WSS, and Proprietary Format over Proprietary Protocol; the test bench Client (soapUI) and Server (Axis2) communicate over localhost]

WSS Mechanisms Attempted
  • User Name Token
    • Username and Password
  • Timestamp
    • Time to Live
  • Encryption
    • Confidentiality
  • Signature
    • Integrity and Authentication
An Example: Test Web Service

[Diagram: Client sends "Hi!", Server replies "Hi!"]

An Example: Valid User Name Token

[Diagram: Client sends correct Username and Password, Server replies with Echo]

An Example: Invalid User Name Token

[Diagram: Client sends incorrect Username and/or Password, Server replies with Error]

Acknowledgements

VP Operations: Matt Granger
Program Manager: Todd Lawson
Mentor: Marc Lefebvre
GWSG: Bryan Berkowitz, Casey McGinty, Scott Oshita, Christopher Paris, Derek Terawaki
Helpful Coworkers: Conrado Cortez, Deanna Garcia, Mark Mizubayashi
Former Cubiclemates: Ellen Federoff, Kelly Ledford

And Everyone Else Who Made Me Feel Welcome!

Acknowledgements

Maui Akamai Internship Program

Funding
  • Center for Adaptive Optics (CfAO)
    • National Science Foundation and Technology Center Grant (#AST-987683)
  • Akamai Workforce Initiative
    • National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699)
    • University of Hawaiʻi Grant

Program Staff: Lisa Hunter, Lani LeBron, Scott Seagroves, Lynne Raschke
Short Course Instructors: Dave Harrington, Ryan Montgomery, Isar Mostafanezhad, Mark Pitts, Sarah Sonnet

And Everyone Else Who Contributed To This Valuable Experience!


Thank you!

Any Questions?