WEB SERVICE SECURITY
Lecturer: Trần Thị Quế Nguyệt
Students: Trần Trúc Giang, Nguyễn Thị Hòa Bình
Outline
• Web Service Introduction
• XACML
• SAML
• Shibboleth
Web Service Introduction
• Service-Oriented Architecture (SOA)
• Web service definition
• Web Service Description Language (WSDL)
• Simple Object Access Protocol (SOAP)
• Universal Description, Discovery and Integration (UDDI)
Service-Oriented Architecture (SOA)
• W3school.com:
  • SOA is a mechanism that enables organizations to facilitate communication between systems running on multiple platforms.
  • SOA is a collection of well-defined services; each individual service can be modified independently of the other services, helping a business respond to ever-evolving market conditions.
  • SOA presents the big picture of what you can do with web services.
What are Web Services?
• W3C's definition: a software system designed to support interoperable machine-to-machine interaction over a network.
• Web services:
  • are application components
  • communicate using open protocols
  • are self-contained and self-describing
  • can be discovered using UDDI
  • can be used by other applications
• XML is the basis for Web services.
Web services platform elements
• SOAP (Simple Object Access Protocol)
• UDDI (Universal Description, Discovery and Integration)
• WSDL (Web Services Description Language)
SOAP (Simple Object Access Protocol)
• SOAP is an XML-based protocol that lets applications exchange information over HTTP.
• Or, more simply: SOAP is a protocol for accessing a Web Service.
WSDL (Web Services Description Language)
• WSDL is an XML-based language for locating and describing Web services.
• WSDL file (skeleton of a service "TestWS" with one operation "add"; the contents of the collapsed elements are shown as "..."):

<?xml version="1.0" encoding="utf-8" ?>
<definitions xmlns:s="http://www.w3.org/2001/XMLSchema"
             .....
             xmlns="http://schemas.xmlsoap.org/wsdl/">
  <types>...</types>
  <message name="addSoapIn">...</message>
  <message name="addSoapOut">...</message>
  <portType name="TestWSSoap">...</portType>
  <binding name="TestWSSoap" type="TestWSSoap">...</binding>
  <service name="TestWS">...</service>
</definitions>
UDDI (Universal Description, Discovery and Integration)
• UDDI is a directory service where companies can register and search for Web services.
XML Security for Web Services
• The XML Signature specification is a joint effort of W3C and IETF. It aims to provide data integrity and authentication (both message and signer authentication), wrapped inside XML format.
• W3C's XML Encryption specification addresses data confidentiality using encryption techniques. Encrypted data is wrapped inside XML tags defined by the XML Encryption specification.
• WS-Security from OASIS defines the mechanism for including integrity, confidentiality, and single-message authentication features within a SOAP message. WS-Security makes use of the XML Signature and XML Encryption specifications and defines how to include digital signatures, message digests, and encrypted data in a SOAP message.
XML Security for Web Services
• Security Assertion Markup Language (SAML)
• eXtensible Access Control Markup Language (XACML)
XACML
• The eXtensible Access Control Markup Language (XACML) is an XML vocabulary for expressing access control policies.
• Access control consists of deciding whether a requested resource access should be allowed and enforcing that decision.
• Access control policies are the criteria for making access control decisions.
• The XACML core specification defines the syntax of the language and the rules for evaluating policies.
Preferred terms
• Resource: data, service or system component.
• Subject: an actor whose attributes may be referenced by a predicate.
• Action:
  • An operation on a resource.
  • Four kinds of actions: read, write, create, and delete.
• Environment: the set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Preferred terms
• Attribute: a characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
• Context: the canonical representation of a decision request and an authorization decision.
• Context handler: the system entity that converts decision requests from the native request format to the XACML canonical form, and converts authorization decisions from the XACML canonical form to the native response format.
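To make the terms above concrete, here is an added example (not from the slides) of a toy evaluator for a constructed XACML-style policy: subject, resource, action and environment attributes from a request context are matched against rule targets, the rule effects are combined, and a separate enforcement step turns the decision into allow/refuse. Real XACML has many more combining algorithms, matching functions and obligations than this; only deny-overrides is implemented here.

```python
import xml.etree.ElementTree as ET

# Constructed policy for illustration: doctors may read records, and any
# write during after-hours is denied, whatever the subject.
POLICY = """<Policy RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="doctor-read" Effect="Permit">
    <Target>
      <Match Category="subject" AttributeId="role" Value="doctor"/>
      <Match Category="resource" AttributeId="type" Value="record"/>
      <Match Category="action" AttributeId="id" Value="read"/>
    </Target>
  </Rule>
  <Rule RuleId="deny-write-after-hours" Effect="Deny">
    <Target>
      <Match Category="action" AttributeId="id" Value="write"/>
      <Match Category="environment" AttributeId="after-hours" Value="true"/>
    </Target>
  </Rule>
</Policy>"""


def rule_applies(rule, request):
    """A rule applies when every <Match> in its Target is satisfied by the
    request context, a dict of category -> {attribute id -> value}."""
    for m in rule.find("Target"):
        attrs = request.get(m.get("Category"), {})
        if attrs.get(m.get("AttributeId")) != m.get("Value"):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP step: return Permit, Deny or NotApplicable.
    Only the deny-overrides combining algorithm is implemented here."""
    policy = ET.fromstring(policy_xml)
    effects = [r.get("Effect") for r in policy.findall("Rule")
               if rule_applies(r, request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(decision):
    """PEP step: only an explicit Permit opens the door; NotApplicable is refused."""
    return decision == "Permit"
```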
XACML - Advantages
• According to Sun, XACML has a number of advantages over other access-control policy languages:
  • One standard access control policy language can replace dozens of application-specific languages.
  • Administrators save time and money because they don't need to rewrite their policies in many different languages.
  • Developers save time and money because they don't have to invent new policy languages and write code to support them; they can reuse existing code.
XACML - Advantages
• Good tools for writing and managing XACML policies will be developed, since they can be used with many applications.
• XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
• One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
• XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.
XACML - Limitations
• XACML is verbose and complex in some ways.
• Interactions involving PAP, PIP, etc., are not standardized.
• Policy administration, policy versioning, etc., are not standardized.
SAML: Security Assertion Markup Language
Single Sign-on (SSO)
• SSO is a property of access control across multiple related but independent software systems.
• With this property a user:
  • logs in once
  • gains access to all systems without being prompted to log in again at each of them.
Why choose single sign-on?
• Users need to remember multiple usernames and passwords to access different applications on a network.
• This poses a huge cost for the administration and support departments.
• Authentication is a horizontal requirement across multiple applications, platforms, and infrastructures.
Why choose single sign-on?
• The objective of SSO:
  • Allow users access to all applications from one logon.
  • Provide a unified mechanism to manage the authentication of users and implement business rules determining user access to applications and data.
• Benefits include the following:
  • Improved user productivity.
  • Improved developer productivity.
  • Simplified administration.
Implementing SSO requires
• Identity Provider (IdP): the system, or administrative domain, that asserts information about a subject.
• Service Provider (SP): the system, or administrative domain, that relies on information supplied to it by the Identity Provider. It is up to the Service Provider whether it trusts the assertions provided to it.
• Exchanges of authentication and authorization data between an IdP and an SP are effected by means of an XML standard called the Security Assertion Markup Language (SAML).
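The SP's trust decision above is where most SSO mistakes happen, so here is an added example (not from the slides) of the minimum checks a Service Provider makes on a constructed SAML 2.0 assertion: the issuer must be an IdP the SP has chosen to trust, the current time must fall inside the Conditions window, and the SP's own entity ID must be among the audiences. It assumes the assertion's XML Signature was already verified by a signature library before this function is called; that step is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for illustration (ID, times and entity IDs are made up).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.edu</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(s):
    """SAML timestamps are UTC; make them timezone-aware for safe comparison."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now):
    """Return (accepted, detail): detail is the subject NameID on success,
    otherwise the reason for rejection. Signature verification is assumed done."""
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:          # only IdPs the SP decided to trust
        return False, "untrusted issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window"  # stale or replayed assertion
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:          # assertion was meant for another SP
        return False, "wrong audience"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```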
SAML - Introduction
• The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.
• As stated in the SSTC charter, the purpose of the Technical Committee is:
  • to define, enhance, and maintain a standard XML-based framework
  • for creating and exchanging authentication and authorization information.
SAML - Use case
• There are four "drivers" behind the creation of the SAML standard:
  • Limitations of browser cookies
  • SSO interoperability
  • Web Services
  • Federation