1 / 37

Web Services Security Patterns , Practices & Threats

Explore the evolution of security patterns and best practices in web services with industry expert Prabath Siriwardena. This session delves into the implementation of various authentication models such as SAML2 Web SSO, OAuth, and WS-Security. Gain insights into recurring security challenges and solutions such as mutual authentication, direct authentication, and the use of security tokens. Learn how these frameworks address issues related to message level security, secure conversations, and the establishment of authenticated contexts for efficient information exchange.

violet
Download Presentation

Web Services Security Patterns , Practices & Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services SecurityPatterns, Practices&Threats Prabath Siriwardena – Software Architect, WSO2

  2. Plan for the session Patterns Standards Implementations

  3. Recurring Problems

  4. 1995 1997

  5. 1999

  6. 2004

  7. 2005 SAML2 Web SSO

  8. 2008/May

  9. Direct Authentication for Web Services Basic Authentication Mutual Authentication Transport Level 2-legged OAuth

  10. Direct Authentication for Web Services UsernameToken Profile with WS-Security Message Level Signing – X.509 Token Profile with WS-Security

  11. Brokered Authentication for Web Services Mutual Authentication Transport Level 2-legged OAuth

  12. Brokered Authentication for Web Services WS-Trust / STS Resource STS WS-Federation Message Level Signing – X.509 Token Profile with WS-Security Kerberos Token Profile for WS-Security

  13. 2006/April

  14. 2006/June

  15. 2008/2009

  16. 2008/2009

  17. 2008/2009

  18. 2007/Dec

  19. 2007/Dec

  20. ActAs in WS-Trust 1.4

  21. 2005/Feb

  22. Security Solution Patterns Message Interceptor Gateway Pattern Message Level Trusted Sub System Pattern

  23. SOAP Security UsernameToken Profile Message Level

  24. SOAP Security Key Identifiers X.509 Token Profile & Key Referencing Message Level Direct References

  25. SOAP Security Symmetric Binding Vs Asymmetric Binding Message Level

  26. SOAP Security • WS-Security secures SOAP – focuses on message level security • Focuses on a single message authentication model • Each message contains everything necessary to authenticate it self • Suitable for a coarse grained messaging in which a single message at a time from the same requestor is received Message Level WS – Secure Conversation

  27. SOAP Security • What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer • Removes the need of individual SOAP message carrying authentication information. • Establishes a mutually authenticated security context in which a series of messages are exchanged. • Uses public key encryption to exchange a shared secret and then onwards uses the shared key Message Level WS – Secure Conversation

  28. SOAP Security WS-Trust Message Level

  29. SOAP Security Message Level Sender Vouches – Subject Confirmation

  30. SOAP Security Holder-of-Key – Subject Confirmation Message Level

  31. SOAP Security WS-Security Policy Message Level

  32. prabath@wso2.com Thank You…!!!

More Related