Web Services Security Patterns , Practices & Threats

Post on 23-Feb-2016


Web Services Security Patterns , Practices & Threats. Prabath Siriwardena – Software Architect, WSO2. Plan for the session. Patterns. Standards. Implementations. Recurring Problems. 1995. 1997. 1999. 2004. 2005. SAML2 Web SSO. 2008/May. Direct Authentication for Web Services. - PowerPoint PPT Presentation

Transcript of Web Services Security Patterns , Practices & Threats

Web Services Security Patterns, Practices & Threats

Prabath Siriwardena – Software Architect, WSO2

Plan for the session

Patterns

Standards

Implementations

Recurring Problems

Patterns

Authentication Patterns

Confidentiality Patterns

Authorization Patterns

Timeline: 1995, 1997, 1999, 2004, 2005 (SAML2 Web SSO), 2008/May

Authentication Patterns

Direct Authentication

Brokered Authentication

Basic Authentication

Mutual Authentication

2-legged OAuth

Direct Authentication for Web Services

Transport Level

UsernameToken Profile with WS-Security

Signing – X.509 Token Profile with WS-Security

Direct Authentication for Web Services

Message Level

Mutual Authentication

2-legged OAuth

Brokered Authentication for Web Services

Transport Level

WS-Trust / STS

WS-Federation

Brokered Authentication for Web Services

Message Level

Signing – X.509 Token Profile with WS-Security

Kerberos Token Profile for WS-Security

Resource STS

Timeline: 2006/April, 2006/June, 2007/Dec, 2008/2009

Authorization Patterns

Direct Authorization

Delegated Authorization


ActAs in WS-Trust 1.4

2005/Feb

Message Interceptor Gateway Pattern

Trusted Subsystem Pattern

Security Solution Patterns

Message Level

UsernameToken Profile

SOAP Security – Message Level

X.509 Token Profile & Key Referencing

SOAP Security – Message Level

Key Identifiers

Direct References

Symmetric Binding Vs Asymmetric Binding

SOAP Security – Message Level

• WS-Security secures SOAP – focuses on message level security

• Focuses on a single message authentication model

• Each message contains everything necessary to authenticate itself

• Suitable for coarse-grained messaging in which a single message at a time is received from the same requestor
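The single-message authentication model above, as an added example that is not from the slides: a WS-Security UsernameToken PasswordDigest (Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile) built on the client and verified on the server with a freshness window and a nonce replay cache. The credential store, the five-minute skew window and all sample values are assumptions for the demo.

```python
"""WS-Security UsernameToken (PasswordDigest) build and verify."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed credential store for the demo (assumption): username -> password.
USERS = {"alice": "correct horse battery staple"}
MAX_SKEW = timedelta(minutes=5)   # accepted clock skew for wsu:Created (assumption)
_seen_nonces = set()              # replay cache; a real server would expire entries


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """Client side: the token carries everything needed to authenticate this one message."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = base64.b64encode(os.urandom(16)).decode()
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


def verify_token(tok: dict, now: Optional[datetime] = None) -> bool:
    """Server side: freshness window, replay cache, then a constant-time digest check."""
    now = now or datetime.now(timezone.utc)
    nonce, created_s, digest = tok.get("Nonce"), tok.get("Created"), tok.get("PasswordDigest")
    password = USERS.get(tok.get("Username"))
    if not (nonce and created_s and digest and password):
        return False
    try:
        created = datetime.strptime(created_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - created) > MAX_SKEW:
        return False                      # stale or far-future Created: reject
    if nonce in _seen_nonces:
        return False                      # same nonce seen before: replayed message
    if not hmac.compare_digest(password_digest(nonce, created_s, password), digest):
        return False                      # wrong password or tampered token
    _seen_nonces.add(nonce)               # remember the nonce only after a successful check
    return True
```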

WS-SecureConversation

SOAP Security – Message Level: WS-SecureConversation

• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer

• Removes the need for each individual SOAP message to carry authentication information.

• Establishes a mutually authenticated security context in which a series of messages are exchanged.

• Uses public key encryption to exchange a shared secret, and from then on uses the shared key.

WS-Trust

SOAP Security – Message Level

Sender Vouches – Subject Confirmation

SOAP Security – Message Level

SOAP Security – Message Level

Holder-of-Key – Subject Confirmation

WS-Security Policy

SOAP Security – Message Level

Thank You…!!!

prabath@wso2.com