Post on 22-Dec-2015


Secure Web Services with

Apache Rampart/C


Why to secure web services?

The world is not nice, as it seems !!!


Threats

Common to distributed systems
Specific to web services


Common threats

Message replays
Identity spoofing
DoS attacks
Message alteration / integrity
Confidentiality issues


Threats on web services

Public disclosure: UDDI, WSDL
SOAP bound to HTTP/SMTP can easily pass through firewalls
Unpredictable order of service invocation
Less human scrutiny
Limitations of SOAP
  Origin verification
  Integrity, confidentiality


That's why...

WS-Security*


Transport Level Vs Message Level Security


Why Message Level Security?

Multiple intermediaries
  Operations to messages
  Observation
Security even after the safe delivery
Non-repudiation
Secure specific parts of the message


Rampart/C Features

Timestamps
Username Token Profile
X509 Token Profile
SOAP message encryption
SOAP message signature
WS-Security Policy support
Replay detection


Overview


Detailed Architecture


OMXMLSecurity


Apache Axis2/C deployment

Client
  axis2.xml [Engage]
  policy.xml [Policy]

Service
  services.xml [Engage + Policy]
  axis2.xml [Engage: optional]


Apache Axis2/C deployment


An Encrypted Message


Rampart/C usages

WSF/C
WSF/PHP
WSF/Ruby


Security in WSF/PHP


Secured WSF/PHP Client

1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSClient object
5. Request


// Receiver's certificate (used to encrypt the request) and our private key (used to decrypt the reply)
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
$pvt_key  = ws_get_key_from_file('../keys/alice_key.pem');

// Payload for the echoString operation (constructed sample; the slide did not define it)
$reqPayloadString = '<ns1:echoString xmlns:ns1="http://php.axis2.org/samples"><text>Hello World!</text></ns1:echoString>';

$reqMessage = new WSMessage($reqPayloadString,
    array("to" => "http://localhost/samples/security/encryption/encrypt_service.php",
          "action" => "http://php.axis2.org/samples/echoString"));

// Security properties: encrypt with the Basic256Rsa15 suite and embed the token in the message
$sec_array = array("encrypt" => TRUE, "algorithmSuite" => "Basic256Rsa15",
                   "securityTokenReference" => "EmbeddedToken");

$policy    = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $rec_cert));

// useWSA turns on WS-Addressing headers, which carry the action given above
$client = new WSClient(array("useWSA" => TRUE, "policy" => $policy, "securityToken" => $sec_token));

$resMessage = $client->request($reqMessage);
printf("Response = %s\n", htmlspecialchars($resMessage->str));

PHP Client example


Secured WSF/PHP Service

1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSService object
5. Reply


PHP Service example

// Peer certificate (used to encrypt the reply) and the service's private key (decrypts the request)
$pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
$pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

// Implementation of the echoString operation: return the request payload unchanged
// (added so the sample runs; the slide referenced echoFunction without defining it)
function echoFunction($inMessage) {
    return new WSMessage($inMessage->str);
}

$operations = array("echoString" => "echoFunction");
$actions    = array("http://php.axis2.org/samples/echoString" => "echoString");

// Security properties: encrypt with Basic256Rsa15, reference the key by issuer and serial
$sec_array = array("encrypt" => TRUE, "algorithmSuite" => "Basic256Rsa15",
                   "securityTokenReference" => "IssuerSerial");

$policy    = new WSPolicy(array("security" => $sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $pub_key));

$svr = new WSService(array("actions" => $actions, "operations" => $operations,
                           "policy" => $policy, "securityToken" => $sec_token));
$svr->reply();


Would Rampart/C be enough? NO...!!!

There are threats that cannot be addressed by WS-Security* alone, e.g. XML bombs and SQL injection

Design your services carefully and use Rampart/C


What's ahead?

WS-SecureConversation
WS-Trust
WS-Federation


Questions?


More readings...

http://wso2.org/library/2814
http://wso2.org/library/2917
http://wso2.org/library/2702