Secure Web Services with
Apache Rampart/C
2
Why to secure web services?
The world is not nice, as it seems!!!
3
Threats
Common to distributed systems
Specific to web services
4
Common threats
Message replays
Identity spoofing
DoS attacks
Message alteration / integrity
Confidentiality issues
5
Threats on web services
Public disclosure (UDDI, WSDL)
SOAP bound to HTTP/SMTP can easily pass through firewalls
Unpredictable order of service invocation
Less human scrutiny
Limitations of SOAP: origin verification, integrity, confidentiality
6
That's why...
WS-Security*
7
Transport Level Vs Message Level Security
8
Why Message Level Security?
Multiple intermediaries
Operations on messages
Observation
Security even after the safe delivery
Non-repudiation
Secure specific parts of the message
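The following is an added illustration of the last three points, not code from the slides or from Rampart/C. It signs only the SOAP Body of a small constructed request, carries the value in a wsse:Security header, and then checks it in three situations: after an intermediary adds its own header (still verifies), after the Body is altered in transit (fails), and on a stored copy checked again later (still verifies, which is what "security even after the safe delivery" means). A keyed MAC (HMAC-SHA256 with an assumed shared key) stands in for the XML Signature that WS-Security would apply with an X.509 key; the BodyMAC element and the key are constructed for the demo.

```python
# Added example (not Rampart/C or WSF code): message-level integrity over one
# part of a SOAP envelope. A keyed MAC (HMAC-SHA256 with an assumed shared key)
# stands in for the XML Signature that WS-Security would apply with an X.509
# key; what it shows is that protection travels inside the message, covers
# only the signed part, and can still be checked after delivery.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soapenv", SOAP)
ET.register_namespace("wsse", WSSE)
SHARED_KEY = b"constructed-demo-key"  # assumed; real deployments use X.509 key pairs

# Constructed request for the echoString sample operation
REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header/>
  <soapenv:Body><echoString xmlns="http://php.axis2.org/samples">Hello</echoString></soapenv:Body>
</soapenv:Envelope>"""


def body_bytes(env):
    """Serialize only the Body element in canonical form (stand-in for C14N)."""
    body = env.find(f"{{{SOAP}}}Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode")).encode()


def sign_body(env_xml):
    """Sender: MAC the Body and carry the value in a wsse:Security header."""
    env = ET.fromstring(env_xml)
    mac = hmac.new(SHARED_KEY, body_bytes(env), hashlib.sha256).digest()
    header = env.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        env.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    # BodyMAC is a constructed element; WS-Security would use ds:Signature here
    ET.SubElement(security, "BodyMAC").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify_body(env_xml):
    """Receiver (or anyone holding the key, at any later time): recompute and compare."""
    env = ET.fromstring(env_xml)
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/BodyMAC")
    if sig is None or not sig.text:
        return False
    expected = hmac.new(SHARED_KEY, body_bytes(env), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig.text), expected)


def intermediary_adds_header(env_xml):
    """A routing hop adds its own header; the signed Body is untouched."""
    env = ET.fromstring(env_xml)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "Via").text = "gateway-1"
    return ET.tostring(env, encoding="unicode")


def alter_body(env_xml):
    """Simulates the message-alteration threat: the payload text is changed in transit."""
    env = ET.fromstring(env_xml)
    env.find(f"{{{SOAP}}}Body/*").text = "Hello, altered"
    return ET.tostring(env, encoding="unicode")


def demo():
    """Return the verification outcome for each scenario."""
    signed = sign_body(REQUEST)
    return {
        "as_signed": verify_body(signed),
        "after_intermediary_header": verify_body(intermediary_adds_header(signed)),
        "after_body_alteration": verify_body(alter_body(signed)),
        "stored_and_rechecked_later": verify_body(signed),
        "unsigned": verify_body(REQUEST),
    }
```

Transport-level security (TLS) would have protected none of these cases once the first hop terminated the connection: the intermediary sees plaintext, can change anything, and nothing verifiable remains with the stored message.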
9
Rampart/C Features
Timestamps
Username Token Profile
X509 Token Profile
SOAP message encryption
SOAP message signature
WS-Security Policy support
Replay detection
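An added example (plain Python, not Rampart/C code) of the service-side checks behind three of the features listed above: the Username Token Profile PasswordDigest rule, Timestamp freshness, and nonce-based replay detection. The credential store, the five-minute clock-skew and freshness values, and the dict standing in for the wsse:UsernameToken element are assumptions for the demo.

```python
# Added example (not Rampart/C code): the service-side checks behind three of the
# features listed above, written in plain Python. Username Token Profile digest:
#   PasswordDigest = Base64(SHA-1(nonce + created + password))
# Timestamp: reject stale or future tokens. Replay detection: remember nonces.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

USERS = {"alice": "correct horse battery staple"}  # constructed credential store
CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift
TOKEN_TTL = timedelta(minutes=5)   # assumed freshness window
FMT = "%Y-%m-%dT%H:%M:%SZ"         # xsd:dateTime form used in wsu:Created


def password_digest(nonce, created, password):
    """Digest as defined by the Username Token Profile (nonce bytes + created + password)."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_username_token(username, password, now):
    """Client side: the fields a sender puts in wsse:UsernameToken (dict stands in for XML)."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}


class UsernameTokenValidator:
    """Service side: digest check, freshness check and nonce replay cache."""

    def __init__(self, users, skew=CLOCK_SKEW, ttl=TOKEN_TTL):
        self.users, self.skew, self.ttl = users, skew, ttl
        self.seen = {}  # (username, nonce) -> Created; entries expire with the window

    def validate(self, token, now):
        """Return (accepted, reason); the reason is meant for the service's log."""
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
            given = token["PasswordDigest"]
        except (KeyError, ValueError):
            return False, "malformed token"
        # Timestamp checks: within skew of now, and not older than the window
        if created > now + self.skew:
            return False, "Created is in the future"
        if created < now - self.ttl - self.skew:
            return False, "token expired"
        # Digest check in constant time
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), given.encode()):
            return False, "bad password digest"
        # Replay detection: a nonce may be accepted once per freshness window
        self._expire(now)
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return False, "replayed nonce"
        self.seen[key] = created
        return True, "ok"

    def _expire(self, now):
        """Drop cache entries that can no longer pass the freshness check anyway."""
        cutoff = now - self.ttl - self.skew
        self.seen = {k: c for k, c in self.seen.items() if c >= cutoff}


def demo():
    """Fresh token, the same token again, wrong password, and a stale token."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenValidator(USERS)
    token = build_username_token("alice", USERS["alice"], now)
    return [
        v.validate(token, now),
        v.validate(token, now + timedelta(seconds=30)),
        v.validate(build_username_token("alice", "wrong password", now), now),
        v.validate(build_username_token("alice", USERS["alice"], now), now + timedelta(minutes=11)),
    ]
```

The replay cache only has to hold nonces for as long as the freshness window lasts, which is why the Timestamp and replay-detection features belong together: without a bounded window the cache would grow without limit, and without the cache a captured token could be resubmitted for as long as it stays fresh.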
10
Overview
11
Detailed Architecture
12
OMXMLSecurity
13
Apache Axis2/C deployment
Client: axis2.xml [Engage], policy.xml [Policy]
Service: services.xml [Engage + Policy], axis2.xml [Engage: optional]
14
Apache Axis2/C deployment
15
An Encrypted Message
16
Rampart/C usages
WSF/C
WSF/PHP
WSF/Ruby
17
Security in WSF/PHP
18
Secured WSF/PHP Client
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSClient object
5. Request
19
PHP Client example

<?php
// Keys: the receiver's certificate (the message is encrypted to it) and the
// sender's own private key
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
$pvt_key  = ws_get_key_from_file('../keys/alice_key.pem');

// Request payload for the echoString operation (not shown on the slide; a
// sample value assumed to match the echoString sample namespace)
$reqPayloadString = '<ns1:echoString xmlns:ns1="http://php.axis2.org/samples">Hello World!</ns1:echoString>';

$reqMessage = new WSMessage($reqPayloadString,
    array("to"     => "http://localhost/samples/security/encryption/encrypt_service.php",
          "action" => "http://php.axis2.org/samples/echoString"));

// 1. Security properties: encrypt with the Basic256Rsa15 algorithm suite and
//    embed the token reference in the message
$sec_array = array("encrypt"                => TRUE,
                   "algorithmSuite"         => "Basic256Rsa15",
                   "securityTokenReference" => "EmbeddedToken");

// 2. Policy object built from the security properties
$policy = new WSPolicy(array("security" => $sec_array));

// 3. Security token: our private key and the receiver's certificate
$sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                       "receiverCertificate" => $rec_cert));

// 4. Client with WS-Addressing enabled, the policy and the security token
$client = new WSClient(array("useWSA"        => TRUE,
                             "policy"        => $policy,
                             "securityToken" => $sec_token));

// 5. Send the request; the returned WSMessage holds the response
$resMessage = $client->request($reqMessage);
?>
20
Secured WSF/PHP Service
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSService object
5. Reply
21
PHP Service example

<?php
// Keys: the certificate used as receiverCertificate when the reply is
// encrypted, and the service's own private key for decrypting requests
$pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
$pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

// Implementation of the echoString operation (not on the slide; follows the
// WSF/PHP sample convention of returning the incoming payload unchanged)
function echoFunction($inMessage) {
    return new WSMessage($inMessage->str);
}

// Map operation name -> PHP function, and WS-Addressing action -> operation
$operations = array("echoString" => "echoFunction");
$actions    = array("http://php.axis2.org/samples/echoString" => "echoString");

// 1. Security properties: encryption with Basic256Rsa15, token referenced by
//    issuer name and serial number
$sec_array = array("encrypt"                => TRUE,
                   "algorithmSuite"         => "Basic256Rsa15",
                   "securityTokenReference" => "IssuerSerial");

// 2. Policy object built from the security properties
$policy = new WSPolicy(array("security" => $sec_array));

// 3. Security token: the service's private key and the receiver certificate
$sec_token = new WSSecurityToken(array("privateKey"          => $pvt_key,
                                       "receiverCertificate" => $pub_key));

// 4. Service object with actions, operations, policy and security token
$svr = new WSService(array("actions"       => $actions,
                           "operations"    => $operations,
                           "policy"        => $policy,
                           "securityToken" => $sec_token));

// 5. Process the request and send the reply
$svr->reply();
?>
22
Would Rampart/C be enough? NO...!!!
There are threats that cannot be addressed by WS-Security* alone, e.g. XML bombs and SQL injection
Design your services carefully and use Rampart/C
23
What's ahead?
WS-Secure Conversation
WS-Trust
WS-Federation
24
Questions?
25
More readings...
http://wso2.org/library/2814
http://wso2.org/library/2917
http://wso2.org/library/2702