Web Services Security
by Shilpa Venugopal and Nagalakshmi Kohareswaran

What are Web Services
- Business logic or applications on the Internet.
- A collection of web and object-oriented technologies.
- Link web-based applications running on different hardware, software, database or network platforms.
- Enable integration of applications across enterprise boundaries, providing seamless collaboration with partners, customers and suppliers.

What are Web Services: Example
- A tour operator offers customizable vacation tours.
- Tours contain all the information related to destinations, hotels to stay at, car rentals, flights to take, etc.
- The tour operator needs to communicate with its partner hotels and car rental companies. This is done by means of web services.
- Partner hotels offer remote access to information such as room rents, availability, booking, etc. by means of services:
  - Public services: room availability
  - Private services: discount rates for partners

[Figure: Tourist, Hotel, Tour Operator, Integration Modules, Car Rental, Partner Businesses]

What are Web Services: SOAP
- Services are hosted on a SOAP server running on a web server and are accessed by SOAP over the HTTP protocol.
- SOAP is the Simple Object Access Protocol: XML messages built according to the SOAP specifications.
- A web service method call appears as a URL, with or without parameters; it returns data in the form of an XML document.

[Figure: Hotel Web Services. Web Service Client -> SOAP over HTTP -> Web Server -> Hotel SOAP Server. Private: GetBookings, GetDiscountRates. Public: GetRoomsAvail, GetRoomRates.]

Challenges in Web Services Security
- Interactions are expanding from intranets to the Internet.
- Security requirements must be addressed by the underlying security technology.
- The interactions are anticipated to be more dynamic and instantaneous.
- The number of participants is far larger than in other environments.

Security Requirements
- Authentication mechanisms
- Authorization to access resources
- Data integrity and confidentiality
- Integrity of transactions and communications
- End-to-end integrity and confidentiality of messages
- Non-repudiation
- Audit trails
- Distributed enforcement of security policy

Current Security Mechanisms
- Security at the transport level (SSL)
- Security at the XML level

Limitations of Security at the Transport Level
- SSL provides point-to-point security.
- SSL secures communication at the transport level rather than the message level.
- HTTPS in its current form does not support non-repudiation well.
- SSL does not provide element-wise signing and encryption.

XML Security Standards
XML-level security involves standards that form the modules of an XML firewall:
- XML Signature
- XML Encryption
- WS-Security
- eXtensible Access Control Markup Language (XACML)
- Security Assertion Markup Language (SAML)
- XML Key Management Services (XKMS)

[Figure: Hotel Web Services. Web Service Client -> XML Firewall -> Hotel SOAP Server (Secured Intranet). Private: GetBookings, GetDiscountRates. Public: GetRoomsAvail, GetRoomRates.]

SOAP (Simple Object Access Protocol)
Standard proposed by the W3C group.

  <soap:Envelope>
    <soap:Header>
      <!-- header definition -->
    </soap:Header>
    <soap:Body>
      <!-- body definition -->
    </soap:Body>
  </soap:Envelope>

XML Signature
- Designed for use with XML transactions, not necessarily SOAP.
- Used to provide authentication, data integrity and support for non-repudiation for the data.
- Message integrity and user authentication information are enclosed within the SOAP message; the XML firewall receives the message and checks the integrity and authentication information.
- Provides the flexibility to sign specific portions of the XML document.

  <Signature>
    <SignedInfo>
      <SignatureMethod/>
      <Reference>
        <DigestMethod/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo></KeyInfo>
  </Signature>

XML Signature: Elements
- Signature: main element
- SignedInfo: resources to sign and algorithms
- SignatureMethod: signing algorithm
- Reference: list of resources
- DigestMethod: digest algorithm
- DigestValue: result of the digest
- SignatureValue: signature value
- KeyInfo: key used to validate the signature

XML Signature: Steps in Creating a Digital Signature
1. Identify the resources to be signed. These can be:
   - character-encoded data such as HTML, e.g. http://www.xyz.com/index.html
   - binary-encoded data like an image file on the web (JPG)
   - an XML file on the web, e.g. http://www.xyz.com/xml/abc.xml
   - a specific element in an XML file on the web, e.g. http://www.xyz.com/xml/abc.xml#element1
2. Determine the digest for each resource.
3. Add the SignedInfo element.
4. Calculate the digest of the SignedInfo element, sign it and put the signature in the SignatureValue element.
5. Add the KeyInfo element.
6. Add the Signature element.

Validating an XML Signature
- Verify the digest values of the Reference elements: recalculate the digests of the references contained within the SignedInfo element and compare them to the values in the corresponding DigestValue elements.
- Verify the signature of the SignedInfo element: use the public verification key to verify that the SignatureValue element is valid.

XML Encryption
- An encryption technology optimized for XML data.
- It addresses two requirements: end-to-end security and selective encryption.
- XML Encryption provides flexibility by encrypting any of the following:
  - a complete XML file
  - any single element of an XML file

XML Encryption (cont.): A simple example of secure exchange of XML data

  <purchaseOrder>
    <Order>
      <Item>book</Item>
      <Id>123-56-6789</Id>
      <Quantity>6</Quantity>
    </Order>
    <Payment>
      <CardId>9876-5432-6874</CardId>
      <CardName>abc</CardName>
      <ValidDate>12-04</ValidDate>
    </Payment>
  </purchaseOrder>

XML Encryption (cont.): Encrypting a complete XML file

  <?xml version="1.0"?>
  <EncryptedData Type="...">
    <CipherData>
      <CipherValue>A123B456C...</CipherValue>
    </CipherData>
  </EncryptedData>

XML Encryption (cont.): Encrypting a single element

  <?xml version="1.0"?>
  <EncryptedData Type="...#Element">
    <CipherData>
      <CipherValue>A123B456...</CipherValue>
    </CipherData>
  </EncryptedData>

WS-Security
- Proposed by the OASIS group; an extension to the SOAP specification by the W3C.
- Defines the mechanism for including integrity, confidentiality and authentication features within a SOAP message.
- Defines how to include digital signatures and encrypted data in a SOAP message.
- Uses the XML Signature and XML Encryption specifications.

  <SOAP-ENV:Envelope>
    <SOAP-ENV:Header>
      <wsse:Security>
        <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
        <Signature>...</Signature>
      </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
      ...
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

WS-Security: Elements
- The SOAP Header contains the wsse:Security element.
- wsse:Security contains all the necessary security information.
- wsse:BinarySecurityToken contains an electronic token that is required to be shown when entering a restricted area, like a binary certificate (X.509) or a Kerberos ticket.
- The Signature element contains the
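The signing steps, the validation steps and the WS-Security envelope layout described above, carried through as an added example that is not part of the original slides: it builds a SOAP envelope whose wsse:Security header carries a BinarySecurityToken and a Signature over the Body, then validates the Reference digest and the SignatureValue, rejecting a Body that was altered after signing. It assumes an HMAC shared secret in place of the slides' public/private key pair, a plain Id attribute on the Body instead of the wsu:Id used in real deployments, a constructed token value, and only the Python standard library.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS, SOAP = "http://www.w3.org/2000/09/xmldsig#", "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
KEY = b"constructed-demo-shared-secret"  # constructed; an HMAC key stands in for the signing key pair

def c14n(elem):
    """Canonical bytes of a subtree, so signer and verifier digest identical input."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()

def b64(raw):
    return base64.b64encode(raw).decode()

def sign_envelope(body_xml, token="constructed-token-placeholder"):
    """Wrap body_xml in Envelope/Header/wsse:Security and sign the Body (slide steps 1-6)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "Body"})   # step 1: the resource to sign
    body.append(ET.fromstring(body_xml))
    sec = ET.SubElement(hdr, f"{{{WSSE}}}Security")
    ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken").text = token
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")                  # step 6: the Signature element
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")                  # step 3: SignedInfo
    ET.SubElement(si, f"{{{DS}}}SignatureMethod",
                  {"Algorithm": "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"})
    ref = ET.SubElement(si, f"{{{DS}}}Reference", {"URI": "#Body"})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", {"Algorithm": "http://www.w3.org/2001/04/xmlenc#sha256"})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(hashlib.sha256(c14n(body)).digest())  # step 2
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()          # step 4: sign SignedInfo
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = "partner-key"  # step 5
    return ET.tostring(env, encoding="unicode")

def verify_envelope(xml_text):
    """Validation: recompute every Reference digest, then check SignatureValue over SignedInfo."""
    env = ET.fromstring(xml_text)
    si = env.find(f".//{{{DS}}}SignedInfo")
    for ref in si.findall(f"{{{DS}}}Reference"):
        target = next(e for e in env.iter() if e.get("Id") == ref.get("URI").lstrip("#"))
        if b64(hashlib.sha256(c14n(target)).digest()) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False                                            # referenced content was changed
    given = base64.b64decode(env.findtext(f".//{{{DS}}}SignatureValue"))
    return hmac.compare_digest(given, hmac.new(KEY, c14n(si), hashlib.sha256).digest())

# Constructed request from the hotel example: a public GetRoomsAvail call, signed by the client.
SIGNED = sign_envelope("<GetRoomsAvail><Hotel>Sea View</Hotel><Rooms>1</Rooms></GetRoomsAvail>")
```

Because the digest covers only the referenced Body, the same check passes when headers are added or reordered by an intermediary, which is the element-wise property SSL alone cannot give.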

