Security for Web Services and Service Oriented Architectures

Contents
- Security for Web Services and Service Oriented Architectures
- Acknowledgement
- Objective and Scope
- Outline
- Service Oriented Architecture (SOA) http://en.wikipedia.org/wiki/Service-oriented_architecture
- Web service definition
- SOA
- Web Services (WS) Framework
- Standardization bodies related to Web Services
- SOA Security
- Basic Components of SOA Security
- Web Services Security: Requirements and Standards
- WS-* security Standards framework
- WS-* security standards implementations
- XML Encryption
- XML Signature
- Securing SOAP messages
- Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). Status: Approved OASIS Standard Specification, 1 February 2006
- What is WS-Security?
- WS-Policy
- XACML
- XACML: Key Aspects
- XACML data flow model
- XACML Protocol
- Slide 24
- Slide 25
- XACML policy
- Security Assertion Markup Language (SAML)
- SAML basic concepts
- SAML assertions
- SAML entities
- SAML and XACML
- SAML & Federated Identity
- Summary Points
- Appendix
- Securing the network traffic: SSL/TLS and IPsec
- WS-Policy: Policy model
- WS-Policy example
- Slide 38
- WS-Security mechanisms and considerations
- WS-Security request example
- WS-SecureConversation
- Security policies for Web Services
- XACML Profile for Web-Services
- SAML profiles
- Policies and Policy Sets
- Overview of the Policy Element
- Standards for security management: XKMS (XML Key Management Standard)
- XKMS services
- Standards for security management: WS-TRUST
- WS-Trust
- WS-Trust: trust model
- WS-Trust: example
- WS-* Security standards and security
- WS-* Security standards and interoperability
- WS-* Security standards and performance
- XML Accelerators and Firewalls

Slide 1: Security for Web Services and Service Oriented Architectures
Bhavani Thuraisingham
The University of Texas at Dallas
November 5, 2010

Slide 2: Acknowledgement
- Professors Elisa Bertino and Lorenzo Martino, Purdue University, for much of the information and charts on web services security standards and digital identity management
- Others:
  - Dr. Frederica Pacci, University of Milan, for ideas obtained when serving on her thesis committee on research in web services security
  - Prof. I-Ling Yen and Wei-She, University of Texas at Dallas, for collaboration on web services security and the delegation model
  - Book by Thomas Erl on Service Oriented Architectures, Prentice Hall, 2005

Slide 3: Objective and Scope
- The objective of this course is to provide an overview of the significant developments in SOA and Web Services Security Standards, as well as directions for future developments.
- Current work on SOA security is focusing mainly on access control as well as confidentiality and integrity.
- Solutions proposed for systems to address intrusion detection, denial of service and infrastructure attacks, and insider threat analysis, including data mining techniques for security applications, are beyond the scope of this course.

Slide 4: Outline
- SOA and Web services: Overview
- SOA and Web services security: Overview
- WS-Security and WS-* Security

Slide 5: Service Oriented Architecture (SOA) http://en.wikipedia.org/wiki/Service-oriented_architecture
- Service Oriented Architecture (SOA) is an architectural style that guides all aspects of creating and using business processes, packaged as services, throughout their lifecycle, as well as defining and provisioning the IT infrastructure that allows different applications to exchange data and participate in business processes, loosely coupled from the operating systems and programming languages underlying those applications.
- SOA represents a model in which functionality is decomposed into distinct units (services), which can be distributed over a network and can be combined together and reused to create business applications.
- These services communicate with each other by passing data from one service to another, or by coordinating an activity between two or more services.
- SOA concepts make software development flexible and extensible.
- Service oriented analysis is becoming key to modeling and analyzing software.
- The concepts of Service Oriented Architecture are often seen as built upon, and the evolution of, the older concepts of distributed computing and modular programming.
- While object-orientation views the world as a collection of objects, service orientation views the world as a collection of services.
- SOA is technology independent; however, it is commonly realized using web services.

Slide 6: Web service definition
"A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards."
Source: http://www.w3.org/TR/ws-arch/

Slide 7: SOA
[Diagram: Service requestor, Service providers and UDDI, with the interactions Publish Services, Query, Answer, Request and Response]

Slide 8: Web Services (WS) Framework
- An abstract (vendor neutral) existence defined by standards organizations and implemented by (proprietary) technology platforms
- Core building blocks that include web services, service descriptions and messages
- A communication agreement centered around service descriptions and WSDL
- A messaging framework comprised of SOAP technology concepts
- A service description registration and discovery architecture sometimes realized through UDDI
- A well defined architecture that supports messaging patterns and compositions
- A second generation of web services extensions (also known as WS-* specifications) continually broadening its underlying feature-set
- Concepts in WS-* include: Message Exchange Patterns (MEP), Service Activity, Coordination, Atomic Transaction, Business Activities, Orchestration (WS-BPEL), Choreography (WS-CDL)
Reference: Service Oriented Architecture, Thomas Erl, Prentice Hall, 2005

Slide 9: Standardization bodies related to Web Services

Slide 10: SOA Security
- Our approach is to implement SOA through web services; therefore SOA security is essentially about web services security.
- Three core specifications: WS-Security, XML-Signature, XML-Encryption
- WS*-Security is the second generation of technologies for SOA security
- Single sign-on (SSO) is a form of centralized security mechanism that complements the WS-Security extensions
- Related specifications for SOA security: WS-Security, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Federation, XACML, Extensible Rights Markup Language, XML Key Management, XML Signature, SAML, .NET
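Slide 10 names WS-Security as one of the three core specifications. As an added example that is not part of the slides, the Python below checks a WS-Security 2004 UsernameToken in PasswordDigest form carried in a SOAP envelope, using only the standard library; the namespace URIs are the OASIS ones, the sample envelope, the user alice and the password s3cret are constructed, and Created timestamps are assumed to be whole-second UTC.

```python
# Added example, not from the slides: verify a WS-Security 2004 UsernameToken (PasswordDigest) in a SOAP envelope.
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # whole-second UTC timestamps are assumed

def password_digest(nonce_b64, created, password):
    # Username Token Profile 1.0: Base64(SHA-1(nonce || created || password)), nonce as raw bytes
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce_b64, created):
    # Constructed sample SOAP 1.1 request carrying a wsse:Security header.
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><s:Header><wsse:Security>'
            f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}'
            f'</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}'
            f'</wsu:Created></wsse:UsernameToken></wsse:Security></s:Header>'
            f'<s:Body><GetQuote>ACME</GetQuote></s:Body></s:Envelope>')

def verify_username_token(envelope, passwords, seen_nonces, now_utc, window_s=300):
    """True only if the digest matches the user's shared secret, Created lies within
    window_s seconds of now_utc and the nonce is unseen; seen_nonces is updated on success."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    user, nonce = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSSE}}}Nonce")
    pw, created = tok.find(f"{{{WSSE}}}Password"), tok.findtext(f"{{{WSU}}}Created")
    if (None in (user, nonce, pw, created) or pw.get("Type") != DIGEST
            or user not in passwords):
        return False          # missing fields, cleartext PasswordText token, or unknown user
    try:
        age = abs((datetime.strptime(now_utc, TIME_FMT)
                   - datetime.strptime(created, TIME_FMT)).total_seconds())
    except ValueError:
        return False          # malformed timestamp
    if age > window_s or nonce in seen_nonces:
        return False          # stale token or replayed nonce
    expected = password_digest(nonce, created, passwords[user])
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return False
    seen_nonces.add(nonce)    # record the nonce only after a successful check
    return True
```

A valid UsernameToken authenticates the sender only: the body is not covered, so altering it does not fail this check, which is why XML Signature is listed beside WS-Security as a core specification.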