95-702 Distributed Systems
Master of Information System Management
Lecture 15: Securing Web Services

XML Web Services
• Hot topic
• Foundation of Service Oriented Architectures
• Interoperable Remote Method Invocation
• Messaging
• Supported by all the big players
Notes adapted from the required reading "Web Services Security", Bilal Siddiqui.

Existing XML Web Services
• Google
• EBay
• Amazon
• XIgnite (financial computations)
• Many others in the cloud! See www.xmethods.com
But remember, many are not public. An SOA would have many in-house web services.

XML Web Services & Cryptography
Bob and Alice want to exchange SOAP messages. Eve and Mallory need to be taken seriously.

What's going on?
• Web Services Security (WSS) specification from OASIS.
• Adds message confidentiality to SOAP.
• Adds message identification, authentication, authorization, and non-repudiation to SOAP.
Why not simply use SSL? SSL is cool, but it is point to point. An end-to-end approach carries the encrypted data and the signatures inside the message and permits persistence. SSL may be used along with WSS.

The WS Cryptography Stack (top layer to bottom layer)
XML Web Services Security
SAML (Security Assertion ML), XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language)
XMLDSIG (W3C), XMLENC (W3C)
.NET Crypto APIs, Java Security APIs

Interoperable Web Services
We need application integration within the enterprise.
We need application integration across enterprise boundaries: customers, partners, suppliers. A Service Oriented Architecture may be built on a web service foundation, using services within the enterprise and in the cloud.

A Tourism Supply Chain
Diagram: Tourists -> Tour Operator -> suppliers (car rental companies and hotels).
The Hotel exposes RoomRentInfoForAll() (anyone may call) and RoomRentInfoForPartnersOnly() (restricted callers).

Service Oriented Architecture
Diagram: the Hotel's RoomRentInfoForAll() and RoomRentInfoForPartnersOnly() are exposed by a SOAP Server, reached by SOAP over HTTP.

Listing 1 SOAP Request
    POST /Vendors HTTP/1.1
    Host: www.myHotel.com
    Content-Type: text/xml; charset=utf-8
    Content-Length: 350
    SOAPAction: ""

    <?xml version='1.0'?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >
      <SOAP-ENV:Body>
        <s:GetSpecialDiscountedBookingForPartners xmlns:s='http://www.MyHotel.com/partnerservice/' >
          <!--Parameters passed with the method call-->
        </s:GetSpecialDiscountedBookingForPartners>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Listing 2 SOAP Response
    HTTP/1.0 200 OK
    Content-Type: text/xml; charset=utf-8
    Content-Length: 1474

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >
      <SOAP-ENV:Body>
        <m:GetSpecialDiscountedBookingForPartnersResponse xmlns:m="http://www.MyHotel.com/partnerservice/" >
          <!-- Booking confirmation details-->
        </m:GetSpecialDiscountedBookingForPartnersResponse>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

1st Generation Web Services
Diagram: SOAP Client -> SOAP Server -> Hotel Class -> RDBMS

2nd Generation Web Services
Diagram: SOAP Client -> SOAP Server (Tour Planning Class) -> SOAP Server (Hotel Class) -> RDBMS

3rd Generation Web Services
Diagram: SOAP Client -> SOAP Server (Tour Planning Class) -> SOAP Server (Hotel Class) -> RDBMS; SOAP Server (Plane Class) -> RDBMS; SOAP Server (Tour Planning Class); the calls are grouped under WS-Transaction.

WS Security
Diagram: SOAP Client -> SOAP Server (SOAP Aware Firewall) -> SOAP Server -> Hotel Class -> RDBMS
• inspect SOAP message
• match user roles with access lists
• XML Signature
• XML Encryption
• WSS (SOAP specific use of XMLEnc and XMLDsig)
• Security Assertion Markup Language (SAML) for single sign on, replacing HTTP cookies
• XACML (eXtensible Access Control Markup Language) to express authorization and access policies

XML Signature
An IETF/W3C Recommendation

XML Digital Signatures Quick Review
Message Digest
• message + digest algorithm -> hash value
• transmit the (message, hash value) pair
• useful for checking if errors occurred
Problem: Mallory might replace the (message, hash value) pair with her own (message, hash value) pair.

XML Digital Signatures
• Solution (1): get a symmetric key involved in the calculation of the hash.
• Solution (2): Given a message m, compute a hash of m and encrypt the hash with an asymmetric private key.
• Mallory doesn't know the keys. So, she can't forge the signature.
• But how do we do this in XML?

XML Signature
• XML Signatures are digital signatures used in XML transactions
• May be used to sign only a portion of an XML document.
  The document might have a long history with different parts holding different signatures.
• The signature may apply to XML or non-XML data

Referencing What is Signed
• The XML Signature may hold a URI.
• This allows it to point to a signed entity that may reside elsewhere.
• Or, the signed content may be available in the XML document holding the signature.

XMLDsig General Form
Figure: The Components of an XML Signature

The <Reference> Element
• Each signed
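The following is an added example, not code from the lecture or from Siddiqui's book. It ties together the slides on the message digest problem, solution (1), and referencing what is signed: a cut-down XML Signature over one element of a SOAP Body (the operation element from Listing 1, marked with a wsu:Id) using an HMAC-SHA256 SignatureMethod, so that a symmetric key enters the hash. Assumptions: Python 3.8 or later (for ET.canonicalize, which implements Canonical XML 2.0 rather than the exclusive C14N normally used with WSS); the SOAP message, the Id value, the key and the forge_attempt() helper are constructed for the demonstration; and the <Signature> is placed straight into a SOAP Header instead of the WSS <wsse:Security> block.

```python
# Added example (not from the lecture): simplified XML Signature with HMAC-SHA256
# over one referenced element of a SOAP Body. Requires Python 3.8+.
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER = "http://www.MyHotel.com/partnerservice/"          # namespace from Listing 1
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N_20 = "http://www.w3.org/2010/xml-c14n2"                # what ET.canonicalize implements
for prefix, uri in (("ds", DS), ("SOAP-ENV", SOAP), ("s", PARTNER), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed request modelled on Listing 1; wsu:Id marks the portion to be signed.
SOAP_REQUEST = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}">
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s="{PARTNER}"
        xmlns:wsu="{WSU}" wsu:Id="Body-1">
      <s:partnerId>tour-op-42</s:partnerId>
      <s:rooms>3</s:rooms>
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _c14n(elem: ET.Element) -> bytes:
    """Canonicalize one subtree on its own (tail whitespace dropped) so signer and verifier hash identical bytes."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def _find_by_id(root: ET.Element, ref_id: str) -> ET.Element:
    """Resolve a same-document Reference URI (e.g. "#Body-1") to the element carrying that wsu:Id."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == ref_id:
            return el
    raise KeyError(ref_id)


def digest_of(elem: ET.Element) -> str:
    """<DigestValue> = base64(SHA-256(c14n(referenced element))). Unkeyed: anyone can recompute it."""
    return _b64(hashlib.sha256(_c14n(elem)).digest())


def sign(soap_xml: str, ref_id: str, key: bytes) -> str:
    """Add a <ds:Signature> whose single <ds:Reference> points at #ref_id inside the same document."""
    root = ET.fromstring(soap_xml)
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_20)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + ref_id)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_of(_find_by_id(root, ref_id))
    # The keyed step (solution 1): SignatureValue = HMAC(key, c14n(SignedInfo)).
    mac = hmac.new(key, _c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _b64(mac)
    header = ET.Element(f"{{{SOAP}}}Header")       # simplification: no wsse:Security wrapper
    header.append(sig)
    root.insert(0, header)
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml: str, key: bytes) -> bool:
    """Check the keyed SignatureValue first, then every Reference digest against the live document."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f".//{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if si is None:
        return False
    expected = _b64(hmac.new(key, _c14n(si), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig.findtext(f"{{{DS}}}SignatureValue") or ""):
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):                # external references are out of scope here
            return False
        try:
            target = _find_by_id(root, uri[1:])
        except KeyError:
            return False
        if digest_of(target) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False
    return True


def forge_attempt(signed_xml: str, new_rooms: str) -> str:
    """The slide's Mallory scenario: swap the signed content and refresh the unkeyed DigestValue.
    Without the key the SignatureValue cannot be refreshed, so verify() rejects the result."""
    root = ET.fromstring(signed_xml)
    root.find(f".//{{{PARTNER}}}rooms").text = new_rooms
    ref = root.find(f".//{{{DS}}}Reference")
    ref.find(f"{{{DS}}}DigestValue").text = digest_of(_find_by_id(root, ref.get("URI")[1:]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"               # constructed demo key
    signed = sign(SOAP_REQUEST, "Body-1", KEY)
    print(verify(signed, KEY))                        # True
    print(verify(forge_attempt(signed, "300"), KEY))  # False: HMAC over SignedInfo no longer matches
    print(verify(signed, b"some-other-key"))          # False: wrong key
```

The order of checks in verify() is deliberate: the SignatureValue is checked before any Reference is dereferenced, so a message whose SignedInfo was altered is rejected before the verifier touches the referenced content. A plain digest check on its own would accept Mallory's substituted pair, which is exactly the problem the quick-review slide raises; the HMAC over SignedInfo is what solution (1) adds.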