CPE4004-01-2007-10 -WebServicesCriticalView
8/14/2019 CPE4004-01-2007-10 -WebServicesCriticalView 1/33
4/12/2006 Lecture 9 - Web Services, SOAP, security

CPE4004 Lecture 9: Web Services, SOAP, Security

What we have now?
- Web site, web apps
- SOAP
- JAX-WS
- XML-Object mapping
- Security
Web application vs Web site
- Web site: static content, no business logic, mostly dealing with presentation issues.
- Web application: the modelling focus is on capturing business dynamics; it implements business logic and changes the state of the business objects; it needs a clear separation of endpoint implementation from presentation; dynamic content is delivered.
- Methodology to develop web apps: the Relationship Management Methodology is often used. It aims at reducing the development and maintenance cost of such sites with intensive DB-driven processing over the Internet. Always think about security.
- A web service is not a web application or a web site: it uses web components to manipulate views on data. Security is important; carefully design the service interface, the interaction (conversation) and the endpoint.
UML provides stereotypes
- Client side of a web page: an HTML-formatted document with some JavaScript or scriptlets. This is a class with additional dynamic behaviour; use a stereotype to model the client page as a boundary class rendered by a browser.
- HTML form: a class stereotyped as a collection of input fields that are part of a client page.
- Relationships: link, build (page), redirect, forward, etc.
- Server side of a web page: the behaviour of a server-side page is different from that of the client-side page. It is a class too; it is created by some server programs (servlets) and delivers dynamic content. Use a stereotype to model it.
Web Service revisited
- A Web Service is its Contract. In this contract we define: the name and other properties of the service, the operations it supports, and the messages accepted and sent by the operations.
- Together with the Binding of the service, this makes an Endpoint, i.e. something we can point a client at.
- For SOAP services, the contract is defined in a WSDL definition. It refers to an XSD schema that defines the messages of the operations.
- The most common way to create a WSDL document is to generate it by the SOAP stack. This is called contract-last development.
- When you start with the WSDL and schema, and create the server-side stubs afterwards, that is contract-first development.
Web Service characteristics
- Components and platforms: based on XML documents passed between the client and server, mapped to programs (Java classes), objects or databases.
- The XML document is passed to the other application as a message. The format of this message is defined by some standard. The message must be validated against some business rules (e.g. in XSD).
- A web service is exposed as an interface and provides a gateway to the back-end application, which is running some DB.
- Different platforms for implementation; different mechanisms and vendors: JAXB, JAXP, JAX-WS, AXIS, instant WS, etc.
Java SOAP stack
- JAX-RPC and SOAP: a valid SOAP message is a well-formed XML document.
- SOAP defines a set of rules to be used for simple one-way messaging, but is particularly useful for Remote Procedure Call (RPC) request-response dialogues.
- It is not tied to any particular operating system, client or server, or any language, as long as they can formulate and understand SOAP.
- It is an important building block for developing distributed applications that use web services over an intranet or the Internet.
SOAP in Action
- The SOAP developer's approach to such a problem is to encapsulate the service in a method in C, VB, Java etc., then set up a process that listens for requests to the service; such requests are in SOAP format and contain the request for service and its parameters.
- TempPhoneNo can be repeated; we do not know how many of them are stored.
- What about just calling a stored procedure on a DB? Complex data cannot be used as parameters or returns from stored procedures.
- We cannot use JDBC since we do not know how many TempPhoneNo records exist.

    // WS call:
    String[] getEmployeeDetails(int employeeNum);

    // Return message contains:
    class EmployeeDetails {
        String empName;
        String phoneNO;
        TempPhoneNo[] tempPhoneNo;   // zero or more repetitions
    }

    // where there can be many of these:
    class TempPhoneNo {
        int startDate;
        int endDate;
        String phoneNO;
    }
SOAP servlet (diagram; only the title survives in the transcript)
Request
- Example request message (markup not preserved in the transcript; only the parameter value 1016577 survives).
- SOAP message syntax: a valid SOAP message is a well-formed XML document composed of the following elements:
  - XML declaration
  - SOAP Envelope
  - SOAP Header
  - SOAP Body
  - Service name
  - Method tag
  - Parameter tag
Response
- Example response message (markup not preserved in the transcript; only the values "My name" and "+1-212-7370194" survive).
- Array structure
// nested alternate temp phone numbers are added in this message:
// ---------------------------------------------------------------------------
(markup not preserved in the transcript; the values, in message order, are:)
- Bill XXXXXX, +1-212-7370194
- 37060, 37064, +1-515-2887505
- 37074, 37078, +1-516-2890033
- 37088, 37092, +1-212-7376609
Validation and namespaces
- Validation: the message is received in serialized form. There is no validation performed of how many times the TemporaryPhoneNumber has been encoded. Extra code has to be written to validate the number of repetitions. The validation will consume time and memory: a security hole.
- Namespaces: each node in an XML message can be attached to a namespace.
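As an added example (not from the lecture), the following Python uses a streaming expat parser to count the TempPhoneNo repetitions inside a constructed EmployeeDetails response, matching elements by namespace plus local name and aborting as soon as a cap is exceeded, so an oversized list is rejected before it costs the memory and time the slide warns about. The employee namespace urn:example:employee and the sample message are assumptions.

```python
import xml.parsers.expat

# Constructed sample: the lecture's EmployeeDetails message with two
# TempPhoneNo repetitions, in an assumed employee namespace.
EMP_NS = "urn:example:employee"
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:emp="urn:example:employee">
  <soap:Body>
    <emp:EmployeeDetails>
      <emp:empName>Bill XXXXXX</emp:empName>
      <emp:phoneNO>+1-212-7370194</emp:phoneNO>
      <emp:TempPhoneNo><emp:startDate>37060</emp:startDate>
        <emp:endDate>37064</emp:endDate><emp:phoneNO>+1-515-2887505</emp:phoneNO></emp:TempPhoneNo>
      <emp:TempPhoneNo><emp:startDate>37074</emp:startDate>
        <emp:endDate>37078</emp:endDate><emp:phoneNO>+1-516-2890033</emp:phoneNO></emp:TempPhoneNo>
    </emp:EmployeeDetails>
  </soap:Body>
</soap:Envelope>"""


class RepetitionLimitExceeded(Exception):
    pass


def count_repetitions(xml_text, local_name, namespace, max_count):
    """Count <namespace:local_name> elements with a streaming parser.

    expat is told to report names as "namespace<sep>local", so a
    TempPhoneNo in some other namespace is not mistaken for ours, and
    parsing stops the moment the cap is exceeded, before the whole
    message has been buffered or unmarshalled.
    """
    sep = " "
    wanted = f"{namespace}{sep}{local_name}"
    parser = xml.parsers.expat.ParserCreate(namespace_separator=sep)
    seen = 0

    def on_start(name, attrs):
        nonlocal seen
        if name == wanted:
            seen += 1
            if seen > max_count:
                raise RepetitionLimitExceeded(
                    f"more than {max_count} {local_name} elements")

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)   # exceptions from the handler propagate here
    return seen


def validate_temp_phone_numbers(xml_text, max_count=10):
    """Return (ok, count); ok is False when the repetition cap was exceeded."""
    try:
        return True, count_repetitions(xml_text, "TempPhoneNo", EMP_NS, max_count)
    except RepetitionLimitExceeded:
        return False, max_count
```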
Binding XML elements to Java classes
- Java inheritance: we can change some existing semantics with inheritance, and the subclass would allow us to add methods and add attributes.
- Java derives new types by extending the capabilities of parent classes.
- In XSD schema:
Mapping XML names to Java identifiers
- Not all XML names can be used as Java identifiers: XML names can use even ".", or "String"; this is not allowed in Java.
- We need to perform a non-trivial mapping to accommodate the greater range of XML names.
- Package names are often derived from the namespace URL.
- The problem: with each new version of Java these mappings must be revisited, and possible changes are made to the validation and identifier mappings.
Restrictions on values: example
- There is no simple mapping into Java classes.
Enumerations
1) The value should not be a reserved word (null).
2) Java 5 generates a set of identifiers, one for each value in the enumeration set, showing the position in the set. Therefore, the value identifiers are lost. Code has to be written to detect any changes in position and value identifiers.
Unportable types
- Some Java types are unportable: java.util.Hashtable.
- Some types may have a different meaning in other languages: java.util.Calendar could be interpreted in .NET as date/time. It should be sent as xsd:dateTime. What happens if client and server are in different time zones?
Serializing objects
- XML is a hierarchical data structure: typically trees or lists.
- Java classes may form a cyclic graph of references.
- Mapping into XML requires the cycle to be recognized and treated accordingly by the mapper.
Fault processing
- The Web Service protocols imply that the application is making calls across network boundaries. As such, you must be prepared to handle any network-related errors that occur.
- As the Web Service interface is based on a Java remote interface, any client code must catch and handle java.rmi.RemoteException. A RemoteException will be generated in response to any unhandled runtime exceptions that occur. Such exceptions are mapped to SOAP fault elements that are included in the body of the response from the server.
- Domain exceptions (for example, InvalidProductCodeException) should appear on your Web Service remote interfaces. These exceptions are defined in the service WSDL as fault elements. Such fault elements are marshaled back to the client in the SOAP message that forms the response from the server. For a Java client, the exception will be regenerated in its original form and rethrown.
- A Java exception is a complex type, so the JAX-RPC runtime must be able to marshal and unmarshal at least some of its contents (such as its message). Therefore, exceptions must conform to certain rules to be successfully passed. These rules are similar to those for JavaBeans and are defined in section 5 of the JAX-RPC specification (JSR 101).
Fault processing (example SOAP fault; markup not preserved in the transcript, values in message order)
- soap:MustUnderstand (faultcode)
- Mandatory Header error (faultstring)
- http://www.wrox.com/heroes/endpoint.asp
- endpoint.asp
- 203
SOAP Fault message structure
- faultcode element:
  - VersionMismatch: this value indicates that the namespace of the SOAP Envelope element was not http://schemas.xmlsoap.org/soap/envelope/.
  - MustUnderstand: this value is returned in a faultcode element when the endpoint encounters a mandatory Header element entry that it does not recognize.
  - Client: this value should be used in the faultcode element when a problem is found in the message that was received.
  - Server: in contrast to the Client fault code, Server indicates that a problem occurred during processing that was not directly related to the content of the message. An example of this type of fault would be that the database used by the endpoint to return information is down.
- faultstring element: contains a string value that briefly describes the fault that occurred, in a way that would make sense if it were displayed to the user in an error dialog. That is not to suggest that it could not be technical in nature.
- faultactor element: where the error occurred. This is especially true in systems that involve SOAP intermediaries. If a message must pass through a dozen endpoints before it can reach its final destination for payload processing, the developer needs to know at what point on the message routing chain an error occurred. The faultactor element is a placeholder for that type of information; it contains a URI that identifies the endpoint where the fault originated.
- detail element: additional information relevant to the fault.
Fault processing in JAX-RPC
- In SOAP Web services a fault flows from the server to the client in the form of a SOAP fault. A SOAP fault consists of a faultcode, a faultstring, and an optional faultactor and detail.
- The JAX-RPC specification defines various rules about how to map from a Java exception to a SOAP fault (server side) and from the SOAP fault back to the Java exception (client side). There are four types of exceptions that can be thrown from the server:
  - java.rmi.RemoteException
  - java.lang.RuntimeException
  - javax.xml.rpc.soap.SOAPFaultException (a special subclass of RuntimeException)
  - a checked, user-defined exception (mapped from the WSDL's wsdl:fault construct)
- Client side:
  - java.rmi.RemoteException
  - javax.xml.rpc.soap.SOAPFaultException
  - a checked, user-defined exception
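Added example, not part of the lecture: Python that builds a SOAP 1.1 fault on the server side and, on the client side, maps the faultcode and any declared fault carried in the detail element to the exception categories listed above. The exception class names and the InvalidProductCodeException detail element are assumptions modelled on the lecture's own example names.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)


class SoapFault(Exception):
    """A SOAP 1.1 fault: faultcode, faultstring, optional faultactor and detail."""
    def __init__(self, code, string, actor=None, detail=None):
        super().__init__(string)
        self.code, self.string, self.actor, self.detail = code, string, actor, detail


class ClientFault(SoapFault):
    """Client, VersionMismatch, MustUnderstand: the message itself is wrong."""


class ServerFault(SoapFault):
    """Server: processing failed for reasons unrelated to message content."""


class InvalidProductCodeFault(SoapFault):
    """Checked, user-defined exception declared as a wsdl:fault (assumed name)."""


def build_fault(code, string, actor=None, detail_tag=None, detail_text=None):
    """Server side: serialise a SOAP 1.1 fault envelope."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    # faultcode/faultstring/faultactor/detail are unqualified; the code is a QName
    ET.SubElement(fault, "faultcode").text = f"soap:{code}"
    ET.SubElement(fault, "faultstring").text = string
    if actor:
        ET.SubElement(fault, "faultactor").text = actor
    if detail_tag:
        ET.SubElement(ET.SubElement(fault, "detail"), detail_tag).text = detail_text
    return ET.tostring(env, encoding="unicode")


def parse_fault(xml_text):
    """Client side: return the exception a response should raise, or None."""
    root = ET.fromstring(xml_text)   # assumes the message already passed XML filtering
    fault = root.find(f"{{{SOAP_ENV}}}Body/{{{SOAP_ENV}}}Fault")
    if fault is None:
        return None
    code = fault.findtext("faultcode", "").split(":")[-1]   # drop the prefix
    string = fault.findtext("faultstring", "")
    actor = fault.findtext("faultactor")
    detail = fault.find("detail")
    first = detail[0] if detail is not None and len(detail) else None
    # a declared wsdl:fault comes back as a named element inside detail
    if first is not None and first.tag == "InvalidProductCodeException":
        return InvalidProductCodeFault(code, string, actor, first.text)
    text = first.text if first is not None else None
    cls = ServerFault if code == "Server" else ClientFault
    return cls(code, string, actor, text)
```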
SOAPFaultException
- A special RuntimeException: javax.xml.rpc.soap.SOAPFaultException. SOAPFaultException is more descriptive than a RuntimeException and dictates the exact SOAP fault message which flows to the client. It means that whoever throws this fault, whether the runtime or the application, controls the SOAP fault response.
- Therefore, how to map the SOAP fault to an appropriate exception really depends on the content of the SOAPFaultException; it may be mapped to SOAPFaultException, RemoteException or even a checked user exception.
- SOAPFaultException is often used by JAX-RPC handlers. A JAX-RPC application itself normally should avoid throwing SOAPFaultException.
RuntimeException
- When a problem occurs in a server-side JAX-RPC runtime which results in a RuntimeException (for example, NullPointerException), that exception will propagate back to the client, but it will do so as a SOAP fault.
- The client runtime will map the SOAP fault to either RemoteException or SOAPFaultException.
- Therefore, a service endpoint should not throw a RuntimeException expecting the client to always catch that RuntimeException, because the client may receive a RemoteException instead.
WSDL Fault message
- This message is referenced by wsdl:fault; only a single message part is allowed. It could refer to a simple type or a complex type.
- If the part element has a type attribute, we can tell whether it is simple (for example, xsd:int, xsd:string, etc.) or complex.
- If the part element has an element attribute, then you have to step to the element to see whether the type is simple or complex. This type of mapping is more complex and should be handled during the analysis.
Transfer of large files and portability
- The problems with large files: multithreading can keep the GUI responsive; however, a progress bar would be difficult to code in a multithreaded environment.
- Portability: it is known only after deployment. No warnings are issued prior to deployment, e.g. IDL compile errors (there is no IDL).
- The classes often are changed, and the changes may not be reflected in the WSDL. Then the service may perform different functions than the client expects.
Security problems
- WS are said to be a hackers' paradise.
- Characteristics of threats:
  - Actor
  - Source of attack
  - Input: XML documents
  - Output
  - Component attacked
XML/SOAP manipulation
- Coercive parsing: refers to a number of XSD schemas; they often point to some repositories. XML messages can be made too difficult to parse, so that parsing consumes too much memory and time (DoS). Malicious mobile code can be inserted.
- Blind XPath injection attack: allows querying an XML document, e.g.

    string(//user[name/text()='jjj' and password/text()='hhh']/account/text())
    if (account == {not found}) ... else {all fine}

  Inject the user name as 1=1 or = and you get the first account number.
- Jumbo payloads: DoS.
- Recursive elements in the XML document: also DoS.
- Entity expansion attacks: recursive entity declarations in the XML document header, with the rest of the document referring to them; DoS.
- Long element names: DoS.
- XML flood: many messages per second.
- Entities referring to the file system: the reference is expanded during processing; an open door to access repositories.
- Parameter tampering: instructions on how to use parameters are in the WSDL. An attacker can try to use special characters to extract information, or embed a command line that creates a command shell and executes.
XML/SOAP manipulation cont.
- Schema poisoning: the XSD schema provides the information on how to process the XML docs. The schema can be compromised or even replaced in its location; the location can be read from the SOAP message.
- WSDL scanning: it allows the attacker to guess other unexposed methods. Exposed method: getQuote(); hidden method: tradeStock().
- Dictionary attacks: guessing a password or user name.
- Replay attack: repetitive SOAP message requests are used to overload the service. From the TCP/IP header you can read IP addresses; they are not detected since they come from a valid IP and are well formed.
- SQL injections: SQL contains native separators or pipes (";" is one), so commands can be attached to execute repetitively native stored procedures or other SQL commands.
- Message snooping: use the SOAP routing header to access internal Web services (see next page).
SOAP routing header
- Routing is a process of delivering messages through a series of nodes or intermediaries. Each intermediary not only provides a message delivery channel, but may also provide value-added services such as logging, auditing and validation.
- Routing is an essential part of distributed computing, and will play an important role in multi-party message exchanges.
- WS-Routing is a protocol that defines how SOAP messages can be delivered using various transports. Routing information is carried from one intermediary to another inside the SOAP header element. WS-Routing, thus, can be understood as an extension to SOAP.
SOAP Header example (WS-Routing header; markup not preserved in the transcript, only the values survive)
- http://services.xmethods.net:80/soap/servlet/rpcrouter
- 3cf74010-e395-11d5-a2d9-00a0246e4ce3
- http://www.whitemesa.net/interop/std/multihop
- http://www.4s4c.com/services/log.ashx
- http://soapclient.com/SoapRouter
What can we do about security of WS?
- Caller authentication.
- XML Signature: recommendation from W3C.
- XML Encryption: applying new standards.
- SAML: Security Assertion Markup Language.
- Best practices in coding and low-level security: SSL and VPN.
- Implement XML filtering: rules for message size, content, variables.
- Mask internal resources: Network Address Translation (NAT); use an XML proxy to rewrite URLs; check the frequency of connections for consumers.
- Validate all messages: well-formed, and use a validating parser.
- Sign all messages; timestamp all messages; use encryption for message fields.
- XML attacks: watch for integrated XLink and other pointers to URLs in the application.
- Session theft: a session ID is generated, and listening to an unencrypted conversation could hijack a session.
- DoS attacks: authenticate long requests; use a watchdog thread to track long execution times.
- Disguise the type of service (e.g. Axis).
- Do not show the WSDL file; use e-mail to send it to the consumer.
- With servlets: use filters to filter long files, validate IP, check caller credentials.
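The XML filtering and "validate all messages" points above, together with the jumbo payload, deep recursion, long element name and entity expansion attacks from the earlier slide, as an added example that is not from the lecture: a Python pre-parser that enforces size, depth, element-count and element-name-length rules and refuses any DOCTYPE, which is where entity declarations and file-system entity references enter. The limits and the constructed sample request are assumptions.

```python
import xml.parsers.expat


class XmlRejected(Exception):
    """Raised with a short reason when an inbound message breaks a filter rule."""


class XmlFilter:
    """Streaming structural checks to run before the SOAP stack's full parser
    and XML-to-object mapper see the message. Limits are assumptions."""

    def __init__(self, max_bytes=64 * 1024, max_depth=32,
                 max_elements=5000, max_name_len=64):
        self.max_bytes, self.max_depth = max_bytes, max_depth
        self.max_elements, self.max_name_len = max_elements, max_name_len

    def check(self, data):
        """Return the element count, or raise XmlRejected."""
        if len(data) > self.max_bytes:
            raise XmlRejected("jumbo payload")
        depth = count = 0
        parser = xml.parsers.expat.ParserCreate()

        def on_doctype(name, sysid, pubid, has_internal_subset):
            # Any DOCTYPE is refused: entity declarations (expansion bombs) and
            # external entities (file system references) can only be made there.
            raise XmlRejected("DOCTYPE not allowed")

        def on_start(name, attrs):
            nonlocal depth, count
            count += 1
            depth += 1
            if count > self.max_elements:
                raise XmlRejected("too many elements")
            if depth > self.max_depth:
                raise XmlRejected("nesting too deep")
            if len(name) > self.max_name_len:
                raise XmlRejected("element name too long")

        def on_end(name):
            nonlocal depth
            depth -= 1

        parser.StartDoctypeDeclHandler = on_doctype
        parser.StartElementHandler = on_start
        parser.EndElementHandler = on_end
        try:
            parser.Parse(data, True)   # XmlRejected from a handler propagates
        except xml.parsers.expat.ExpatError as err:
            raise XmlRejected(f"not well-formed: {err}") from None
        return count


def verdict(data, flt=None):
    """'accepted' or the rejection reason, suitable for the XML proxy's log."""
    try:
        (flt or XmlFilter()).check(data)
        return "accepted"
    except XmlRejected as err:
        return str(err)


# Constructed sample: the lecture's getEmployeeDetails request as a SOAP body.
GOOD_REQUEST = (b'<?xml version="1.0"?>'
                b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soap:Body><getEmployeeDetails><employeeNum>1016577</employeeNum>'
                b'</getEmployeeDetails></soap:Body></soap:Envelope>')
```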