SOA Tag Geuer Pollmann WS Security
of 14
-
Upload
sai-krishna -
Category
Documents
-
view
220 -
download
0
Embed Size (px)
Transcript of SOA Tag Geuer Pollmann WS Security
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
1/14
SOA-Tag Koblenz 28. September2007
Dr.-Ing. Christian Geuer-PollmannEuropean Microsoft Innovation Center
Aachen, Germany
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
2/14
WS-FooBar Buchstabensuppe
WS-Addressing
WS-Addressing
SOAP
MTOM
WS-Enumeration
WS-Eventing
WS-Trust
WS-BusinessActivity
WSDL
WS-Policy
XML
Namespaces
InfoSet
WS-Management
BPEL4WS
WS-I
XPath
WS-*
SecPAL
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
3/14
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
4/14
XML Core XML eXtensible Markup Language Namespaces Binding elements and attributes
to a URI
DOM Document Object Model XPath Addressing parts of an XML document XML Information Set (Info Set) XML Data
model XML Schema Describes schemas for XML
documents
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
5/14
XML Security XML Signature Signature expressed in XML
Signature can cover both XML and non-XML Canonicalization (c14n) turns XML into octets (for
digest) Exclusive C14n fixes problems in C14n XML Signature introduces transforms
C14n is a transform XPath and XSLT are others
XML Encryption Encrypting XML Encrypting non-XML (but key is XML)
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
6/14
XML Signature
signaturevaluemessage
authentication code function
digital signaturefunction
private key
secret key
hash value 1
address 1
digest methodalgorithmI D 1
digest methodalgorithmI D 2
address 2
description of transformations 2
hash value 2
digest methodalgorithmI D n
address n
description of transformations n
hash value n
data item1
address of data item1 hash function
data item2
address of data item2 transformations hash function
data itemn
address of data itemn transformations hash function
signature methodalgorithmID
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
7/14
SOAP Messaging SOAP Simple Object Access
Protocol SOA Service-oriented
Architecture WS-Addressing SOAP headers
for addressing messages andservices
MTOM Message TransmissionOptimization Mechanism(Attachments for SOAP)
XOP XML-binary optimizedpackaging (reduce base64-bloat)
WS-Eventing Pub/submodel
WS-Transfer Accessing
XML representations ofresources (GET, PUT andDELETE for WS-*)
WS-Enumeration
Accessing large collections
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
8/14
A SOAP message
http://www.contoso.com/Service/Simulate.ashx
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://contoso.com/Simulate urn:uuid:c1f3be56 ... Here is the XML for the service
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
9/14
Metadata WSDL Web Services
Description Language(Endpoints, Methods andParameters)
WS-Policy Just a groupingconstruct (AND and OR) forpolicy assertions
WS-PolicyAttachment BindWS-Policy to WSDL and UDDI
WS-MetadataExchange (MEX) Bootstrap to download
metadata (such as WS-Policyand WSDL)
WS-SecurityPolicy
Communications securityrequirements for a service
WS-PolicyAssertions Language settings etc.
WS-Discovery Multicastdiscovery protocol for LAN
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
10/14
Reliable messaging & Transactions
WS-ReliableMessaging The TCP of SOAP
In-order delivery No lost messages Recipient
acknowledgements
WS-Coordination Defines message patterns
for multi-partycooperation
WS-AtomicTransaction Builds on WS-Coordination
Defines message patternsfor ACID transactions
WS-BusinessActivity Builds on WS-Coordination Supports long running
activities
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
11/14
Security Transport level vs.
message security SSL WS-Security Sign and
encrypt SOAP messages
Both header and body How? See WS-SecPol
WS-SecurityPolicy Retrieve what a service
expects WS-SecureConversation
(SSL for SOAP) Negotiate and manage a
session key
WS-Security Tokens X.509 certificates Username / password Kerberos (for Intranet)
SAML (cross-organizationally) SecPAL authorization
WS-Trust A security token service
(STS) issues, validates,renews and cancels securitytokens
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
12/14
A protected message
http://localhost/STSClient/STSX509.ashx http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue urn:uuid:6a1d3e0c-c665-486b-943c-2c994597ff13
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
2007-09-27T21:11:07Z 2007-09-27T21:16:07Z MIIB2DCCAUWgAwIBAgIBBDAJBgUrD....8= CN=EMIC SAFe CA 2 M5L/7....
HSqkTgHz1DmZQQt/KVxzWVMmpjA=
HGrSh0SUQgp....
qT9APGutRN1fBaXDfla HTpbQMT...
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
13/14
WS-Federation sample
A c c o u n t S T S
A u t h Z S T S
F e
d e r a t i o n
S T S
S e r v i c e
2
1
3
4
5
6
1. Client fetches
service policy2. Client fetches
FedSTS policy3. Client requests
ID token4. Client requests
Fed token5. Client invokes
service6. (Service may
ask for authzdecision)
Fetch policy using WS-MetadataExchange Request security tokens using WS-Trust Protect messages using WS-Security
-
8/13/2019 SOA Tag Geuer Pollmann WS Security
14/14
