SOA Tag Geuer Pollmann WS Security

8/13/2019 SOA Tag Geuer Pollmann WS Security

1/14

SOA-Tag Koblenz 28. September2007

Dr.-Ing. Christian Geuer-PollmannEuropean Microsoft Innovation Center

Aachen, Germany


2/14

WS-FooBar Buchstabensuppe

WS-Addressing

WS-Addressing

SOAP

MTOM

WS-Enumeration

WS-Eventing

WS-Trust

WS-BusinessActivity

WSDL

WS-Policy

XML

Namespaces

InfoSet

WS-Management

BPEL4WS

WS-I

XPath

WS-*

SecPAL


3/14


4/14

XML Core XML eXtensible Markup Language Namespaces Binding elements and attributes

to a URI

DOM Document Object Model XPath Addressing parts of an XML document XML Information Set (Info Set) XML Data

model XML Schema Describes schemas for XML

documents


5/14

XML Security XML Signature Signature expressed in XML

Signature can cover both XML and non-XML Canonicalization (c14n) turns XML into octets (for

digest) Exclusive C14n fixes problems in C14n XML Signature introduces transforms

C14n is a transform XPath and XSLT are others

XML Encryption Encrypting XML Encrypting non-XML (but key is XML)


6/14

XML Signature

signaturevaluemessage

authentication code function

digital signaturefunction

private key

secret key

hash value 1

address 1

digest methodalgorithmI D 1

digest methodalgorithmI D 2

address 2

description of transformations 2

hash value 2

digest methodalgorithmI D n

address n

description of transformations n

hash value n

data item1

address of data item1 hash function

data item2

address of data item2 transformations hash function

data itemn

address of data itemn transformations hash function

signature methodalgorithmID


7/14

SOAP Messaging SOAP Simple Object Access

Protocol SOA Service-oriented

Architecture WS-Addressing SOAP headers

for addressing messages andservices

MTOM Message TransmissionOptimization Mechanism(Attachments for SOAP)

XOP XML-binary optimizedpackaging (reduce base64-bloat)

WS-Eventing Pub/submodel

WS-Transfer Accessing

XML representations ofresources (GET, PUT andDELETE for WS-*)

WS-Enumeration

Accessing large collections


8/14

A SOAP message

http://www.contoso.com/Service/Simulate.ashx

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

http://contoso.com/Simulate urn:uuid:c1f3be56 ... Here is the XML for the service


9/14

Metadata WSDL Web Services

Description Language(Endpoints, Methods andParameters)

WS-Policy Just a groupingconstruct (AND and OR) forpolicy assertions

WS-PolicyAttachment BindWS-Policy to WSDL and UDDI

WS-MetadataExchange (MEX) Bootstrap to download

metadata (such as WS-Policyand WSDL)

WS-SecurityPolicy

Communications securityrequirements for a service

WS-PolicyAssertions Language settings etc.

WS-Discovery Multicastdiscovery protocol for LAN


10/14

Reliable messaging & Transactions

WS-ReliableMessaging The TCP of SOAP

In-order delivery No lost messages Recipient

acknowledgements

WS-Coordination Defines message patterns

for multi-partycooperation

WS-AtomicTransaction Builds on WS-Coordination

Defines message patternsfor ACID transactions

WS-BusinessActivity Builds on WS-Coordination Supports long running

activities


11/14

Security Transport level vs.

message security SSL WS-Security Sign and

encrypt SOAP messages

Both header and body How? See WS-SecPol

WS-SecurityPolicy Retrieve what a service

expects WS-SecureConversation

(SSL for SOAP) Negotiate and manage a

session key

WS-Security Tokens X.509 certificates Username / password Kerberos (for Intranet)

SAML (cross-organizationally) SecPAL authorization

WS-Trust A security token service

(STS) issues, validates,renews and cancels securitytokens


12/14

A protected message

http://localhost/STSClient/STSX509.ashx http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue urn:uuid:6a1d3e0c-c665-486b-943c-2c994597ff13

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

2007-09-27T21:11:07Z 2007-09-27T21:16:07Z MIIB2DCCAUWgAwIBAgIBBDAJBgUrD....8= CN=EMIC SAFe CA 2 M5L/7....

HSqkTgHz1DmZQQt/KVxzWVMmpjA=

HGrSh0SUQgp....

qT9APGutRN1fBaXDfla HTpbQMT...


13/14

WS-Federation sample

A c c o u n t S T S

A u t h Z S T S

F e

d e r a t i o n

S T S

S e r v i c e

2

1

3

4

5

6

1. Client fetches

service policy2. Client fetches

FedSTS policy3. Client requests

ID token4. Client requests

Fed token5. Client invokes

service6. (Service may

ask for authzdecision)

Fetch policy using WS-MetadataExchange Request security tokens using WS-Trust Protect messages using WS-Security


14/14

SOA Tag Geuer Pollmann WS Security

Documents

Transcript of SOA Tag Geuer Pollmann WS Security