Presentation is loading. Please wait.

Presentation is loading. Please wait.

WS-PolicyNegotiate A Web Service Standard for Policy Negotiation by Nicholis Bufmack.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "WS-PolicyNegotiate A Web Service Standard for Policy Negotiation by Nicholis Bufmack."— Presentation transcript:

1 WS-PolicyNegotiate A Web Service Standard for Policy Negotiation by Nicholis Bufmack

2 Overview of the Problem Web services need to be protected from malicious attacks. This has led web service providers to create security policies that they then implement to protect the service. However, in some instances, details of the security policy may need to be negotiated between the web service provider and the web service requester. In this instance, a protocol for web service negotiation is needed.

3 Example Scenario A defense contractor wishes to access a web service that normally provides only a password level of access control. The defense contractor, however, wishes for a higher level of security (for instance, biometric authentication). How does one go about negotiating the higher levels of security required by the service consumer?

4 Benefits from Policy Negotiation Service providers can reach a larger market by creating services for customers with diverse security needs. Customers can tailor their service consumption to account for their own security needs. By providing only what is required for a transaction, greater efficiency can be achieved.

5 What is a Web Service? Web services are a standardized way of integrating web based applications using XML, SOAP, WSDL, and UDDI over an Internet protocol back-bone (typically, HTTP/S). UDDI is used to describe what services are available, WSDL is used to describe the service, and SOAP is used to transfer data. Services are provided through a programmatic interface across the network.

6 SOAP Exchanges messages over HTTP/S using XML. http://www.w3.org/2001/12/soap- envelope

7 WS-* WS (Web Service) standards for web services. Proposed by members of the W3C (World Wide Web Consortium). Deal with the numerous aspects relating to providing and consuming web services. Examples are WS-Addressing, WS-Security, WS- Reliability, and WS-Policy. Each details a namespace within a SOAP XML document. Currently no proposed protocol for policy negotiation.

8 WS-Policy Specification used by web service providers to advertise their policies and for web service consumers to specify their policy requirements. Example policies specified are security and quality of service. Represents a set of specifications describing the capabilities and constraints of policies on intermediaries and end points and how to associate policies with services and endpoints. Forms the basis of WS-PolicyNegotiate.

9 WS-Policy (cont.): Components Policy Assertions form the basis of WS-Policy. Builds upon the other WS-* proposals (via namespace inclusions). They are requirements put upon the web service. Two major operators are defined: wsp:ExactlyOne – one node (policy) must be satisfied wsp:All – every node must be satisfied (the default)‏

10 WS-Policy (cont.): Basic Structure

11 <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility- 1.0.xsd" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token- profile-1.0#UsernameToken wsp:Body() http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile- 1.0#X509v3 wsp:Body()

12 Policy Negotiation Requirements The security policies to be negotiated must be clear and identifiable. The consumer may negotiate any subset of the policies within the policy. The consumer will initiate policy negotiation. Negotiation may be terminated be either party at which point the associated web service may not proceed.

13 Satisfying The Requirements All policies to be negotiated must refer to a policy described within a WS-Policy policy document. All policies within WS-Policy nodes may be negotiated. A failure of any sub-node will result in a failed assertion. Likewise, a successful negotiation of all sub-nodes will lead to a positive assertion for that policy. The consumer will submit a request for negotiation and the provider will respond with a response message. This will continue until the negotiation is successful or fails. The advertisement of policies will follow WS-Attachment and reside within the WSDL.

14 Stages Prior to Web Service Execution

15 Security Policy Negotiation Entities

16 Security Policy Negotiation Steps

17 WS-PolicyNegotiate: Namespaces wspn refers to the WS-PolicyNegotiation namespace wsp refers to the WS-Policy namespace (http://schemas.xmlsoap.org/ws/2002/12/policy)‏http://schemas.xmlsoap.org/ws/2002/12/policy Others would be referred to in the WS-* specification within the applicable WS-Policy named policy.

18 WS-PolicyNegotiate: Overview xs:NCname xsd:AnyType

19 WS-PolicyNegotiate: Basic Elements wspn:PolicyNegotiate id – a unique string identifying this policy negotiation wspn:Name – an optional string containing a human-readable reference to this negotiation wspn:Initiator – any type referring to the initiator of the this part of the policy negotiation wspn:Responder – any type referring to the responder to the initiator of the policy negotiation wspn:Context – a complex type containing the policy negotiation; id is a unique identifier

20 WS-PolicyNegotiate: The Responder and Initiator The initiator always starts as the consumer. The responder always starts as the service provider. Roles change as the messages are exchanged. This allows the consumer and recipient to keep track of the flow and stages of negotiation. The last message will always be from the provider (as initiator) and the consumer (as the responder). After this last stage, the actual service execution can begin.

21 WS-PolicyNegotiate: Context Complex Type xsd:String

22 WS-PolicyNegotiate: Context Elements wspn:ContextName – an optional human-readable identifier ws:Policy wsu:id – a policy document that represents the initiators or responders policy statement. The id refers to either an included policy or to an external one via a fully qualified name. The policies may be nested or sequenced and may refer to any type or number of policies.

23 How Does This Work? The initiator creates a WS-Policy document describing their proposed policy level. A pre- existing WS-Policy document may also be used. The WS-PolicyNegotiate document is created and sent to the the web service provider. The responder reviews the WS-Policy and responds with either their own WS-Policy or a subset of the initiator's WS-Policy document. This continues with each side changing roles until negotiation has completed.

24 How Does This End? This continues until a responder returns a minimal set acceptable to the both sides. What we're looking for is the intersection of the initiator's and responder's policy requests. This is signaled when one side receives a policy in wspn:Context that is the same as that which they just sent. Services can publish their minimal set of policy requirements subject to negotiation in the service WSDL as WS-PolicyAttachment

25 An Illustrative Example (Part 1)‏ The consumer (as initiator) looks up the provider's WSDL and notes a WS-PolicyAttachement declaring that WS-Security Policies can be negotiated. The consumer then sends a WS- PolicyNegotiate with a WS-Policy requesting to use basic authentication or an X.509 certificate.

26 An Illustrative Example (Part 2)‏ The provider (who is now the initiator) responds with a WS-PolicyNegotiate document containing a WS-Policy document stating that X.509 authentication is available and preferred. Included in the policy is an element stating that this is the only authentication available.

27 An Illustrative Example (Part 3)‏ After receiving this WS-PolicyNegotiate, the consumer (again in the role of initiator), having found this to be acceptable, returns the same WS- Policy within a WS-PolicyNegotiate as an acceptance token.

28 An Illustrative Example (Part 4)‏ The final step has the provider as the initiator sending the consumer's WS-Policy within a WS- PolicyAttachement to the consumer. The consumer, having received its message back as a final indicator of acceptance, begins the processes of connecting to the web service under the terms laid out within the accepted WS-Policy.

29 WS-PolicyNegotiate SOAP Message (Simplified)‏ toys.r.us@fun.com http://www.yeehaw.com/ <wsp:Policy wsu:Id = “AuthenticationPolicy” Note: Not Shown is AuthenticationPolicy. It would follow the format shown in the slide on WS-Policy.

30 Problems with this Approach (More Work to be Done)‏ Would it be better to use a sequence number for flow control? Would it be better to use an ack/nack to indicate policy acceptance? Could elements from WS-Agreement be used to solve this same problem or incorporated within this solution?

31 References Lee, George, “Negotiated Security and Privacy Policies for Web Services”, NCRC 04 Lee, George and Larry Korba, “Negotiated Policies for E-Services and Web Services”, ICWS 05 Specifications for all WS-* can be found at http://www.w3c.org http://www.w3c.org

Download ppt "WS-PolicyNegotiate A Web Service Standard for Policy Negotiation by Nicholis Bufmack."

Similar presentations

Web Service Architecture

Web Service Architecture
MITA Gateway 5010 Overview May 18th 2009.

MITA Gateway 5010 Overview May 18th 2009.
Service Description: WSDL COMP6017 Topics on Web Services Dr Nicholas Gibbins – 2013-2014.

Service Description: WSDL COMP6017 Topics on Web Services Dr Nicholas Gibbins –
WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
1 Understanding Web Services Presented By: Woodas Lai.

1 Understanding Web Services Presented By: Woodas Lai.
Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.

Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)

Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
XML Technologies and Applications Rajshekhar Sunderraman Department of Computer Science Georgia State University Atlanta, GA 30302

XML Technologies and Applications Rajshekhar Sunderraman Department of Computer Science Georgia State University Atlanta, GA 30302
Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.

Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.
Negotiated Privacy and Security Policies for Web Services George Yee (Joint work with Larry Korba) www.iit-iti.nrc-cnrc.gc.ca/personnel/yee_george_e.html.

Negotiated Privacy and Security Policies for Web Services George Yee (Joint work with Larry Korba)
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.

Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.
Module 13: WCF Receive Adapters. Overview Lesson 1: Introduction to WCF Receive Adapters Lesson 2: Configuring a WCF Receive Adapter Lesson 3: Using the.

Module 13: WCF Receive Adapters. Overview Lesson 1: Introduction to WCF Receive Adapters Lesson 2: Configuring a WCF Receive Adapter Lesson 3: Using the.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Similar presentations

Ads by Google