Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Web Services with Apache Rampart/C. 2 Why to secure web services? The world is not nice, as it seems !!!

Published byMillicent Morrison Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure Web Services with Apache Rampart/C. 2 Why to secure web services? The world is not nice, as it seems !!!"— Presentation transcript:

1 Secure Web Services with Apache Rampart/C

2 2 Why to secure web services? The world is not nice, as it seems !!!

3 3 Threats  Common to distributed systems  Specific to web services

4 4 Common threats  Message replays  Identity spoofing  DOS attacks  Message alteration/Integrity  Confidentiality issues

5 5 Threats on web services  Public disclosure UDDI, WSDL  SOAP bound to HTTP/SMTP can easily pass through firewalls  Unpredictable order of service invocation  Less human scrutiny  Limitations of SOAP Origin verification Integrity, confidentiality

6 6 That's why... WS-Security*

7 7 Transport Level Vs Message Level Security

8 8 Why Message Level Security?  Multiple intermediaries Operations to messages Observation  Security even after the safe delivery  Non-repudiation  Secure specific parts of the message ?

9 9 Rampart/C Features  Timestamps  Username Token Profile  X509 Token Profile  SOAP message encryption  SOAP message signature  WS-Security Policy Support  Replay detection

10 10 Overview

11 11 Detailed Architecture

12 12 OMXMLSecurity

13 13 Apache Axis2/C deployment  Client axis2.xml [Engage] policy.xml [Policy]  Service services.xml [Engage + Policy] axis2.xml [Engage : optional]

14 14 Apache Axis2/C deployment

15 15 An Encrypted Message

16 16 Rampart/C usages  WSF/C  WSF/PHP  WSF/Ruby

17 17 Security in WSF/PHP

18 18 Secured WSF/PHP Client 1.Create an array of security properties 2.Creating a policy object populated with the above security property array 3.Creating a WSSecutiyToken object 4.Creating a WSClient object 5.Request

19 19 $rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert'); $pvt_key = ws_get_key_from_file('../keys/alice_key.pem'); $reqMessage = new WSMessage($reqPayloadString, array("to"=>"http://localhost/samples/security/encryption/encrypt_service.php", "action" => "http://php.axis2.org/samples/echoString")); $sec_array = array("encrypt"=>TRUE, "algorithmSuite" => "Basic256Rsa15", "securityTokenReference" => "EmbeddedToken"); $policy = new WSPolicy(array("security"=>$sec_array)); $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" => $rec_cert)); $client = new WSClient(array("useWSA" => TRUE, "policy" => $policy, "securityToken" => $sec_token)); $resMessage = $client->request($reqMessage); PHP Client example

20 20 Secured WSF/PHP Service 1.Create an array of security properties 2.Creating a policy object populated with the above security property array 3.Creating a WSSecutiyToken object 4.Creating a WSService object 5.Reply

21 21 PHP Service example $pub_key = ws_get_cert_from_file("/your/path/to/cert.cert"); $pvt_key = ws_get_key_from_file("/your/path/to/key.pem"); $operations = array("echoString" => "echoFunction"); $sec_array = array("encrypt" => TRUE, "algorithmSuite" => "Basic256Rsa15", "securityTokenReference" => "IssuerSerial"); $actions = array("http://php.axis2.org/samples/echoString" => "echoString"); $policy = new WSPolicy(array("security"=>$sec_array)); $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key, "receiverCertificate" =>$pub_key)); $svr = new WSService(array("actions" => $actions, "operations" => $operations, "policy" => $policy, "securityToken" => $sec_token)); $svr->reply();

22 22 Would Rampart/C be enough?  NO...!!!  There are threats that cannot be addressed by WS-Security* alone e.g. XML bombs, SQL injection  Design your services carefully and use Rampart/C

23 23 What's ahead?  WS-Secure Conversation  WS-Trust  WS-Federation

24 24 Questions?

25 25 More readings...  http://wso2.org/library/2814 http://wso2.org/library/2814  http://wso2.org/library/2917 http://wso2.org/library/2917  http://wso2.org/library/2702

Download ppt "Secure Web Services with Apache Rampart/C. 2 Why to secure web services? The world is not nice, as it seems !!!"

Similar presentations

WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.

Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.
Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group

Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
E-Business Risks Chapter Seven. E-Business Models EDI Web pages The online environment Distributed e-business and intranets Supply chain linkage Collaborative.

E-Business Risks Chapter Seven. E-Business Models EDI Web pages The online environment Distributed e-business and intranets Supply chain linkage Collaborative.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
1 SOA Security Dr. Yuhong Yan. 2 Content Security Issues overview Security for SOA Referece: R. Kanneganti and P. Chodavarapu, “SOA Security”, Manning,

1 SOA Security Dr. Yuhong Yan. 2 Content Security Issues overview Security for SOA Referece: R. Kanneganti and P. Chodavarapu, “SOA Security”, Manning,
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Web Services Seppo Heikkinen MITA seminar/TUT 5.11.2003.

Web Services Seppo Heikkinen MITA seminar/TUT
Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.

Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.

Secure Web Services Akylbek Zhumabayev Rochester Institute of Technologies.
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”
13-Sep-15: 1 Web Services Framework Paper by IBM and Microsoft Andrew Layman, XML Web Services Architect, Microsoft Copyright © 2001 Microsoft Corporation,

13-Sep-15: 1 Web Services Framework Paper by IBM and Microsoft Andrew Layman, XML Web Services Architect, Microsoft Copyright © 2001 Microsoft Corporation,
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
CSC8530 Distributed Systems XML Web Services David Vaglia.

CSC8530 Distributed Systems XML Web Services David Vaglia.
Web Services Week 7 Aims: A detailed look at the underlying mechanisms for communication between web services Objectives: SOAP, WSDL, UDDI.

Web Services Week 7 Aims: A detailed look at the underlying mechanisms for communication between web services Objectives: SOAP, WSDL, UDDI.

Similar presentations

Ads by Google