Secure Web Services with Apache Rampart/C


1 Secure Web Services with Apache Rampart/C

2 Why secure web services? The world is not as nice as it seems!

3 Threats
- Common to distributed systems
- Specific to web services

4 Common threats
- Message replays
- Identity spoofing
- DoS attacks
- Message alteration/Integrity
- Confidentiality issues

5 Threats on web services
- Public disclosure
  - UDDI, WSDL
- SOAP bound to HTTP/SMTP can easily pass through firewalls
- Unpredictable order of service invocation
- Less human scrutiny
- Limitations of SOAP
  - Origin verification
  - Integrity, confidentiality

6 That's why... WS-Security*

7 Transport Level vs. Message Level Security

8 Why Message Level Security?
- Multiple intermediaries
  - Operations on messages
  - Observation
- Security even after safe delivery
- Non-repudiation
- Secure specific parts of the message?

9 Rampart/C Features
- Timestamps
- Username Token Profile
- X509 Token Profile
- SOAP message encryption
- SOAP message signature
- WS-Security Policy Support
- Replay detection

10 Overview

11 Detailed Architecture

12 OMXMLSecurity

13 Apache Axis2/C deployment
- Client
  - axis2.xml [Engage]
  - policy.xml [Policy]
- Service
  - services.xml [Engage + Policy]
  - axis2.xml [Engage: optional]

14 Apache Axis2/C deployment

15 An Encrypted Message

16 Rampart/C usages
- WSF/C
- WSF/PHP
- WSF/Ruby

17 Security in WSF/PHP

18 Secured WSF/PHP Client
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSClient object
5. Request

19 PHP Client example

    // Receiver's certificate and the sender's private key, loaded from files
    $rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
    $pvt_key = ws_get_key_from_file('../keys/alice_key.pem');

    // $reqPayloadString holds the XML request payload (not shown on the slide)
    $reqMessage = new WSMessage($reqPayloadString,
        array("to" => "http://localhost/samples/security/encryption/encrypt_service.php",
              "action" => "http://php.axis2.org/samples/echoString"));

    // 1. Security properties (Basic256Rsa15: AES-256 with RSA 1.5 key transport)
    $sec_array = array("encrypt" => TRUE,
                       "algorithmSuite" => "Basic256Rsa15",
                       "securityTokenReference" => "EmbeddedToken");

    // 2. Policy object built from the security properties
    $policy = new WSPolicy(array("security" => $sec_array));

    // 3. Security token carrying the key material
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                           "receiverCertificate" => $rec_cert));

    // 4. Client with WS-Addressing, the policy and the token
    $client = new WSClient(array("useWSA" => TRUE,
                                 "policy" => $policy,
                                 "securityToken" => $sec_token));

    // 5. Send the request
    $resMessage = $client->request($reqMessage);

20 Secured WSF/PHP Service
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSService object
5. Reply

21 PHP Service example

    // Certificate and private key, loaded from files
    $pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
    $pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

    // Operation name => PHP function implementing it (echoFunction is not shown on the slide)
    $operations = array("echoString" => "echoFunction");

    // 1. Security properties
    $sec_array = array("encrypt" => TRUE,
                       "algorithmSuite" => "Basic256Rsa15",
                       "securityTokenReference" => "IssuerSerial");

    // Action URI => operation name
    $actions = array("http://php.axis2.org/samples/echoString" => "echoString");

    // 2. Policy object built from the security properties
    $policy = new WSPolicy(array("security" => $sec_array));

    // 3. Security token carrying the key material
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                           "receiverCertificate" => $pub_key));

    // 4. Service with the actions, operations, policy and token
    $svr = new WSService(array("actions" => $actions,
                               "operations" => $operations,
                               "policy" => $policy,
                               "securityToken" => $sec_token));

    // 5. Process the request and send the reply
    $svr->reply();

22 Would Rampart/C be enough?
- NO...!!!
- There are threats that cannot be addressed by WS-Security* alone, e.g. XML bombs, SQL injection
- Design your services carefully and use Rampart/C
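
Slide 22's point as an added example, not taken from the presentation or from WSF/PHP: checks a service operation can apply to the plaintext payload after the WS-Security layer has decrypted and verified the message. The names parsePayload() and lookupUser(), the <name> element and the users table are hypothetical, and the code assumes PHP's dom and pdo_sqlite extensions.

```php
<?php
// Added example; parsePayload(), lookupUser(), the <name> element and the
// users table are hypothetical. Needs the dom and pdo_sqlite extensions.
function parsePayload(string $xml, int $maxBytes = 65536): DOMDocument
{
    if ($xml === '' || strlen($xml) > $maxBytes) {
        throw new InvalidArgumentException('payload empty or too large');
    }
    // XML bombs need entity declarations in a DTD. A SOAP payload has no
    // use for one, so refuse it before the parser sees the document.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DTD not allowed in payload');
    }
    libxml_use_internal_errors(true);   // parse errors surface via the return value
    $dom = new DOMDocument();
    // LIBXML_NONET: no network access. LIBXML_NOENT is deliberately not set.
    // The doctype test catches a DTD that the string check above missed.
    if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
        throw new InvalidArgumentException('malformed XML or DTD present');
    }
    return $dom;
}

function lookupUser(PDO $db, string $xml): ?string
{
    $node = parsePayload($xml)->getElementsByTagName('name')->item(0);
    if ($node === null) {
        throw new InvalidArgumentException('missing <name> element');
    }
    // Bound parameter: the value is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT email FROM users WHERE name = ?');
    $stmt->execute([$node->textContent]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Constructed sample data and payloads.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE users (name TEXT, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.org')");
$payloads = ['<q><name>alice</name></q>',
             "<q><name>x' OR '1'='1</name></q>",   // handled as a literal name
             '<!DOCTYPE q [<!ENTITY a "aa">]><q><name>&a;</name></q>'];
foreach ($payloads as $p) {
    try {
        var_dump(lookupUser($db, $p));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```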

23 What's ahead?
- WS-Secure Conversation
- WS-Trust
- WS-Federation

24 Questions?

25 More readings...
- http://wso2.org/library/2814
- http://wso2.org/library/2917
- http://wso2.org/library/2702

