Webservice Security


WS-Trust [WS-SecurityPolicy 1.2, SAML 2.0, UT, X.509, SAML, Kerberos profiles]
CXF provides an implementation.
WS-Trust is the OASIS standard extension to WS-Security dealing with issuing, renewing, validating etc. of security tokens.

WS-Trust Architecture:

  • Requestor
  • Relying Party
  • Security Token
  • Claims (ex: privileges)
  • Policy
  • STS (Issue, Validate, Renew, Cancel)

SAML Architecture:

  • Assertions (format of a SAML Token):
    • AuthN data like tokens
    • AuthZ data like roles/privileges
    • Security attributes like issuer identity, name & address of subject
  • Protocols: describe the request and response messages for operations such as Issue, Renew etc.
  • Bindings: mappings of the SAML protocols onto network protocols
  • Profiles: particular use case of building a security system based on SAML

WS-Trust is independent of SAML but very similar.

Scenarios:

  • Bearer Scenario: the server trusts the token if its signature verifies with the public key of the STS.
  • Holder-of-Key Scenario: in addition to the Bearer Scenario, the server authenticates the client using X.509 or UsernameToken credentials.

https://access.redhat.com/site/documentation/en-US/JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/front.html

STS Architecture:

WSDL:

  • Logical (Type definitions & Port types)
  • Physical (policies, binding)

Operations:

  • Issue
  • Renew
  • Validate
  • Cancel

Policies: boil down to the following three types of policies

  • Transport Layer Security (TLS):
    • X.509 (during the SSL/TLS handshake)
    • UT token in the SOAP header
  • Symmetric Binding:
    • Security is in the SOAP layer (initiator must use a UT token)
  • Asymmetric Binding:
    • Security is in the SOAP layer (initiator must use an X.509 certificate)

3 levels of policies:

  1. Binding Policy -> applies to all operations.
  2. Input Policy -> applies to the request.
  3. Output Policy -> applies to the response.

Example Binding Policy: Symmetric Key Binding; clients must include UT credentials to authenticate themselves to the STS.

<wsp:Policy wsu:Id="####">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsap10:UsingAddressing/>
      <sp:SymmetricBinding
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              ...
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            ...
          </sp:AlgorithmSuite>
          ...
          <sp:IncludeTimestamp />
          <sp:EncryptSignature />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedSupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            ...
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss11
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          ...
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust13
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          ...
        </wsp:Policy>
      </sp:Trust13>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
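As an added example (not from the original notes and not CXF's own code), a small Python checker that classifies a WS-SecurityPolicy fragment by binding type, lists the concrete tokens it binds by role or supporting-token container, and flags the gaps the notes above describe: a symmetric binding with no UsernameToken supporting token for the initiator, an asymmetric binding whose initiator is not an X509Token, and missing IncludeTimestamp / EncryptSignature / OnlySignEntireHeadersAndBody assertions. The two sample policies are constructed here; the element names are the WS-SecurityPolicy 1.2 assertion names, while the review rules are assumptions drawn from the notes, not the full policy validation CXF performs.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}
ROLES = {"ProtectionToken", "InitiatorToken", "RecipientToken", "SignatureToken", "EncryptionToken", "TransportToken"}  # containers; the concrete token type is nested inside
FLAGS = {"IncludeTimestamp", "EncryptSignature", "OnlySignEntireHeadersAndBody"}


def _sp(tag):
    """Local name of an sp: element, or None for an element in any other namespace (wsp:, wsu:, ...)."""
    ns, _, name = tag.partition("}")
    return name if ns == "{" + SP else None


def summarize_policy(policy_xml):
    """Classify a WS-SecurityPolicy: binding type, concrete tokens by role/container, hardening flags."""
    root = ET.fromstring(policy_xml)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree keeps no parent links
    summary = {"binding": None, "tokens": [], "flags": set()}
    for elem in root.iter():
        name = _sp(elem.tag)
        if name in BINDINGS:
            summary["binding"] = name
        elif name in FLAGS:
            summary["flags"].add(name)
        elif name and name.endswith("Token") and name not in ROLES:
            role = parent.get(elem)  # climb to the enclosing role or *SupportingTokens container
            while role is not None and not (_sp(role.tag) in ROLES or str(_sp(role.tag)).endswith("SupportingTokens")):
                role = parent.get(role)
            summary["tokens"].append(f"{_sp(role.tag) if role is not None else 'unknown'}/{name}")
    return summary


def review_findings(summary):
    """Checks from the notes: symmetric binding needs an initiator UT, asymmetric an X.509 initiator, plus the flags."""
    binding, tokens, findings = summary["binding"], summary["tokens"], []
    if binding == "SymmetricBinding" and not any(t.endswith("/UsernameToken") for t in tokens):
        findings.append("SymmetricBinding: initiator has no UsernameToken supporting token")
    if binding == "AsymmetricBinding" and "InitiatorToken/X509Token" not in tokens:
        findings.append("AsymmetricBinding: InitiatorToken is not an X509Token")
    expected = {"IncludeTimestamp"} if binding == "TransportBinding" else FLAGS  # only the timestamp applies to TLS
    findings.extend(f"missing sp:{flag}" for flag in sorted(expected - summary["flags"]))
    return findings


# Constructed sample mirroring the binding policy above: symmetric binding plus a UT supporting token.
GOOD_POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>
<sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:ProtectionToken>
<sp:IncludeTimestamp/><sp:EncryptSignature/><sp:OnlySignEntireHeadersAndBody/></wsp:Policy></sp:SymmetricBinding>
<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""
# Same policy with the UT supporting token and the timestamp dropped: the checker should report both.
WEAK_POLICY = GOOD_POLICY.replace("<sp:UsernameToken/>", "").replace("<sp:IncludeTimestamp/>", "")
```

Running review_findings(summarize_policy(WEAK_POLICY)) reports the missing UT and the missing timestamp, while the good policy produces no findings.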

The TokenIssueOp is customizable with static STSProperties, pluggable providers (CXF provides SAML & SCT providers) & a new service.

STSProperties specifies the following:

  • Issuer: uniquely identifies the STS (used in validating & recognizing issued tokens)
  • Callback Handler: (implement javax.security.auth.callback.CallbackHandler ) to provide passwords
  • Signature Key: Key to sign SAML tokens
  • Encryption Key: Key to Encrypt tokens
  • Realm Settings: ???

https://access.redhat.com/site/documentation/en-US/JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/STS-Arch.html
