Secure Web Services with
Apache Rampart/C
Why to secure web services?
The world is not nice, as it seems !!!
2
Threats
Common to distributed systems
 Specific to web services

3
Common threats
Message replays
 Identity spoofing
 DOS attacks
 Message alteration/Integrity
 Confidentiality issues

4
Threats on web services
Public disclosure UDDI, WSDL
 SOAP bound to HTTP/SMTP can easily pass
through firewalls
 Unpredictable order of service invocation
 Less human scrutiny
 Limitations of SOAP



Origin verification
Integrity, confidentiality
5
That's why...
WS-Security*
6
Transport Level Vs Message Level
Security
7
Why Message Level Security?

Multiple intermediaries


Operations to messages
Observation
Security even after the safe delivery
 Non-repudiation
 Secure specific parts of the message

?
8
Rampart/C Features
Timestamps
 Username Token Profile
 X509 Token Profile
 SOAP message encryption
 SOAP message signature
 WS-Security Policy Support
 Replay detection

9
Overview
10
Detailed Architecture
11
OMXMLSecurity
12
Apache Axis2/C deployment

Client



axis2.xml [Engage]
policy.xml [Policy]
Service


services.xml [Engage + Policy]
axis2.xml [Engage : optional]
13
Apache Axis2/C deployment
14
An Encrypted Message
15
Rampart/C usages
WSF/C
 WSF/PHP
 WSF/Ruby

16
Security in WSF/PHP
17
Secured WSF/PHP Client
1.Create an array of security properties
2.Creating a policy object populated with the
above security property array
3.Creating a WSSecutiyToken object
4.Creating a WSClient object
5.Request
18
PHP Client example
$rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
$pvt_key = ws_get_key_from_file('../keys/alice_key.pem');
$reqMessage = new WSMessage($reqPayloadString,
array("to"=>"http://localhost/samples/security/encryption/encrypt_service.php",
"action" => "http://php.axis2.org/samples/echoString"));
$sec_array = array("encrypt"=>TRUE,
"algorithmSuite" => "Basic256Rsa15",
"securityTokenReference" => "EmbeddedToken");
$policy = new WSPolicy(array("security"=>$sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
"receiverCertificate" => $rec_cert));
$client = new WSClient(array("useWSA" => TRUE,
"policy" => $policy,
"securityToken" => $sec_token));
$resMessage = $client->request($reqMessage);
19
Secured WSF/PHP Service
1.Create an array of security properties
2.Creating a policy object populated with the
above security property array
3.Creating a WSSecutiyToken object
4.Creating a WSService object
5.Reply
20
PHP Service example
$pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
$pvt_key = ws_get_key_from_file("/your/path/to/key.pem");
$operations = array("echoString" => "echoFunction");
$sec_array = array("encrypt" => TRUE,
"algorithmSuite" => "Basic256Rsa15",
"securityTokenReference" => "IssuerSerial");
$actions = array("http://php.axis2.org/samples/echoString" => "echoString");
$policy = new WSPolicy(array("security"=>$sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
"receiverCertificate" =>$pub_key));
$svr = new WSService(array("actions" => $actions,
"operations" => $operations,
"policy" => $policy,
"securityToken" => $sec_token));
$svr->reply();
21
Would Rampart/C be enough?

NO...!!!

There are threats that cannot be addressed
by WS-Security* alone


e.g. XML bombs, SQL injection
Design your services carefully and use
Rampart/C
22
What's ahead?
WS-Secure Conversation
 WS-Trust
 WS-Federation

23
Questions?
24
More readings...
http://wso2.org/library/2814
 http://wso2.org/library/2917
 http://wso2.org/library/2702

25