Secure Web Services with Apache Rampart/C

Why secure web services?
- The world is not as nice as it seems!!!

Threats
- Common to distributed systems
- Specific to web services

Common threats
- Message replays
- Identity spoofing
- DoS attacks
- Message alteration / integrity
- Confidentiality issues

Threats on web services
- Public disclosure: UDDI, WSDL
- SOAP bound to HTTP/SMTP can easily pass through firewalls
- Unpredictable order of service invocation
- Less human scrutiny
- Limitations of SOAP: origin verification, integrity, confidentiality

That's why... WS-Security*

Transport Level vs Message Level Security

Why Message Level Security?
- Multiple intermediaries
- Operations on messages
- Observation
- Security even after safe delivery
- Non-repudiation
- Secure specific parts of the message?

Rampart/C Features
- Timestamps
- Username Token Profile
- X.509 Token Profile
- SOAP message encryption
- SOAP message signature
- WS-Security Policy support
- Replay detection

Overview

Detailed Architecture

OMXMLSecurity

Apache Axis2/C deployment
- Client: axis2.xml [Engage], policy.xml [Policy]
- Service: services.xml [Engage + Policy], axis2.xml [Engage: optional]

Apache Axis2/C deployment

An Encrypted Message

Rampart/C usages
- WSF/C
- WSF/PHP
- WSF/Ruby

Security in WSF/PHP

Secured WSF/PHP Client
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSClient object
5. Request

PHP Client example

    <?php
    // Receiver's (Bob's) certificate and the sender's (Alice's) private key
    $rec_cert = ws_get_cert_from_file('../keys/bob_cert.cert');
    $pvt_key = ws_get_key_from_file('../keys/alice_key.pem');

    // $reqPayloadString holds the XML payload to send (built by the caller, not shown on the slide)
    $reqMessage = new WSMessage($reqPayloadString,
        array("to" => "http://localhost/samples/security/encryption/encrypt_service.php",
              "action" => "http://php.axis2.org/samples/echoString"));

    // 1. Security properties: encrypt with the Basic256Rsa15 suite, embed the token in the message
    $sec_array = array("encrypt" => TRUE,
                       "algorithmSuite" => "Basic256Rsa15",
                       "securityTokenReference" => "EmbeddedToken");

    // 2. Policy object populated with the security properties
    $policy = new WSPolicy(array("security" => $sec_array));

    // 3. Security token: our private key plus the receiver's certificate
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                           "receiverCertificate" => $rec_cert));

    // 4. Client with WS-Addressing enabled, carrying the policy and the token
    $client = new WSClient(array("useWSA" => TRUE,
                                 "policy" => $policy,
                                 "securityToken" => $sec_token));

    // 5. Send the request; the response arrives encrypted and is decrypted by Rampart/C
    $resMessage = $client->request($reqMessage);
    ?>

Secured WSF/PHP Service
1. Create an array of security properties
2. Create a policy object populated with the above security property array
3. Create a WSSecurityToken object
4. Create a WSService object
5. Reply

PHP Service example

    <?php
    // The service's own certificate and private key
    $pub_key = ws_get_cert_from_file("/your/path/to/cert.cert");
    $pvt_key = ws_get_key_from_file("/your/path/to/key.pem");

    // Operation name -> PHP function implementing it
    $operations = array("echoString" => "echoFunction");

    // Body of the echoString operation (assumed minimal echo; the slide does not show it)
    function echoFunction($inMessage) {
        return new WSMessage($inMessage->str);
    }

    // 1. Security properties: encrypt, Basic256Rsa15, token referenced by issuer name and serial
    $sec_array = array("encrypt" => TRUE,
                       "algorithmSuite" => "Basic256Rsa15",
                       "securityTokenReference" => "IssuerSerial");

    // WS-Addressing action -> operation
    $actions = array("http://php.axis2.org/samples/echoString" => "echoString");

    // 2. Policy object populated with the security properties
    $policy = new WSPolicy(array("security" => $sec_array));

    // 3. Security token: our private key plus the client's certificate
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                           "receiverCertificate" => $pub_key));

    // 4. Service object carrying actions, operations, policy and token
    $svr = new WSService(array("actions" => $actions,
                               "operations" => $operations,
                               "policy" => $policy,
                               "securityToken" => $sec_token));

    // 5. Process the incoming request and reply
    $svr->reply();
    ?>

Would Rampart/C be enough?
- NO...!!!
- There are threats that cannot be addressed by WS-Security* alone, e.g. XML bombs, SQL injection
- Design your services carefully and use Rampart/C

What's ahead?
- WS-Secure Conversation
- WS-Trust
- WS-Federation

Questions?

More readings...
- http://wso2.org/library/2814
- http://wso2.org/library/2917
- http://wso2.org/library/2702
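The Timestamps, Username Token Profile and Replay detection items on the Rampart/C Features slide work together, and the following added Python example shows how. It is not Rampart/C code and not the WSF/PHP API: it builds the fields of a wsse:UsernameToken with a PasswordDigest as the WSS UsernameToken Profile defines it (Base64(SHA-1(nonce + created + password))) and verifies it on the server with a freshness window on wsu:Created plus a cache of nonces seen inside that window. The dict shape of the token, the ReplayGuard class, the 300 s window and 60 s clock skew are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# wsu:Created uses XML Schema dateTime in UTC; second precision is enough here.
WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def wsu_timestamp(posix_time: float) -> str:
    """POSIX seconds -> wsu:Created string such as 2023-11-14T22:13:20Z."""
    return datetime.fromtimestamp(posix_time, tz=timezone.utc).strftime(WSU_FORMAT)


def parse_wsu_timestamp(text: str) -> float:
    """Inverse of wsu_timestamp; raises ValueError for anything but the UTC 'Z' form."""
    return datetime.strptime(text, WSU_FORMAT).replace(tzinfo=timezone.utc).timestamp()


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest per the WSS UsernameToken Profile:
    Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username: str, password: str, now: float,
                        nonce: Optional[bytes] = None) -> dict:
    """Client side: the fields of a wsse:UsernameToken (dict form assumed for this example)."""
    nonce = os.urandom(16) if nonce is None else nonce   # fresh random nonce per message
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    created = wsu_timestamp(now)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class ReplayGuard:
    """Server side: accept a token only if Created is fresh and its nonce has not been
    seen inside the freshness window. Window and skew values are assumptions."""

    def __init__(self, window_seconds: float = 300, clock_skew_seconds: float = 60):
        self.window = window_seconds
        self.skew = clock_skew_seconds
        self._seen: Dict[str, float] = {}   # nonce -> time after which it may be forgotten

    def _forget_old_nonces(self, now: float) -> None:
        # A nonce only needs remembering while a token carrying it could still pass the
        # freshness check; after that the timestamp check alone rejects the replay.
        self._seen = {n: t for n, t in self._seen.items() if t > now}

    def verify(self, token: dict, password_lookup, now: float) -> Tuple[bool, str]:
        self._forget_old_nonces(now)
        try:
            created = parse_wsu_timestamp(token["Created"])
            nonce_b64 = token["Nonce"]
            username = token["Username"]
        except (KeyError, ValueError):
            return False, "malformed token"
        if created > now + self.skew:
            return False, "Created is in the future"
        if now - created > self.window:
            return False, "token expired"
        if nonce_b64 in self._seen:
            return False, "replay: nonce already used"
        password = password_lookup(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce_b64, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        # Record the nonce only after the digest checks out, so guessed nonces
        # from unauthenticated senders cannot fill the cache.
        self._seen[nonce_b64] = created + self.window + self.skew
        return True, "ok"


if __name__ == "__main__":
    import time
    users = {"alice": "s3cret"}           # constructed credential store
    guard = ReplayGuard()
    token = make_username_token("alice", users["alice"], time.time())
    print(guard.verify(token, users.get, time.time()))   # first delivery: accepted
    print(guard.verify(token, users.get, time.time()))   # same message again: replay
```

The nonce cache is bounded by the window, which is why the freshness check on wsu:Created must come first: without it the server would have to remember every nonce forever to detect replays.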
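One concrete form of the "design your services carefully" advice on the "Would Rampart/C be enough?" slide: WS-Security will sign or encrypt an entity-expansion bomb as happily as any other payload, so the parser in front of the security layer has to refuse it. The added Python example below (not part of the deck, and not Rampart/C or WSF/PHP code) rejects any SOAP envelope that carries a DOCTYPE or entity declaration (SOAP 1.1 and 1.2 both forbid a DTD in a message), exceeds a size cap, or nests deeper than a cap, using only expat from the standard library. The caps, the function names and the sample envelopes are constructed for this example; SQL injection, the other threat the slide names, is a matter of parameterised queries inside the service code and is not covered here.

```python
import xml.parsers.expat

MAX_BYTES = 256 * 1024   # assumed cap on envelope size
MAX_DEPTH = 64           # assumed cap on element nesting


class UnsafeSoapMessage(Exception):
    """Raised when an envelope is refused before it reaches the WS-Security layer."""


def check_soap_envelope(data: bytes, max_bytes: int = MAX_BYTES,
                        max_depth: int = MAX_DEPTH) -> None:
    """Parse once with expat; refuse DTDs, entity declarations, oversized bodies
    and excessive nesting by raising UnsafeSoapMessage. Returns None when clean."""
    if len(data) > max_bytes:
        raise UnsafeSoapMessage(f"envelope of {len(data)} bytes exceeds cap of {max_bytes}")

    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on the DOCTYPE itself, before any entity is expanded, so even a
        # tiny entity-expansion definition is rejected at zero cost.
        raise UnsafeSoapMessage("DOCTYPE is not allowed in a SOAP message")

    def on_entity_decl(*_):
        raise UnsafeSoapMessage("entity declarations are not allowed in a SOAP message")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise UnsafeSoapMessage(f"element nesting deeper than {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSoapMessage(f"malformed XML: {exc}") from exc


def refusal_reason(data: bytes) -> str:
    """Empty string when the envelope is acceptable, otherwise why it was refused."""
    try:
        check_soap_envelope(data)
        return ""
    except UnsafeSoapMessage as exc:
        return str(exc)


# Constructed sample envelopes for the demonstration
GOOD_ENVELOPE = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><echoString>hello</echoString></soapenv:Body>
</soapenv:Envelope>"""

# A small entity-expansion definition: refused at the DOCTYPE, never expanded.
BOMB_ENVELOPE = b"""<?xml version="1.0"?>
<!DOCTYPE soapenv:Envelope [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><echoString>&b;</echoString></soapenv:Body>
</soapenv:Envelope>"""

# 100 nested elements: well-formed, but deeper than the cap.
DEEP_ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                 b'<soapenv:Body>' + b"<x>" * 100 + b"</x>" * 100
                 + b"</soapenv:Body></soapenv:Envelope>")


if __name__ == "__main__":
    for label, env in (("good", GOOD_ENVELOPE), ("bomb", BOMB_ENVELOPE), ("deep", DEEP_ENVELOPE)):
        print(label, refusal_reason(env) or "accepted")
```

Run this check on the raw bytes before the message is handed to the security module; once Rampart/C has decrypted or verified a signature over the body the expansion cost has already been paid by the XML parser underneath it.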