
Web Data and Application Security.ppt

Uploader: dcs1276  Document ID: 6214043  Uploaded: 2019-04-02  Format: PPT  Pages: 55  Size: 692KB

Slide 1: Web Data and Application Security 3.
CSCE 813

Slide 2: Thanks for lecture slides
The following slides are composed from publicly available data and slides listed in the references. The authors of those references retain all copyrights and intellectual property rights. Here they are used for educational purposes only.

Slide 3: References
- Web Services Choreography Working Group, http://www.w3.org/2002/ws/chor/
- Web Services Federation Language (WS-Federation), http:/ /
- A Case Study of the WS-Security Framework, http://www.cs.ucsb.edu/gayatri/Presentations/WS%20Case%20Study.ppt
- Web Services Choreography and Process Algebra, http://www.daml.org/services/swsl/materials/WS-CDL.ppt
- WS Choreography Overview, http://xml.coverpages.org/BurdettWSChoreographyOverview200306.ppt
- BPEL Overview, http:/
- J. Yang, D. Wijesekera, S. Jajodia, Subject switching algorithms for access control in federated databases, http://portal.acm.org/citation.cfm?id=863748&dl=acm&coll=&CFID=15151515&CFTOKEN=6184618

Slide 4: More Reading
- WS-Security: “Web Services Security Language”, IBM, Microsoft, VeriSign, April 2002.
- “WS-Security Addendum”, IBM, Microsoft, VeriSign, August 2002.
- “WS-Security XML Tokens”, IBM, Microsoft, VeriSign, August 2002.
- WS-Policy: “Web Services Policy Framework”, BEA, IBM, Microsoft, SAP, December 2002.
- WS-PolicyAttachment: “Web Services Policy Attachment Language”, BEA, IBM, and Microsoft, SAP, December 2002.
- WS-PolicyAssertions: “Web Services Policy Assertions Language”, BEA, IBM, Microsoft, SAP, December 2002.
- WS-Trust: “Web Services Trust Language”, IBM, Microsoft, RSA, VeriSign, December 2002.
- WS-SecureConversation: “Web Services Secure Conversation Language”, IBM, Microsoft, RSA, VeriSign, December 2002.
- WS-SecurityPolicy: “Web Services Security Policy Language”, IBM, Microsoft, RSA, VeriSign, December 2002.
- WS-FederationActive: “Web Services Federation Language: Active Requestor Profile”, BEA, IBM, Microsoft, RSA Security, VeriSign, July 2003.
- WS-FederationPassive: “Web Services Federation Language: Passive Requestor Profile”, BEA, IBM, Microsoft, RSA Security, VeriSign, July 2003.
- WS-ReliableMessaging: “Web Services Reliable Messaging Protocol”, BEA, IBM, Microsoft, TIBCO, February 2003.

Slide 5: Semantic Web
T. B. Lee

Slide 6: WS Framework
[Diagram labels: SOAP Foundation; WS-Security; WS-Policy; WS-Trust; WS-Privacy; WS-Secure Conversation; WS-Federation; WS-Authorization. Legend: Standards Body, Published Specs, Unpublished Specs]

Slide 7: Security Requirements
- Identity Management: Each entity must be able to identify itself to the party it wants to communicate with
- Policy Management: Each entity enforces policies with other entities. E.g. message format, who has access to what, what one needs to process.
- Secure Messaging: authentication, confidentiality, integrity, non-repudiation

Slide 8: WS Components
- WS-Security (aka WSS): SOAP message security only; does not cover other aspects of security for web services
- WS-Trust: Issuance and exchange of security tokens, not establishment and validation of trust
- WS-Policy: Policy definition framework; does not describe how policies are managed
- WS-SecurityPolicy: How security information is passed, not how security policy is distributed or enforced

Slide 9: WS-Security
- Describes how to secure SOAP messages
- Defines how to identify the creator of the message
- Carries multiple credential types including
- Message Integrity
  - Integrity of all or part of a message
  - Builds on XML-Signature
  - Supports multiple and overlapping signatures
- Message Confidentiality
  - Confidentiality of all or part of a message
  - Builds on XML-Encrypt

Slide 10: Securing SOAP Messages
- WSS information stored in SOAP security header
- One or more security tokens carried in header to identify the transaction
- XML Signature blocks may be carried to provide integrity and link the identity to the transaction
- Key information within the security token may be used
- Privacy provided using XML encryption
[Diagram labels: wsse:; security token; signature; key info]

Slide 11: Example
ID=“MyToken”

Slide 12: Security Tokens
- Separate profiles define the format and usage rules of various token types
- Username/password
- Binary Security Tokens
  - Encoding type like Base-64 allows inclusion in XRML
  - X.509
  - Kerberos
- XML Tokens
  - SAML
  - XRML
  - Common Biometric Format

Slide 13: WS-Policy
- Framework for defining policies: parameters or assertions that affect web services
  - WS-PolicyAttachment describes how policies are associated with a resource
  - WS-PolicyAssertions defines a common set of assertions
- Establishes a mechanism for exchanging requirements between a web services provider and client
- Provides machine readable policy statements that describe the operational parameters for interactions between a service and a client
- Supports negotiation of the parameters defined within a policy

Slide 14: WS-Policy
- Policy is defined as a series of assertions
  - Each has a usage (required, optional, rejected etc) and preference (ranking of this assertion)
  - Operators (all, exactlyone, oneormore) define how to evaluate child assertions
- WS-PolicyAssertions define common assertion types (TextEncoding, Language, SpecVersion)
- WS-PolicyAttachment supports a standalone option that allows a standalone description of the web service that the policy is associated with
  - Or integrated with WSDL where a series of pointers reference a policy

Slide 15: WS-SecurityPolicy
- Defines assertions that address security parameters
- SecurityToken identifies
  - Types of security tokens accepted
  - Issuer of the token
  - Optional details about particular token types (e.g. what set of user names are supported)
- Integrity
  - What parts of a message are signed
  - XML signature algorithms used
  - Parameters defining how the algorithm should be executed

Slide 16: WS-SecurityPolicy
- Confidentiality
  - What parts of a message are encrypted
  - Algorithms and parameters used
- Visibility
  - What parts of a message must be visible to intermediary web services
- SecurityHeader
  - Constrains how the security header is processed
- MessageAge
  - Acceptable message lifetime based on the WSS timestamp

Slide 17: WS-Trust
- A Security Token Service (STS) issues tokens that can be used in WSS
- Forms the basis for several other WS-* standards (coming up)
- Token issuance, renewal and validation are handled by an STS
- The services of an STS may be required by web services and their clients
- Security tokens are a collection of claims about a resource
- The claims presented in a security token are examined in the light of the policy controlling the web service

Slide 18: Web Services Trust Model
[Diagram labels: Security Token Service (Policy, Security Token, Claims); Web Service (Policy, Security Token, Claims); Requestor (Policy, Security Token, Claims)]

Slide 19: WS-SecureConversation
- Eliminates the overhead of carrying and validating authentication information in each message
- Establishes a mutually authenticated security context
- Multiple messages may be exchanged within this context
- Creates an end-to-end secured channel at the application layer
- Like SSL, it provides a session oriented authenticated and encrypted data pipe
- SSL is restricted to point-to-point sessions between intermediate nodes

Slide 20: WS Federation

Slide 21: WS Federation
- Enable identity, account, attribute, authentication and authorization federation across different trust realms
- Requirements:
  - Sharing of identity, authentication, and authorization
  - Brokering of trust
  - Local identities are not required
  - Optional hiding of identity information

Slide 22: Identity Sharing

Slide 23: Components
[Diagram labels: a friendly coalition; Accessing data; Component 1, Providers of data; Component 2, Providers of data]

Slide 24: Federations and autonomy
- Federations: need to share information
- Respect components' autonomy
  - Design, execution, communication, authentication and authorization autonomies.
- Tightly coupled vs. loosely coupled systems
- Who should control them?
- Also depends upon the access control paradigm: discuss DAC and RBAC

Slide 25: Discretionary access control
- The main point: Access control lists say who can access what
- ACLs have (subject, object, action) triples
- In order to grant / deny permissions the access controller compares a request against the list

Slide 26: Our main problem
[Diagram: the coalition. Requester: “Hi I am Jack, I need to write “foo””. Component 1: “Who is Jack? I know Jill”. Component 2: “I know Jane, I have something like “foo”. But only Bob can get it”]

Slide 27: Identity and authorization
- By components, federation, together
- Issue: how would components know the identity of federation subjects?
- Use subject's federation ID, access location etc.
- Use component ID: need to authenticate itself twice, or have no authentication at one of the levels.
- Assume the federation's ID to access components' data

Slide 28: Subject switching - issues
- A federation user's access request list may not match what the components offer.
- Option 1: Do not switch identity if there is no component subject with matching permissions
- Option 2: Do the best match possible. Over-permissions.
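
The two options on the "Subject switching - issues" slide, worked through on the Alice, Bob and Carol permission sets from the "Approximate access control" slide and the least over-/under-permitting criteria from the Wijesekera et al. slide. This is an added example, not code from the slides or the referenced paper; the set-difference measure and the function and policy names are assumptions.

```python
# Added illustration: subject switching as a best-match search over permission sets.
# Assumption: "difference" is measured as the size of two set differences; the
# cited paper's exact measure is not given on the slides.

REQUEST = {("read", "A"), ("write", "B"), ("exec", "C")}  # Alice, federation subject
COMPONENT_SUBJECTS = {
    "Bob":   {("read", "A"), ("write", "B")},                              # component 1
    "Carol": {("read", "A"), ("write", "B"), ("exec", "C"), ("exec", "A")},  # component 2
}

# Sort keys over (name, n_over, n_under) tuples.
ORDER = {
    "least_over":  lambda s: (s[1], s[2]),  # never prefer extra privilege
    "least_under": lambda s: (s[2], s[1]),  # satisfy the request first
}

def gap(requested, available):
    """Return (over, under): rights granted but not requested, and requested but missing."""
    return available - requested, requested - available

def switch_subject(requested, subjects, policy):
    """Pick the component subject whose identity the federation requester assumes.

    "exact" is option 1 (no switch without an exact match, returns None);
    "least_over" and "least_under" are the two readings of "best match" in option 2.
    """
    scored = []
    for name, perms in sorted(subjects.items()):  # sorted: deterministic tie-break
        over, under = gap(requested, perms)
        scored.append((name, len(over), len(under)))
    if policy == "exact":
        exact = [n for n, o, u in scored if o == 0 and u == 0]
        return exact[0] if exact else None
    return min(scored, key=ORDER[policy])[0]

def audit(requested, subjects, chosen):
    """What the switch changes in practice: extra rights gained, requests that will fail."""
    over, under = gap(requested, subjects[chosen])
    return {"excess": sorted(over), "denied": sorted(under)}

if __name__ == "__main__":
    for policy in ("exact", "least_over", "least_under"):
        chosen = switch_subject(REQUEST, COMPONENT_SUBJECTS, policy)
        print(policy, chosen, audit(REQUEST, COMPONENT_SUBJECTS, chosen) if chosen else "")
```

Under "least_under" Alice acts as Carol and gains (exec, A), which she never requested; the "excess" list is the part of each switch worth logging and reviewing.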

Slide 29: Approximate access control?
- Alice (in the federation) wants: (read, A), (write, B), (exec, C)
- Bob (in component 1) has (read, A), (write, B)
- Carol (in component 2) has (read, A), (write, B), (exec, C), (exec, A)
- Whose permissions should Alice get?
- Bob gets less! Carol gets more?

Slide 30: Wijesekera et al.'s solution
- Measure the difference between the requested permissions and permissions available for each subject from the components
- Give the best match
- What is best?
  - Least over-permitting
  - Least under-permitting
- How do we solve the identity crisis?
  - Switch the requester's identity to the chosen victim's identity within the federation

Slide 31: Identity switching for RBAC systems

Slide 32: Role based access control systems
- Popular among military and business worlds
- Subjects, Roles, Permissions
- SubjectRole, RolePermission maps
- A subject gets all permissions assigned to a role
- Constraints: SoD etc, taken as binary
[Diagram labels: Subjects; Roles; Permissions; Fsr; Frp]

Slide 33: Mapping RBAC federations
- Need to map the complex structures of RBAC systems
[Diagram labels: The Coalition; Exxon-Mobile; Exxon; Mobile]

Slide 34: Two steps of the mapping
[Diagram labels: The Holistic View of RBAC systems; RBAC Model of the federation; Component 1's RBAC Model; Component 2's RBAC Model; The first step; The second step]

Slide 35: WS Federation Business Process

Slide 36: User and Transactional Security
User Security
Transactional Security
- Business transaction model based on XML and Web Services
- Applications exchange transactions; users are not directly involved
- Sender may not originate transactions; does not know the final destination
- Security requirements are based on the content of the transaction, not the identity of the applications
[Diagram label: Web Servers]

Slide 37: Federation Token Exchanges
[Diagram labels: Security Token Service (Policy, Security Token); Web Service (Policy, Security Token); Requestor (Policy, Security Token); Trust Relationship; Trust Domain 1; Trust Domain 2; steps 1, 2, 3, 4]

Slide 38: Trust and Security Token Issuance

Slides 39 to 42: [no text]

Slide 43: Security and Privacy - Today
- Today transactions are secured using WSS toolkits to implement the Web Service security standards
- Usually support for X.509 Certificates or password credentials
[Diagram labels: HTML; SWS + password / X.509 Cert]

Slide 44: Security and Privacy “Tomorrow”
- SAML Tokens for use in WSS security headers to support Federated Identities
- User Authentication supplied by CT/FIM
- Requests SAML assertions from SAML authority to build SAML tokens
- Crossover from Browser/User security world to Web Services
[Diagram labels: HTML; WSS + SAML Token; WSS with SAML; SAML Authority; Login; SAML Assertions]

Slide 45: Security and Privacy “Tomorrow”
- Web services infrastructure moves toward WS-Trust credential servers for token issuance and support of WS-Federation
- WS-Trust toolkits provide messaging and protocol support for development of clients and servers
[Diagram labels: WSS+Token; WS-Trust; WS-Trust Credential Server; Tokens; WS-Federation Ids; WS-Trust Server Tk]

Slide 46: WS Choreography Model
- Describe the data and the relationship between them
- Format and structure of SOAP messages (WSDL + its extensions)
- Sequence and conditions in which the messages are exchanged
- Shared common (“global”) definition

Slide 47: Web Services Meet Business Processes
[Diagram labels: Web Service 1; Web Service 2; Web Service 3; Web Service 4; Web Service 5; Web Service n]

Slide 48: Example Problem Space
[Diagram labels: Client; PO Service; Credit Service; Inventory Service; Consolidate Results]

Slide 49: Features
- Reusability: A choreography definition is reusable in different contexts with different software and different message formats
- State Driven: Processes or organizations that take part in choreographies maintain their state in the choreography
- Cooperative Organizations: Describes how independent organizations or processes cooperate
- Verifiable: Choreography definition can be used to verify that a Choreography is being followed correctly (How not yet defined)
- Multi-Party: The specification allows Choreography Definitions with any number of organizations or processes involved
- Modular: An “import” facility allows separately defined components to be imported

Slide 50: Other Features
- Multi-Party Choreographies
  - Any number of roles can take part
  - One definition for all roles makes sharing easier
- Importing Definitions
  - Allows reusability of individual definitions, e.g. messages, roles, etc
- Extending Choreography Definitions
  - Allows one Choreography to extend another; perhaps should be composition instead!
- Choreography Dependencies
  - One choreography can only execute after another, e.g. you can only query the state of a choreography if there is another choreography instance to query
- Semantic Definitions
  - Two ways of defining semantics: in the XML, or at a URL
  - Multi-lingual

Slide 51: Orchestration vs. Choreography
- Orchestration: An executable business process describing a flow from the perspective and under control of a single endpoint (commonly: Workflow)
- Choreography: The observable public exchange of messages, rules of interaction and agreements between two or more business process endpoints

Slide 52: Global Models

Slide 53: WS-CDL Global Models
A sequential process
Client(open,close,request,reply) = open.request1.reply1.request2.reply2.close.0

Slide 54: WS-CDL Global Models
A repetitive process
Client(open,close,request,reply) = open.request1.reply1.request2.reply2.close.Client(open,close,request,reply)

Slide 55: WS-CDL Global Models
A process with choices to make
IdleServer(o,req,rep,c) = o.BusyServer(o,req,rep,close)
BusyServer(o,req,rep,c) = req.rep.BusyServer(o,req,rep,c) + c.IdleServer(o,req,rep,c)
