Prabath Siriwardena – Software Architect, WSO2

Plan for the session
• Patterns
• Standards
• Implementations

Recurring Problems
Patterns

Patterns
• Authentication Patterns
• Confidentiality Patterns
• Authorization Patterns

Standards timeline: 1995, 1997, 1999, 2004, 2005 (SAML2 Web SSO), 2008/May

Authentication Patterns
• Direct Authentication
• Brokered Authentication

Direct Authentication for Web Services – Transport Level
• Basic Authentication
• Mutual Authentication
• 2-legged OAuth

Direct Authentication for Web Services – Message Level
• UsernameToken Profile with WS-Security
• Signing – X.509 Token Profile with WS-Security

Brokered Authentication for Web Services – Transport Level
• Mutual Authentication
• 2-legged OAuth

Brokered Authentication for Web Services – Message Level
• WS-Trust / STS (Resource STS)
• WS-Federation
• Signing – X.509 Token Profile with WS-Security
• Kerberos Token Profile for WS-Security

Standards timeline: 2006/April, 2006/June, 2008/2009, 2008/2009, 2008/2009, 2007/Dec, 2007/Dec

Authorization Patterns
• Direct Authorization
• Delegated Authorization

Authorization Patterns – ActAs in WS-Trust 1.4
• Direct Authorization
• Delegated Authorization

Standards timeline: 2005/Feb

Message Level Security Solution Patterns
• Message Interceptor Gateway Pattern
• Trusted Sub System Pattern

Message Level SOAP Security
• UsernameToken Profile

Message Level SOAP Security
• X.509 Token Profile & Key Referencing
  – Key Identifiers
  – Direct References

Message Level SOAP Security
• Symmetric Binding vs Asymmetric Binding

Message Level SOAP Security – WS-SecureConversation
• WS-Security secures SOAP; it focuses on message level security.
• It focuses on a single-message authentication model.
• Each message contains everything necessary to authenticate itself.
• Suitable for coarse-grained messaging, in which a single message at a time is received from the same requestor.

Message Level SOAP Security – WS-SecureConversation
• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer.
• Removes the need for each individual SOAP message to carry authentication information.
• Establishes a mutually authenticated security context in which a series of messages are exchanged.
• Uses public key encryption to exchange a shared secret, and from then on uses the shared key.

Message Level SOAP Security
• WS-Trust

Message Level SOAP Security
• Sender Vouches – Subject Confirmation

Message Level SOAP Security
• Holder-of-Key – Subject Confirmation

SOAP Security
• WS-Security Policy

http://wso2.org/library/3132
http://wso2.org/library/3786
Web Service Security
