• Home

  • Documents

  • Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the...
37
Web Services Security Patterns, Practices & Threats Prabath Siriwardena – Software Architect, WSO2

Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Tags:

Embed Size (px)

Citation preview

Page 1: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Web Services Security

Patterns, Practices

&

Threats

Prabath Siriwardena – Software Architect, WSO2

Page 2: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Patterns

Standards

Implementations

Plan for the session

Page 3: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Recurring Problems

Page 4: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Patterns

Authentication Patterns

Confidentiality Patterns

Authorization Patterns

Page 5: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

19951997

Page 6: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session
Page 7: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

1999

Page 8: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2004

Page 9: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2005

SAML2 Web SSO

Page 10: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2008/May

Page 11: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

AuthenticationPatterns

Direct Authentication

Brokered Authentication

Page 12: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Basic Authentication

Mutual Authentication

2-legged OAuth

Direct Authentication for Web Services

Transp

ort

Level

Page 13: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

UsernameToken Profile with WS-Security

Signing – X.509 Token Profile with WS-Security

Direct Authentication for Web Services

Mess

age L

evel

Page 14: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Mutual Authentication

2-legged OAuth

Brokered Authentication for Web Services

Transp

ort

Level

Page 15: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

WS-Trust / STS

WS-Federation

Brokered Authentication for Web Services

Mess

age L

evel

Signing – X.509 Token Profile with WS-Security

Kerberos Token Profile for WS-Security

Resource STS

Page 16: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session
Page 17: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2006/April

Page 18: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2006/June

Page 19: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2008/2009

Page 20: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2008/2009

Page 21: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2008/2009

Page 22: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2007/Dec

Page 23: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2007/Dec

Page 24: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

AuthorizationPatterns

Direct Authorization

Delegated Authorization

Page 25: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

AuthorizationPatterns

Direct Authorization

Delegated Authorization

ActAs in WS-Trust 1.4

Page 26: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

2005/Feb

Page 27: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Message Interceptor Gateway Pattern

Trusted Sub System Pattern

Security Solution PatternsM

ess

age L

evel

Page 28: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

UsernameToken Profile

SOAP SecurityM

ess

age L

evel

Page 29: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

X.509 Token Profile & Key Referencing

Mess

age L

evel

SOAP Security

Key Identifiers

Direct References

Page 30: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Symmetric Binding Vs Asymmetric Binding

Mess

age L

evel

SOAP Security

Page 31: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Mess

age L

evel

SOAP Security

• WS-Security secures SOAP – focuses on message level security

• Focuses on a single message authentication model

• Each message contains everything necessary to authenticate it self

• Suitable for a coarse grained messaging in which a single message at a time from the same requestor is receivedW

S –

Secu

re C

onvers

ati

on

Page 32: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Mess

age L

evel

SOAP SecurityW

S –

Secu

re C

onvers

ati

on

• What SSL does at the transport level in point-to-point communication, WS-SecureConversation does at the SOAP layer

• Removes the need of individual SOAP message carrying authentication information.

• Establishes a mutually authenticated security context in which a series of messages are exchanged.

• Uses public key encryption to exchange a shared secret and then onwards uses the shared key

Page 33: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

WS-Trust

Mess

age L

evel

SOAP Security

Page 34: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Sender Vouches – Subject ConfirmationMess

age L

evel

SOAP Security

Page 35: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Mess

age L

evel

SOAP Security

Holder-of-Key – Subject Confirmation

Page 36: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

WS-Security Policy

Mess

age L

evel

SOAP Security

Page 37: Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session

Thank You…!!!

[email protected]


Prabath Siriwardena | Johann Nallathamby

Prabath Siriwardena | Johann Nallathamby

Documents
WS - Security Prabath Siriwardena Director, Security Architecture

WS - Security Prabath Siriwardena Director, Security Architecture

Documents
WSO2 Product Release Webinar - WSO2 Complex Event Processor

WSO2 Product Release Webinar - WSO2 Complex Event Processor

Technology
XML Signature Prabath Siriwardena Director, Security Architecture

XML Signature Prabath Siriwardena Director, Security Architecture

Documents
WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0

WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0

Technology
QCon London 2012...© WSO2 2012 @pzfreo #wso2 The evolution of integration QCon London 2012 Paul Fremantle CTO and Co-Founder, WSO2 paul@wso2.com© WSO2 2012 @pzfreo #wso2 File …

QCon London 2012...© WSO2 2012 @pzfreo #wso2 The evolution of integration QCon London 2012 Paul Fremantle CTO and Co-Founder, WSO2 [email protected]© WSO2 2012 @pzfreo #wso2 File …

Documents
WSO2 Product Release Webinar Introducing the WSO2 Message Broker

WSO2 Product Release Webinar Introducing the WSO2 Message Broker

Documents
WSO2 Platform Overview - WSO2 Meetup 01 - 16th Oct 2014

WSO2 Platform Overview - WSO2 Meetup 01 - 16th Oct 2014

Software
WSO2 Product Release Webinar: WSO2 Enterprise Mobility Manager 2.0

WSO2 Product Release Webinar: WSO2 Enterprise Mobility Manager 2.0

Technology
WSO2 Governance Registry and WSO2 API Manager Integration

WSO2 Governance Registry and WSO2 API Manager Integration

Technology
سیو سو کیام یرامعمncaea2019.sharif.edu/images/Slides/Microservices_Mahjoorian.pdf · Microservices for the Enterprise, Kasun Indrasiri & Prabath Siriwardena (2018)

سیو سو کیام یرامعمncaea2019.sharif.edu/images/Slides/Microservices_Mahjoorian.pdf · Microservices for the Enterprise, Kasun Indrasiri & Prabath Siriwardena (2018)

Documents
WS – Security Policy Prabath Siriwardena Director, Security Architecture

WS – Security Policy Prabath Siriwardena Director, Security Architecture

Documents
WSO2 Product Release webinar - WSO2 BAM 2.5

WSO2 Product Release webinar - WSO2 BAM 2.5

Technology
Integration Patterns with WSO2 ESB and WSO2 BPS

Integration Patterns with WSO2 ESB and WSO2 BPS

Technology
Wso2 product release webinar wso2 carbon 4.3

Wso2 product release webinar wso2 carbon 4.3

Documents
Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath

Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath

Documents
WSO2 Product Release webinar - The WSO2 ESB 4.8.0

WSO2 Product Release webinar - The WSO2 ESB 4.8.0

Technology
WSO2 Product Release webinar - WSO2 Message Broker 2.2.0

WSO2 Product Release webinar - WSO2 Message Broker 2.2.0

Technology
WSO2 Product Release webinar - WSO2 Carbon 4.3

WSO2 Product Release webinar - WSO2 Carbon 4.3

Technology
WSO2 Product Release Webinar: WSO2 Complex Event Processor 4.0

WSO2 Product Release Webinar: WSO2 Complex Event Processor 4.0

Technology
Microservices Security Landscape · prabath@wso2.com | prabath@apache.org. ABOUT ME 2 ... Sharing user context Polyglot architecture. Gateway Pattern at the Edge . OAUTH 2.0 7. AUTHORIZATION

Microservices Security Landscape · [email protected] | [email protected]. ABOUT ME 2 ... Sharing user context Polyglot architecture. Gateway Pattern at the Edge . OAUTH 2.0 7. AUTHORIZATION

Documents
1. niro siriwardena qof transparency

1. niro siriwardena qof transparency

Documents
Api security-eic-prabath

Api security-eic-prabath

Technology
Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and WSO2 CEP

Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and WSO2 CEP

Technology
Prabath Visualizing Indicators - University of California

Prabath Visualizing Indicators - University of California

Documents
XML Encryption Prabath Siriwardena Director, Security Architecture

XML Encryption Prabath Siriwardena Director, Security Architecture

Documents
CV Prabath

CV Prabath

Documents
WSO2Con USA 2017: WSO2 Partner Program – Engaging with WSO2

WSO2Con USA 2017: WSO2 Partner Program – Engaging with WSO2

Technology
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server

Documents
WSO2 Product Release Webinar: WSO2 API Manager 1.10

WSO2 Product Release Webinar: WSO2 API Manager 1.10

Technology