Embed Size (px)
Citation preview
Using WSS4J and Axisto Secure Web Servicesin the U. S. Government
Kevin T. Smith
Technical Director,
McDonald Bradley Inc.
Agenda • Introduction • Part 1 – Web Services Security Implementation
for the Government’s Horizontal Fusion Program
• Part 2 – Web Services Security for a Not-To-Be-Named Current Government Program
• Part 3 – Resources, code, etc.
Introduction • Kevin T. Smith
– Director of SOA & Semantics Security Team (S3T) at McDonald Bradley
– Focused on Information Assurance & SOA
• Author/Co-Author of Several Technology Books and Articles
• Contact Info: – [email protected] or
Part 1: Horizontal Fusion
What is Horizontal Fusion (HF)?• From Web Site (http://www.horizontalfusion.dtic.mil/) :
– “As an award-winning effort consistent with the goals and guidance for military transformation, Horizontal Fusion has been organized to focus technology on the information-sharing challenges of net-centric warfare and to demonstrate innovation and benefit quickly…”
– “Horizontal Fusion deploys web-services to leverage existing and emerging technologies in a secure environment.”
• From A Technology Perspective: – Lots of Data, Everything exposed as web services– Large amount of data, many participants, large amount of services– Much web service chaining, federated search capabilities – Government requirements mandated very strong security
HF Technology History • 2003 – Initial Phase, Deployment of
Many Web Services • 2004 - Developed Security Toolkit using
Apache WSS4J & Apache Axis handlers – Done for Axis 1.1 and 1.2– Used WSS4J “snapshot” at that point +
OpenSAML (updated WSS4J in early ’05)
• 2004-Present : In Production
HF Message Format:NCES Security SOAP Messaging
Net-Centric Enterprise Services http://www.disa.mil/main/prodsol/cs_nces.html
Use of SAML for Access Control • For Message Requests:
– Security Roles of the User is sent in SAML in the SOAP Header
– The Clearance of the Subject is sent in SAML– The Security Label of the Subject’s Request is also
in SAML
• For Message Responses:– The Security Label of the Response is set by the
Web Service– The Server Handler Response Controls Access
Based On The Label That Was Returned By the Web Service
– If Label is Authorized for User, Server Handler Creates The Return Message, entering Security Label of the Message, and Digitally Signing The Message Before It is returned to the Requester
Authentication Statement
Subject Clearance
Attribute Statement Subject Message Label
Attribute Statement
Subject Security Roles Attribute Statement
SAMLAssertion
Subject Message Label
Attribute Statement
SAMLAssertion
In Request:
In Response:
Back to Message Format: Use of SAML for Access Control
-If SAML contains attributes And local policy is expressed,“local” PDP was used -If SAML contains only identity,“central” PDP was used
About Our Use of Axis Handlers • Security Handlers create secure messages
– A Client Handler (on request) adds a WS-Security Header with a SAML Assertion on behalf of a subject (the user) (Client RequestFlow)
– A Server Handler (on response) creates a WS-Security Header on behalf of the Web Service (Server Response Flow)
• Security Handlers validate messages– A Server Handler (on request) validates a web service message, can control access by role –
before the web service is called (Server RequestFlow) – A Client Handler (on response) validates the message created by the web service (Client Response
Flow)
Web Service Client Client
HandlerServer
Handler
WebService
Web Service Client Requests
• WS Client creates a “SecurityInfo” object and places it in the MessageContext for Apache Axis to use
– SecurityInfo object contains information about the Message being sent and the Subject for which the message is being sent
– Simple Example of Instantiating SecurityInfo:
– Examples of Passing the information to Axis:
javax.xml.rpc.Call call = vs.createCall(new QName(NS,port), "getVersion"); call.setProperty("SECURITY_INFO", sinfo) System.out.println(call.invoke(null));
VersionServiceLocator vsl = new VersionServiceLocator(); Stub stubby = (Stub)vsl.getVersion(); stubby._setProperty("SECURITY_INFO", sinfo); Version v = (Version)stubby; System.out.println(v.getVersion());
SecurityInfo sinfo = new SecurityInfo("cn=Kevin T. Smith, o=McDonald Bradley, c=US"); sinfo.addRole("user.operator"); sinfo.addRole("user.analyst"); sinfo.addSubjectClearanceDataItem("S"); sinfo.addSubjectCitizenshipDataItem("USA"); sinfo.addMessageClassificationDataItem("S");
WS Client
Axis Client Request Flow
• Client Handler intercepts the message as part of the Axis Handler Chain
• Client Handler pulls the SecurityInfo object from the MessageContext– SecurityInfo = (SecurityInfo)messageContext.getProperty(“SECURITY_INFO”);
• Client Handler builds the WS-Security Header with WSS4J
– Adds unique MessageId
– Adds Timestamp
– Adds SAML Assertion with data from SecurityInfo object.
– Signs MessageId, Timestamp, SAML Assertion, and Message Body with certificate to create NCES Security-Compliant Message
WS Client
ClientHandler
Axis Server Request Flow
• Server Handler intercepts the request message as part of the Axis Handler chain
• Access Control:– Calls a service to check revocation status of certificate
– Validates the signatures on the message
– Verifies the Timestamp is within a configurable window & verifies that messageID has not been previously used to prevent replay attack
– Determines if Subject can access this Service, based on attributes in SAML assertion & locally expressed policy, or via a call to Policy Service
– If any of these fail, throws a SOAP fault
• Creates a SecurityInfo object from the SAML assertion passed in
• Web Service gets the message
WS Client
ClientHandler
ServerHandler WS
Axis Server Response Flow
• After processing the request, Web Service creates a SecurityInfo object for the label of the data and places it in the MessageContext before sending the response message.
• Axis Server Handler intercepts the message as part of the Axis Handler chain.– Determines if the message contains a SOAP Fault. If so, it stops
processing
– It creates a NCES Secure message, but the SAML assertion now has the label of the data (no user information)
ServerHandler
WSWS Client
ClientHandler
Client Response Flow
• Response from server is intercepted by the Client Handler as part of the Axis Handler chain
• If SOAP Fault is found in the message no authentication of message is done
• Calls a service to check revocation status of certificate • Signature on MessageId, Timestamp, SAML Assertion, and Message
body is verified.
• MessageId uniqueness is verified.
• Timestamp is validated against allowed window.
• Message is returned to client for processing.
ServerHandler
WSWS Client
ClientHandler
Common Usage Example
ServerHandler
Portal
1.
ClientHandler
3.
5.2.
17.18.
20.
CVS4.4.
IFIS
6.7.
ClientHandler
8.
ServerHandler
11.
PDS10.10.
9.
SWS Provider
12.
13.
14.16.
CVS
15.15.
19.
Use of WSS4J in Axis Handlers• Original development in 2004, used it with
OpenSAML (it wasn’t a part of it back then)• Didn’t use WSS4J handlers, but used WSS4J
objects with DOM manipulation to create security messages & validate them:
/* Create a WS-Security header in original document*/ Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants);/* Add more stuff to security header.. (left out for brevity)*/ /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/
/* Now, sign parts.. */ Vector signParts = new Vector(); WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); signParts.add(samlP);WSSignEnvelope signer = new WSSignEnvelope();signer.setKeyIdentifierType(m_keyid);signer.setUserInfo(alias, pass); signer.setParts(signParts); Document signedDoc = signer.build(originalDoc, sloader.getCrypto());
/* On validate.. */WSSecurityEngine engine = new WSSecurityEngine();engine.processSecurityHeader(doc, null, null, crypto);
Web Service Approach to Labels and Mandatory Access Control
• MAC enforcement functionality at the Handler Level• On Request:
– Authenticating Web Service Client sets clearance and citizenship of user and security label of message
– Client Handler adds this to the message before signing It– Web Service Server Handler controls access based on message label, security label
– based on “high water mark” of intended web service – Web Service, before it responds, can set a security label on response message
• On Response:– Server Handler gets security label of message from WS returning data – Server Handler controls label access based on user’s clearance, and the security
label of message– Server Handler creates message with label– Client Handler validates message – Web Service Client Gets Response
Use of WSS4J in Axis Handlers• Original development in 2004, used it with
OpenSAML (it wasn’t a part of it back then)• Didn’t use WSS4J handlers, but used WSS4J
objects with DOM manipulation to create security messages & validate them:
/* Create a WS-Security header in original document*/ Element securityHeader = WSSecurityUtil.getSecurityHeader(WSSConfig.getDefaultWSConfig(), originalDoc, actor, soapConstants);/* Add more stuff to security header.. (left out for brevity)*/ /* Then programatically add things to security header – SAML, Timestamp, WS-Addressing MessageID, etc*/
/* Now, sign parts.. */ Vector signParts = new Vector(); WSEncryptionPart samlP = new WSEncryptionPart("Assertion", SAMLUtils.NAMESPACE, "SAML"); signParts.add(samlP);WSSignEnvelope signer = new WSSignEnvelope();signer.setKeyIdentifierType(m_keyid);signer.setUserInfo(alias, pass); signer.setParts(signParts); Document signedDoc = signer.build(originalDoc, sloader.getCrypto());
/* On validate.. */WSSecurityEngine engine = new WSSecurityEngine();engine.processSecurityHeader(doc, null, null, crypto);
Original Code on HF Web Site
• Code with ANT build, examples, sample keystores was put on government site in 2004
• http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip
Part 2: Use of WSS4J & Axis
In Current Gov’t Program
Security Architecture• Mutual SSL authentication
between browser and web application to authenticate user identity
• 2-way SSL between web application and web services to assert message sender identity
• X.509 Certificate in WS-Security header used to assert user identity
• WS using another security framework on back-end, but needed something on client side: Tomcat & Axis & WSS4J
ESB
Data Services
JDBC
Web Service
Data Data
Web Application
GUI
Data
WS
GUI
JDBC
WS-Security
X.509 Certificate
Token Profile over
2-way SSL
Browser
Roles
INFOSECBoundary
2-way SSL
A Glance at Axis/WSS4J Code//In Servlet/JSP code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); //.. //Put that in the property Axis uses VersionServiceLocator vsl = new VersionServiceLocator(); Stub stubby = (Stub)vsl.getVersion(); stubby._setProperty("CLIENT_CERT", certs[0]); //passes in the X509Certificate object Version v = (Version)stubby; System.out.println(v.getVersion());
//In client request handler: X509Certificate cert = (X509Certificate)inoutContext.getProperty("CLIENT_CERT");
/* Make a binarySecurityToken element */ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); Document doc = builder.newDocument(); org.apache.xml.security.Init.init(); X509Security binaryToken = new X509Security(doc); binaryToken.setX509Certificate(cert);
/* Now create a WS-Security Header, and put the Binary Token Under It */ WSSecHeader wsh = new WSSecHeader(); wsh.setMustUnderstand(false); Element e = wsh.insertSecurityHeader(origDoc); Node dup = origDoc.importNode(binaryToken.getElement(), true); e.appendChild(dup); Message newMsg = (Message)toSOAPMessage(origDoc); inoutContext.setRequestMessage(newMsg);
Conclusion• We found that WSS4J and Apache Axis were easy
to use to build a complex Web Services Security Solution
• Interoperability issues –– Originally (in early 2004) WS-Security namespace
changes made interoperability difficult – Now, no such problems – interoperates with .NET
solutions, and Axis client handler with WSS4J in current project interoperates well with BEA weblogic ALSB security subsystem.
Questions?
