March 27, 2003. Vrije Universiteit, Amsterdam
XML Web Services Security
Slide 2_5
XML Security vs Traditional (Network) Security
Traditional Security:
• Host-to-host or point-to-point security
• Client/server oriented
• Connection or connectionless oriented
• Generically a single/common trust domain/association
XML Security:
• Document oriented approach
  ◆ Security tokens/assertions and policies can be associated with the document or its parts
• Intended to be cross-domain
• Potentially for virtual and dynamic trust domains (security associations)
XML Security - Components
• XML Signature
• XML Encryption
• Security Assertion
  ◆ SAML (Security Assertion Mark-up Language)
  ◆ XrML (XML Rights Mark-up Language)
  ◆ XACML (XML Access Control Mark-up Language)
• XKMS (XML Key Management Specification)
XML Signature: Features
Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
• An XML document may have a long history when different components are authored by different parties at different times
• Different parties may want to sign only those elements relevant to them
• Important when keeping the integrity of certain parts of an XML document is essential while leaving other parts open to change
• Allows carrying security tokens/assertions on the document/data rather than on the user/client
• Provides security features for XML-based protocols
  ◆ Provides basic functionality for state assertions
XML Signature structure (? = optional, + = one or more, * = zero or more)
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>
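The following is an added example (it is not from the lecture slides or from the XML Signature specification) that ties the feature slide to the structure above: it signs only the `Order` element of a purchase order, so a later party can change the unsigned `ShippingNote` without invalidating the signature, while a change inside `Order` is detected. It builds the `SignedInfo`/`Reference`/`DigestValue`/`SignatureValue` elements shown in the structure, uses Python's standard-library C14N 2.0 serializer for the CanonicalizationMethod, and assumes an HMAC-SHA256 SignatureMethod with a constructed shared key so it runs offline; a deployed signature would normally use an asymmetric SignatureMethod and carry a `KeyInfo` element, and the sample document and key are constructed for the demo.

```python
"""Added example: sign one element of an XML document (XML-Signature-style
structure), then verify it after edits to signed and unsigned parts."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N_URI = "http://www.w3.org/2010/10/xml-c14n2"              # C14N 2.0 (what ET.canonicalize implements)
SIG_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # HMAC-SHA256 SignatureMethod
DIGEST_URI = "http://www.w3.org/2001/04/xmlenc#sha256"          # SHA-256 DigestMethod
ET.register_namespace("ds", DS)

SHARED_KEY = b"constructed-demo-key-not-for-production"  # constructed, demo only

# Constructed sample document: Order is the part whose integrity matters,
# ShippingNote may legitimately be edited later by another party.
DOC = """<PurchaseOrder>
  <Order Id="order1"><Item>widget</Item><Quantity>10</Quantity></Order>
  <ShippingNote>leave at door</ShippingNote>
</PurchaseOrder>"""


def b64(data):
    return base64.b64encode(data).decode()


def canonical_bytes(elem):
    """Canonical (C14N 2.0) serialization of one element subtree, so that
    whitespace and attribute-order differences do not change the digest."""
    clone = copy.copy(elem)   # shallow copy: clearing the tail must not touch the document
    clone.tail = None         # ET.tostring would otherwise append text following the element
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True).encode()


def find_by_id(root, elem_id):
    """Resolve a same-document Reference URI (#Id) to its element."""
    for e in root.iter():
        if e.get("Id") == elem_id:
            return e
    raise KeyError(elem_id)


def sign_element(root, elem_id, key):
    """Append a <ds:Signature> to root that covers only the element with Id=elem_id."""
    target = find_by_id(root, elem_id)
    digest = hashlib.sha256(canonical_bytes(target)).digest()

    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_URI)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=SIG_URI)
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=f"#{elem_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=DIGEST_URI)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(digest)

    # SignatureValue is computed over the canonical SignedInfo, which carries the digests.
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    return sig


def verify(root, key):
    """True only if every Reference digest and the SignatureValue check out."""
    sig = root.find(f"{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if signed_info is None:
        return False
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document references are handled in this demo
        try:
            target = find_by_id(root, uri[1:])
        except KeyError:
            return False
        expected = b64(hashlib.sha256(canonical_bytes(target)).digest())
        if not hmac.compare_digest(expected, ref.findtext(f"{{{DS}}}DigestValue") or ""):
            return False
    expected_mac = b64(hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest())
    return hmac.compare_digest(expected_mac, sig.findtext(f"{{{DS}}}SignatureValue") or "")


def demo():
    """Returns (untouched valid?, unsigned part edited valid?, signed part edited valid?)."""
    root = ET.fromstring(DOC)
    sign_element(root, "order1", SHARED_KEY)
    signed_xml = ET.tostring(root, encoding="unicode")

    untouched = verify(ET.fromstring(signed_xml), SHARED_KEY)
    t = ET.fromstring(signed_xml)
    t.find("ShippingNote").text = "ring the bell"      # unsigned part changed by a later party
    note_changed = verify(t, SHARED_KEY)
    t = ET.fromstring(signed_xml)
    t.find("Order/Quantity").text = "1000"             # signed part tampered with
    order_changed = verify(t, SHARED_KEY)
    return untouched, note_changed, order_changed


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

Because the signature is a sibling of the signed element rather than its ancestor, no enveloped-signature Transform is needed; the optional `Transforms` slot in the structure would be used if the `Reference` pointed at an element that contains the `Signature` itself.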
XML Web Services
A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML-based messages conveyed by Internet protocols.
• Service oriented architecture for application-to-application interaction
  ◆ Describing Web services – WSDL
  ◆ Exchanging messages – SOAP extensions
  ◆ Publishing and discovering WS descriptions – UDDI
• Programming language-, programming model-, and system software-neutral
• Standards based: XML/SOAP foundation
• Industry initiatives (and development platforms)
  ◆ Sun SunONE/J2EE (SunONE Studio)
  ◆ Microsoft .NET (Visual Studio .NET)
  ◆ IBM Dynamic e-Business (AlphaWorks)
  ◆ XML Spy by Altova
XML WS - Service Oriented Architecture
• WSDL based Service Description
• SOAP based messaging over HTTP, SMTP, TCP, etc.
• UDDI based Publishing/Discovery
Web services features – three stacks
Web Service Description Language (WSDL)
• WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) messages.
• The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint.
WSDL Example – TimeService.wsdl
(Diagram slide; only the namespace URIs shown in the figure are recoverable:)
http://www.Nanonull.com/TimeService/
http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn)
Web Services Security Model
The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries.
• A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.).
  ◆ The set of required claims and related information is referred to as a Policy.
• A requester can send messages with proof of the required claims by associating security tokens with the messages.
  ◆ Messages both demand a specific action and prove that their sender has the claim to demand the action.
• When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services.
  ◆ Security token services broker trust between different trust domains by issuing security tokens.
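The following is an added example (not from the lecture slides or from the WS-Security specification) of the claims/policy model just described: a service policy lists the claims an incoming SOAP message must prove and which issuers it trusts for each; the tokens in the `wsse:Security` header are mapped to claims and checked against that policy, and any claim that is missing or not from a trusted issuer is reported back, which is exactly what the requester would then go and obtain from a security token service. The SOAP and `wsse` namespace URIs and the `wsse:UsernameToken` element are real; the `demo:Claim` element, its namespace, the policy and the sample envelopes are constructed stand-ins for an STS-issued assertion (such as SAML). Checking the proof itself (password digests, signatures over the tokens) is left out.

```python
"""Added example: evaluate the security tokens in a SOAP message's
wsse:Security header against a service Policy of required claims."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DEMO = "urn:example:demo-claims"  # constructed namespace for a simplified STS-issued claim

# Constructed policy: required claim type -> issuers accepted for that claim.
# "self" means the sender may assert the claim itself (e.g. via a UsernameToken);
# a permission claim must come from the trusted security token service.
POLICY = {"name": {"self"}, "permission": {"sts.example.org"}}


def extract_claims(envelope_xml):
    """Return {claim_type: (issuer, value)} for the tokens found in wsse:Security."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    claims = {}
    if sec is None:
        return claims
    # A real wsse:UsernameToken carries the sender's own 'name' claim.
    for tok in sec.findall(f"{{{WSSE}}}UsernameToken"):
        name = tok.findtext(f"{{{WSSE}}}Username")
        if name:
            claims["name"] = ("self", name)
    # Constructed <demo:Claim Type=".." Issuer=".."> stands in for an STS-issued assertion.
    for c in sec.findall(f"{{{DEMO}}}Claim"):
        claims[c.get("Type")] = (c.get("Issuer"), (c.text or "").strip())
    return claims


def evaluate(envelope_xml, policy):
    """Return ("accept", set()) or ("reject", {claims missing or not from a trusted issuer})."""
    claims = extract_claims(envelope_xml)
    missing = set()
    for claim_type, trusted_issuers in policy.items():
        found = claims.get(claim_type)
        if found is None or found[0] not in trusted_issuers:
            missing.add(claim_type)
    return ("accept" if not missing else "reject", missing)


def envelope(username, permission_claim=None):
    """Build a constructed SOAP envelope; permission_claim is (issuer, value) or None."""
    claim = ""
    if permission_claim:
        issuer, value = permission_claim
        claim = f'<demo:Claim Type="permission" Issuer="{issuer}">{value}</demo:Claim>'
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:demo="{DEMO}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken><wsse:Username>{username}</wsse:Username></wsse:UsernameToken>
      {claim}
    </wsse:Security>
  </soap:Header>
  <soap:Body><CreateOrder/></soap:Body>
</soap:Envelope>"""


def demo():
    """Three constructed requests: complete, missing the permission claim,
    and carrying a permission claim from an issuer the policy does not trust."""
    complete = envelope("alice", ("sts.example.org", "order:create"))
    no_permission = envelope("alice")
    untrusted = envelope("alice", ("unknown.example", "order:create"))
    return (evaluate(complete, POLICY),
            evaluate(no_permission, POLICY),
            evaluate(untrusted, POLICY))


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The "reject" result carries the set of unsatisfied claims rather than a bare failure: in the model on the slide, that is the information the requester (or a broker acting for it) needs in order to ask a security token service for the right token before retrying.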