1 / 30

Web Service Security Through A Guard

Web Service Security Through A Guard. Roxanne Yee Home Institution: University of Hawai ʻ i at Mānoa Internship Site: Akimeka, LLC Mentor: Marc Lefebvre Advisor: Todd Lawson. Presentation Overview. Project Hierarchy and Motivation Background and Terminology Guard Web Service Security

makya
Download Presentation

Web Service Security Through A Guard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web Service Security Through A Guard Roxanne Yee Home Institution: University of Hawaiʻi at Mānoa Internship Site: Akimeka, LLC Mentor: Marc Lefebvre Advisor: Todd Lawson

  2. Presentation Overview • Project Hierarchy and Motivation • Background and Terminology • Guard • Web Service Security • My Specific Part • Test Bench • An Example • Questions

  3. Information Assurance (IA) Group • Cross Domain Solutions (CDS) Group • GWSG (Global Web Services Gateway) Project • Service Oriented Architecture (SOA) Test Lab • Customers • National Security Agency (NSA) • Defense Information Systems Agency (DISA)

  4. GWSG Project Motivation • Goal • To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network Classified Network User Unclassified Database

  5. Classified Database Unclassified Database Classified Network User (Soldier) Sneaker-net GWSG Project Motivation • One Method Currently Used To Access Data

  6. GWSG Project Motivation • Disadvantages to Current Methods • Redundancies of Data • Time Costly • Replication • Transportation • Need For Data Synchronization • Frequent Updates • No Guarantee of Data Availability • Extra Manpower by Man-In-The-Loop

  7. GWSG Project Motivation • New Cross Domain Solution (CDS) • Web Services Technology Unclassified Database Classified Network User (Soldier) Guard

  8. SOA Test Lab Component • Goal • Evaluate Guards Specified by NSA and DISA • Compare capability and effectiveness to process message formats used by web services today • Provide the best guard solution given a specific situation in which the guard would be applied

  9. My Part In The SOA Test Lab • Research and Document How To Implement Web Service Security • Controlled and Predictable Environment • Test Web Service • Findings To Be Used In SOA Test Lab • Foundation • Template

  10. WSS, SOAP, and HTTP • WSS or WS-Security (Web Service Security) • OASIS (Organization for the Advancement of Structured Information Standards) • Applied to SOAP Messages • SOAP (Simple Object Access Protocol) • Message Format • HTTP (Hypertext Transfer Protocol) • Transport Protocol

  11. The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface Client (soapUI) Server (Axis2) * SOAP Request and SOAP Response

  12. The Project: Open-Source Software • Server Side • Tomcat 6.0.16 • Axis2 1.4 • Rampart 1.4 • Client Side • soapUI 2.0.2

  13. The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface Client (soapUI) Server (Axis2) * SOAP Request with WSS

  14. soapUI Outgoing Configuration Interface Used to Apply WSS to Request To Server

  15. A SOAP Message Request w/o WSS <soap: Envelope xmlns:soap=“http//sample01.policy.samples.rampart.apache.org” xmlns:sam=“http://www.w3.org/2003/05/soap-envelope”> <soap:Header/> <soap:Body> <sam:echo> <!--Optional:--> <sam:param0>Hello?</sam:param0> </sam:echo> </soap:Body> </soap:Envelope> Usual Request soapUI Sends w/o WSS

  16. A SOAP Message Request Header with WSS <soap:Header> <wsse:Security soap:mustUnderstand=“true” xmlns:wsse=“http://…secext-1.0.xsd”> <wsse:UsernameToken wsu:Id=“UsernameToken-22786527” xmlns:wsu:=“http://…utility-1.0.xsd”> <wsse:Username>alice</wsse:Username> <wsse:PasswordType=“http://... wss-username-token- profile-1.0#PasswordText”>bobPW </wsse:Password> </wsse:UsernameToken> </wsse:Security> </soap:Header> Additional WSS Informational Applied To Usual Request soapUI

  17. The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface Client (soapUI) Server (Axis2) * SOAP Response with WSS

  18. services.xml Without Rampart <?xml version="1.0" encoding="UTF-8"?> <service> <operation name="echo"> <messageReceiver class= "org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </operation> <parameter name="ServiceClass" locked="false"> org.apache.rampart.samples.policy.sample01.SimpleService </parameter> <module ref="addressing" /> <!-- RAMPART CONFIGURATION MAY OCCUR HERE --> </service> Usual Configuration Scheme For A Service on The Server

  19. services.xml with Rampart <module ref="rampart" /> <wsp:Policy wsu:Id="UT" xmlns:wsu="http://…” xmlns:wsp="http://…"><wsp:ExactlyOne><wsp:All> <sp:SupportingTokens xmlns:sp="http://…/securitypolicy"> <wsp:Policy><sp:UsernameToken sp:IncludeToken= "http://…/IncludeToken/AlwaysToRecipient"/> </wsp:Policy> </sp:SupportingTokens> <ramp:RampartConfig xmlns:ramp="http://…> <ramp:user>username</ramp:user> <ramp:passwordCallbackClass> org.apache.rampart.samples.policy.sample01.PWCBHandler </ramp:passwordCallbackClass> </ramp:RampartConfig> </wsp:All></wsp:ExactlyOne></wsp:Policy> Additional Code To Tell Rampart What Type of WSS To Expect

  20. The Project: Test Bench • Client and Server on same computer • Communicate through localhost interface Client (soapUI) Server (Axis2) * SOAP Messages with WSS

  21. Classified Unclassified XML Firewall Guard XML Firewall * SOAP over HTTP with WSS * Proprietary Format over Proprietary Protocol The Project: Ultimate Purpose Client (soapUI) Server (Axis2) localhost

  22. WSS Mechanisms Attempted • User Name Token • Username and Password • Timestamp • Time to Live • Encryption • Confidentiality • Signature • Integrity and Authentication

  23. An Example: Test Web Service Client “Hi!” Server “Hi!”

  24. An Example: Valid User Name Token Client Correct Username And Password Server Echo

  25. An Example: Invalid User Name Token Client Incorrect Username And/Or Password Server Error

  26. An Example: Test Results

  27. Actual SOA Test Lab Setup

  28. Acknowledgements VP Operations Matt Granger Program Manager Todd Lawson Mentor Marc Lefebvre GWSG Bryan Berkowitz Casey McGinty Scott Oshita Christopher Paris Derek Terawaki Helpful Coworkers Conrado Cortez Deanna Garcia Mark Mizubayashi Former Cubiclemates Ellen Federoff Kelly Ledford And Everyone Else Who Made Me Feel Welcome!

  29. Acknowledgements Maui Akamai Internship Program Funding Center for Adaptive Optics (CfAO) • National Science Foundation and Technology Center Grant (#AST-987683) Akamai Workforce Initiative • National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699) • University of Hawaiʻi Grant Program Staff Lisa Hunter Lani LeBron Scott Seagroves Lynne Raschke Short Course Instructors Dave Harrington Ryan Montgomery Isar Mostafanezhad Mark Pitts Sarah Sonnet And Everyone Else Who Contributed To This Valuable Experience!

  30. Thank you! Any Questions?

More Related