Enterprise Java Security. Building Secure J2EE Applications
Authors: Pistoia M., Nagaratnam N., Koved L.
Published year: 2004
|< Day Day Up >|
14.6 Web Services Security Model Principles
Web services can be accessed by sending SOAP messages to service end points identified by URIs, requesting specific actions, and receiving SOAP-message responses, including fault indications . Within this context, the broad goal of securing Web services breaks into the subsidiary goals of providing facilities for securing the integrity and confidentiality of the messages and for ensuring that the service acts only on requests in messages that express the claims required by policies.
Today, the SSL and TLS protocols are used to provide transport-level security for Web Services applications. These protocols offer several security features, including authentication, data integrity, and data confidentiality and enable point-to-point secure sessions. As a network-layer standard for transport security, IPSec may become important for Web Services. Like SSL and TLS, IPSec also provides secure sessions with application-level authentication, data integrity, and data confidentiality.
Today's Web Services application topologies include a broad combination of mobile devices, gateways, proxies, load balancers, DMZs, outsourced data centers, and globally distributed, dynamically configured systems (see Section 2.1 on page 23 and Section 6.2 on page 192). All these systems rely on the ability of message-processing intermediaries to forward messages. Specifically, the SOAP messaging model operates on logical end points that abstract the physical network and application infrastructure and therefore frequently incorporates a multihop topology with intermediate actors or roles.
When data is received and forwarded by an intermediary beyond the transport layer, both the integrity of data and any security information that flows with it may be lost. This forces any upstream message processors to rely on the security evaluations made by previous intermediaries and to completely trust their handling of the content of messages. The key point here is that sensitive information is transferred into the clear and is vulnerable to attackcombined with the fact that these intermediary systems are often edge processors, which makes them more susceptible to attack. Therefore, a comprehensive Web Services security architecture needs a mechanism that provides end-to-end security as opposed to point-to-point security. A comparison of these two approaches is shown in Figure 14.1. Successful Web Services security solutions will be able to leverage network-, transport-, and application-layer security mechanisms to provide a comprehensive suite of security capabilities.
Figure 14.1. Point-to-Point and End-to-End Configurations
The Web Services security model described herein enables us to achieve these goals by a process in which
This model is illustrated in Figure 14.2, showing that any requester may also be a service and that the security-token service may also fully be a Web service, including expressing policy and requiring security tokens.
Figure 14.2. Web Services Security Model
This general messaging security model claims, policies, and security tokenssubsumes and supports several more specific models, such as identity-based security, access-control lists, and capabilities-based security. The model allows use of existing technologies, such as X.509 public-key certificates, Kerberos shared-secret tickets, and even password digests, and provides an integrating abstraction allowing systems to build a bridge between security technologies. The general model is sufficient to construct higher-level key exchange, authentication, authorization, auditing, and trust mechanisms.
One of the security principles expressed in Figure 14.1 and introduced in WS-Security is the ability to provide an end-to-end propagation of a security context. This constitutes the goals and cornerstone for the Web Services security model shown in Figure 14.2. The set of the Web Services security specifications is shown in Table 14.1.
Table 14.1. Web Services Security Specifications
WS-Security provides the basis for the other security specifications, including a comprehensive Web Services messaging security model as described in Table 14.1. Layered on this is a policy layer , which includes WS-Policy, the Web Services Trust Language specification (WS-Trust), and Web Services Privacy Language specification (WS-Privacy). Together, these initial specifications provide the foundation on which to establish comprehensive, secure, and interoperable Web services across trust domains.
Building on these initial specifications, the federation layer includes specifications for federated security , which includes a Web Services Secure Conversation Language specification (WS-SecureConversation), a Web Services Federation Language specification (WS-Federation), and a Web Services Authorization Language specification (WS-Authorization). The combination of these security specifications enables many scenarios (such as the one described in Section 14.8 on page 518) that would be difficult to implement with today's basic security mechanisms.
14.6.1 Web Services Message Security
A signed security token is asserted and cryptographically signed by a specific authority. For example, an X.509 certificate, which asserts a binding between one's identity and public key, is an example of a signed security token. Similarly, a Kerberos ticket represents a signed security token. Conversely, a user ID is an unsigned security token.
A SOAP header provides a mechanism for associating the signature with the claims in a security token. There are several things to note.
As we have observed , security-token claims can be either endorsed by an authority or left unendorsed. A set of endorsed claims is usually represented as a signed security token that is digitally signed or cryptographically protected by the authority. A security token can be pushed , or carried in a message, or the security token can be a reference that the receiver can use to pull the claim from the referenced authority.
Another aspect of a security model is the articulation of a trust relationship. Security tokens are useful within a trust domain. A trust domain can be articulated through a manual process, an agreement, or the implementation of a set of rules enforcing the trust policy. An unendorsed claim can thus be trusted given any established trusted channel between the sender and the receiver. For example, the unendorsed claim that the sender is Bob is sufficient for a certain receiver to believe that the sender is in fact Bob, if the sender and the receiver use a connection with a sufficient protection and there is a trusted channel between them (see page 522).
One special type of unendorsed claim is a proof-of-possession , data that is used in a proof process to demonstrate the sender's knowledge of information that should be known only to the claiming sender of a security token. Such a claim produces evidence that the sender has a particular piece of knowledge that is known to, or verifiable by, only appropriate actors. For example, a user ID and password pair is a security token with this type of claim. When a proof-of-possession is involved, the receiver decides whether the evidence produced is sufficient proof. This type of evidence is sometimes combined with other security tokens to prove the claims of the sender. Note that a digital signature applied to a message for the purposes of message integrity can also be interpreted as evidence of possession of part of the key pair, although in the WS-Security specification, a digital signature is not considered as a type of security token.
Protecting the message content from unauthorized access ( confidentiality ) and/or modification ( integrity ) are primary security concerns. The WS-Security specification provides a means to protect a message by encrypting and/or digitally signing the contents of the body or the header of the message.
WS-Policy provides a general-purpose framework and corresponding syntax to describe and communicate the policies of a Web service. WS-Policy defines a base set of constructs that can be used and extended by other Web Services specifications to describe a broad range of service requirements, preferences, and capabilities.
The Web Services policy specification, detailed in Figure 14.3, includes
Figure 14.3. Set of WS-Policy Specifications
WS-Policy is designed to allow extensibility. Policy is a broad term that encompasses a range of disciplines, such as security, reliability, and privacy. Similarly, the ability to express policies is not limited to the expression of general policies or security policies. The set of WS-Policy specifications shown in Figure 14.3 adds another mechanism to the WS-Security portfolio, but policy expression is not limited to security policies. The intent is for the basic policy framework to accommodate the expression of domain-specific policy languages in a way that leverages domain knowledge within a consistent Web Services framework.
WS-PolicyAttachment offers several ways to advertise policy assertions for Web services. It builds on the existing WSDL and UDDI specifications but also supports extensibility. It allows for combining domain-specific policies with common policies for Web services. A typical example is a requesting Web service that may look for a service provider that offers processing in a particular human language, such as Italian. The requesting Web service thus applies a policy assertionthe need for Italian-language support. The provider could also make this assertion by advertising that it can offer its service in Italian. The WS-PolicyAssertions language offers this type of common policy expression by defining a generic set of policy assertions for Web services.
Security is a domain. To illustrate security policies, the WS-SecurityPolicy specification expresses assertions needed to support security tokens, integrity, and confidentiality as defined in WS-Security.
As we discuss in Section 14.6.3, in the Web Services paradigm, the trust between a service requester and a service provider is established through the exchange of information between the two parties in an expected and understood manner. The description of this expected behavior within the security space can be called a trust policy . The WS-Policy framework supports trust partners ' expressing and exchanging their statements of trust. Often, this expression of a broad level of trust between entities is built on the exchange of security tokens to provide the elements for a secure conversation.
The WS-Trust specification starts the work of defining trust relationships by defining a set of interfaces for requesting security tokens. It is designed to support the creation of multiple security-token formats, as described in WS-Security, to accommodate a variety of security practices, including authentication, authorization, and secure conversations.
In general, a Web service has a policy applied to it, receives a message from a requester that possibly includes security tokens, and may have some protection applied to it using Web Services security mechanisms. For example, a Web service security configuration requires that the Web service requester provide an authorization token in order to access certain service enhancements. The authorization token might be generated by a security-token service, which takes in a proof of identity and a request for a signed claim that the named identity has a particular business certification. This authorization token can then be supplied in a request to the Web service, which has expressed trust in such a signed claim.
The trust engine of a Web service performs the following key steps:
If these conditions are met and the requester is authorized to perform the operation, the Web service can process the Web service request within the specified trust model.
Asserting trust can be done in many ways, and assessing the presence of a trust relationship can be done by either of two methods. WS-Trust describes these two methods , which depend on whether the assessment is based on information from within a message flow ( in- band ) or external to a message flow ( out-of-band ).
WS-SecureConversation takes the designation of trust based on security tokens to the next level by demonstrating how tokens can be used within the context of these policy-defined trusted relationships to allow requesters and providers to securely exchange information over the duration of a conversation. Whereas WS-Trust defines the behavior of overall trust relationships, WS-SecureConversation focuses on defining a security contextsecurity tokenfor secure communications.
The purpose of WS-Privacy is to descibe the syntax and semantics for binding privacy policies to Web services and instances of data in messages. The main emphasis of WS-Privacy lies in enabling policies to be processed by Web service providers and requesters, in contrast to interfacing to human users on a precise meaning and on usability in chains of Web services within or across enterprises . WS-Privacy builds on WS-Policy and related standards. WS-Privacy does not define a new privacy-policy language but offers the means to bind such existing languages to a Web service.
Federation is the overall term used to refer to the set of distinct, heterogeneous enterprises that wish to provide a user with a single-sign-on, ease-of-use experience. Enterprises can be corporate entities, Internet service providers, or associations of individuals. A federated environment differs from a traditional single-sign-on environment in that no preestablished rules limit how enterprises transfer information about a user. Policy rules may have been preestablished for an enterprise's participation in the federation. Within a federated environment, enterprises provide services that deal with authenticating users, accepting authentication assertions also referred to as authentication tokens supplied by other enterprises, and providing some form of translation of the identity of the vouched-for user into one that is understood within the local enterprise. Therefore, the goal of WS-Federation is to define mechanisms that are used to enable identity, attribute, authentication, and authorization federation across trust domains.
The purpose of WS-Authorization is to describe how access policies for a Web service are specified and managed. In particular, the goal is to describe how claims may be specified within security tokens and how these claims will be interpreted at the end point.
The goal of WS-Authorization is to be flexible and extensible with respect to both authorization format and authorization language. This enables the widest range of scenarios and ensures the long-term viability of the security framework.
Let us use a travel agency scenario to illustrate some of these concepts. Fabrikam456 Travel Agency Company offers its travel services through several business portals to provide air, hotel, and car rental services to its customers. Fabrikam456 needs to establish trust relationships with its partners through these portals.
Fabrikam456 would like to offer an integrated set of services to its customers whereby a requester could submit a single request for hotel, airline, and vehicle. Fabrikam456 would like also the flexibility to extend the services for its partners on the basis of a variety of criteria: gold service, preferred customers, and so on. The policy for one of its partners, RentalCars456, might include a security policy requirement for a RentalCars456 security token to establish the user's identity, as well as a business application requirement stating the cancellation policy for reservations . The policy for another partner, UnitedCars456, might include a requirement for UnitedCars456 preferred-customer numbers .
Because Fabrikam456 supports various business relationships, it needs to be able to determine which travel services to invoke for which customer. How can the WS-Security standards help in automating the trust relationships for Fabrikam456 to quickly and securely offer integrated travel services as part of the customer's trusted portal environment?
Alternatively, Fabrikam456 could act as a clearinghouse, redirect all requests from each user to any partner, and let the partner challenge the user for authentication and notify the customer of the policy. Although Fabrikam456 as a clearinghouse might earn advertising revenue, it needs to provide value as a travel service. In this second scenario, Fabrikam456 could offer a security-token service for its new business partners. For example, RentalCars456 may prefer to outsource the management of user information. In this case, RentalCars456 sees the advantage of not doing its own credit processing and may choose to take advantage of Fabrikam456's additional service by taking each authenticated request and calling the security-token service to retrieve credit approval from Fabrikam456.
Credit services might require additional security measures. WS-SecurityPolicy assertions give Fabrikam456 and RentalCars456 the ability to express additional security policies that the messages between Fabrikam456 and RentalCars456, which both adhere to the WS-Security specification, must provide. For example, RentalCars456 may require that all credit assertions be digitally signed and contain an expiration time.
|< Day Day Up >|
Enterprise Java Security. Building Secure J2EE Applications
Authors: Pistoia M., Nagaratnam N., Koved L.
Published year: 2004