WS Security
Anders Smestad
The Web Services
[Figure: web service architecture: a service, WSDL, SOAP, UDDI, <Transport>, client/consumer]
Why Web Services?
• loosely-coupled
• language-neutral
• platform-independent
• Really:
– PR
– It is so easy! (Want a demo?)
– It can run on port 80
But it isn’t secure…
• Transport Layer Security (TLS) can provide point-to-point security, but not
end-to-end security, which is a problem when proxies sit between the endpoints
• Want:
– Message integrity
– Message confidentiality
The WS-Security solution
About two years after Web Services were introduced, IBM, Microsoft and VeriSign
addressed the security issue. In April 2002 they released the proposed
specification for WS-Security, drawing on the earlier SOAP-Security, WS-Security
and WS-License proposals.
April 2004: The standard was released as WS-Security 1.0 by OASIS Open
February 2006: OASIS Open released "Web Services Security: SOAP Message Security 1.1
(WS-Security 2004)", also known as the WS-Security Core Specification 1.1
WS-Security 1.1
From the spec:
• Enhancements to SOAP to provide integrity and
confidentiality
“Web Services Security: SOAP Message Security” or “WSS: SOAP
Message Security”
• Accommodates a wide variety of security models
and encryption technologies
• Provides a mechanism for associating security
tokens with message content
• Of course extensible: Supports multiple security
token formats, can define different formats for
different parts of the message
Disclaimer
• Provides flexible set of mechanisms to
construct a range of security protocols
• Does not describe explicit fixed security
protocols
[Figure: a Signature in the security header covering the SOAP Body]
Security Header Block
• No blocks with same S11:actor or S12:role
• Only one may omit actor/role attribute
<S11:Envelope>
  <S11:Header>
    ...
    <wsse:Security S11:actor="..." S11:mustUnderstand="...">
      ...
    </wsse:Security>
    <wsse:Security S12:role="..." S12:mustUnderstand="...">
      ...
    </wsse:Security>
    ...
  </S11:Header>
  ...
</S11:Envelope>
For extensibility, should be based on schema:
/wsse:Security/{any}
/wsse:Security/@{any}
(see WSS 1.1 Spec pg 21 for description)
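The two header-block rules above are mechanical enough to check before a message is processed. What follows is an added example written for this page, not code from the slides or from any WS-Security implementation: it parses the envelope with Python's standard library and reports wsse:Security blocks that share an actor/role or that both omit the attribute. The namespace URIs are the SOAP 1.1, SOAP 1.2 and WSS secext ones; the `urn:example:gateway` actor and the three envelopes are constructed test input.

```python
"""Check the wsse:Security header-block rules of WSS 1.1 (constructed example, not from the slides)."""
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
S12 = "http://www.w3.org/2003/05/soap-envelope"     # SOAP 1.2 envelope namespace
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def security_block_targets(envelope_xml):
    """Return the actor/role target of every wsse:Security block, in document order (None = omitted)."""
    root = ET.fromstring(envelope_xml)
    soap_ns = root.tag[1:root.tag.find("}")] if root.tag.startswith("{") else ""
    if soap_ns not in (S11, S12):
        raise ValueError("not a SOAP 1.1 or 1.2 envelope: %s" % root.tag)
    # SOAP 1.1 addresses a block with S11:actor, SOAP 1.2 with S12:role.
    target_attr = "{%s}%s" % (soap_ns, "actor" if soap_ns == S11 else "role")
    header = root.find("{%s}Header" % soap_ns)
    blocks = [] if header is None else header.findall("{%s}Security" % WSSE)
    return [block.get(target_attr) for block in blocks]


def check_security_headers(envelope_xml):
    """Return the list of header-block violations; an empty list means the layout is legal."""
    counts = {}
    for target in security_block_targets(envelope_xml):
        counts[target] = counts.get(target, 0) + 1
    violations = []
    for target, n in counts.items():
        if n < 2:
            continue
        if target is None:
            violations.append("%d wsse:Security blocks omit actor/role; at most one may" % n)
        else:
            violations.append("%d wsse:Security blocks target the same actor/role %r" % (n, target))
    return violations


# Constructed envelopes. OK_11: one block for an intermediary, one for the ultimate receiver.
OK_11 = """<S11:Envelope xmlns:S11="%s" xmlns:wsse="%s">
  <S11:Header>
    <wsse:Security S11:actor="urn:example:gateway" S11:mustUnderstand="1"/>
    <wsse:Security S11:mustUnderstand="1"/>
  </S11:Header>
  <S11:Body/>
</S11:Envelope>""" % (S11, WSSE)

# BAD_11: two blocks without an actor and two blocks aimed at the same actor.
BAD_11 = """<S11:Envelope xmlns:S11="%s" xmlns:wsse="%s">
  <S11:Header>
    <wsse:Security/>
    <wsse:Security/>
    <wsse:Security S11:actor="urn:example:gateway"/>
    <wsse:Security S11:actor="urn:example:gateway"/>
  </S11:Header>
  <S11:Body/>
</S11:Envelope>""" % (S11, WSSE)

# BAD_12: the same mistake in SOAP 1.2 terms, where the attribute is S12:role.
BAD_12 = """<S12:Envelope xmlns:S12="%s" xmlns:wsse="%s">
  <S12:Header>
    <wsse:Security S12:role="urn:example:gateway"/>
    <wsse:Security S12:role="urn:example:gateway"/>
  </S12:Header>
  <S12:Body/>
</S12:Envelope>""" % (S12, WSSE)

if __name__ == "__main__":
    for name, env in (("OK_11", OK_11), ("BAD_11", BAD_11), ("BAD_12", BAD_12)):
        print(name, check_security_headers(env) or "ok")
```

A receiver that enforces these rules up front knows which single block is addressed to it (the one with its own actor/role, or the one without an attribute), rather than guessing between duplicates.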
SOAP Example
<?xml version="1.0" encoding="utf-8"?>
<S11:Envelope xmlns:S11="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">
      QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>
WSS’ed SOAP Example
<?xml version="1.0" encoding="utf-8"?>
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
    <wsse:Security xmlns:wsse="...">
      <wsse:BinarySecurityToken ValueType="http://fabrikam123#CustomToken"
                                EncodingType="...#Base64Binary" wsu:Id="MyID">
        FHUIORv...
      </wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#MsgBody">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MyID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">
      QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>
(see WSS 1.1 Spec pg 15 for description)
Enables the scenario
[Figure: SOAP -> "WS-module" -> Secure SOAP]
…and this:
[Figure: SOAP -> "WS-module" -> Web Service]
You don’t need to code XML
import java.io.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.axis.Message;
import org.apache.axis.message.SOAPEnvelope;
import org.apache.ws.security.components.crypto.*;
import org.apache.ws.security.message.WSSignEnvelope;
import org.w3c.dom.Document;
public Message signSOAPEnvelope(SOAPEnvelope unsignedEnvelope) throws Exception
{
    // WSSignEnvelope signs a SOAP envelope according to the WS Specification (X509 profile)
    // and adds the signature data to the envelope.
    WSSignEnvelope signer = new WSSignEnvelope();
    // Keystore alias of the signing key and the password that unlocks it.
    signer.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "foobar");
    // The "crypto" object implements access to the keystore and handling of certificates. A default
    // implementation is included: org.apache.ws.security.components.crypto.Merlin, which CryptoFactory
    // configures from crypto.properties on the classpath.
    Crypto crypto = CryptoFactory.getInstance();
    // build() works on a W3C DOM Document, so convert the Axis envelope first.
    Document doc = unsignedEnvelope.getAsDocument();
    // The "build" method creates the signed SOAP envelope: it takes the envelope as a W3C Document
    // and adds a WSS Signature header to it. The signed elements depend on the signature parts set
    // with WSBaseMessage.setParts(java.util.Vector parts); by default the SOAP Body is signed.
    Document signedDoc = signer.build(doc, crypto);
    // Serialize the signed DOM and wrap it in an Axis Message for sending.
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    TransformerFactory.newInstance().newTransformer().transform(new DOMSource(signedDoc), new StreamResult(out));
    Message signedSOAPMsg = new Message(new ByteArrayInputStream(out.toByteArray()));
    return signedSOAPMsg;
}
Transforms this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <sayHello xmlns="http://jeffhanson.com/services/helloworld">
      <value xmlns="">
        Hello world!
      </value>
    </sayHello>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Into this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/...-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="#id-1281123">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>wLumPkKZ+X48rjao/XUUQDp0xk0=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>a56OxPcKr8LJnIFgRyMQej5/ZkUjkV9V9rmn+queMKzJ3GYpMiXpjQ==</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-30752603">
          <wsse:SecurityTokenReference wsu:Id="STRId-2545159" xmlns:wsu="http://docs...-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=pubcert</ds:X509IssuerName>
              <ds:X509SerialNumber>1140726843</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="id-1281123" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <sayHello xmlns="http://jeffhanson.com/services/helloworld">
      <value xmlns="">Hello world!</value>
    </sayHello>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
ID References
• WSS defines the wsu:Id attribute, of type xsd:ID
<anyElement wsu:Id="…">…</anyElement>
• Used to locate elements in the message, e.g. for correlating signatures
with security tokens
• XML Schema defines several id and referencing data types, but they require
the consumer to have or obtain the schema definition
• For intermediaries this can be "heavy" and is not desirable
• May also use <wsse:SecurityTokenReference> for referencing security tokens
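The wsu:Id mechanism just described is what ties the ds:Signature in the WSS'ed SOAP example to the Body it covers and to the token that holds its key. The block below is an added example written for this page, not code from the slides or from the WSS specification: it signs a Body and then verifies it the way a receiver should, resolving every `URI="#..."` to exactly one element by wsu:Id (xsd:ID permits no duplicates), selecting the key through the wsse:Reference to the BinarySecurityToken, checking the HMAC-SHA1 over SignedInfo first and only then recomputing the digest of the referenced element. Assumptions, all mine: the standard library's C14N 2.0 (`http://www.w3.org/2010/xml-c14n2`) stands in for the exclusive canonicalization the slide's listing names, so the output will not interoperate with a WS-Security toolkit; the key table, the CustomToken bytes and the envelope are constructed; SHA-1 appears only because it is what the listing uses.

```python
"""Sign and verify a SOAP Body by wsu:Id reference (constructed example, not from the slides)."""
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"  # stdlib C14N 2.0, standing in for exc-c14n here
HMAC_SHA1 = DS + "hmac-sha1"
SHA1 = DS + "sha1"
for prefix, uri in (("S11", S11), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

SHARED_KEYS = {"MyID": b"constructed-demo-key"}  # constructed: token wsu:Id -> shared secret

# Constructed unsigned envelope, modelled on the StockSymbol example.
UNSIGNED = """<S11:Envelope xmlns:S11="%s" xmlns:wsu="%s">
  <S11:Header/>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
  </S11:Body>
</S11:Envelope>""" % (S11, WSU)

def b64(raw):
    return base64.b64encode(raw).decode()

def c14n(elem):
    """Canonical bytes of one subtree (tail excluded); prefixes rewritten so the sender's prefix choice is irrelevant."""
    node = copy.copy(elem)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode"), rewrite_prefixes=True).encode()

def find_by_wsu_id(root, uri):
    """Resolve "#MsgBody" to the one element with wsu:Id="MsgBody"; as xsd:ID, exactly one match is legal."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are supported: %r" % uri)
    hits = [e for e in root.iter() if e.get("{%s}Id" % WSU) == uri[1:]]
    if len(hits) != 1:
        raise ValueError("wsu:Id %r matched %d elements, expected 1" % (uri[1:], len(hits)))
    return hits[0]

def sign_body(envelope_xml, token_id, key):
    """Add a wsse:Security header whose ds:Signature covers the element referenced as #MsgBody."""
    root = ET.fromstring(envelope_xml)
    body = find_by_wsu_id(root, "#MsgBody")
    sec = ET.SubElement(root.find("{%s}Header" % S11), "{%s}Security" % WSSE, {"{%s}mustUnderstand" % S11: "1"})
    tok = ET.SubElement(sec, "{%s}BinarySecurityToken" % WSSE,
                        {"{%s}Id" % WSU: token_id, "ValueType": "http://fabrikam123#CustomToken"})
    tok.text = b64(b"opaque-token-bytes")  # constructed token content
    sig = ET.SubElement(sec, "{%s}Signature" % DS)
    si = ET.SubElement(sig, "{%s}SignedInfo" % DS)
    ET.SubElement(si, "{%s}CanonicalizationMethod" % DS, Algorithm=C14N2)
    ET.SubElement(si, "{%s}SignatureMethod" % DS, Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, "{%s}Reference" % DS, URI="#MsgBody")
    ET.SubElement(ref, "{%s}DigestMethod" % DS, Algorithm=SHA1)
    ET.SubElement(ref, "{%s}DigestValue" % DS).text = b64(hashlib.sha1(c14n(body)).digest())
    # The HMAC is over the canonical SignedInfo, which in turn carries the Body digest.
    ET.SubElement(sig, "{%s}SignatureValue" % DS).text = b64(hmac.new(key, c14n(si), hashlib.sha1).digest())
    str_ = ET.SubElement(ET.SubElement(sig, "{%s}KeyInfo" % DS), "{%s}SecurityTokenReference" % WSSE)
    ET.SubElement(str_, "{%s}Reference" % WSSE, URI="#" + token_id)
    return ET.tostring(root, encoding="unicode")

def verify_body_signature(envelope_xml, keys=SHARED_KEYS):
    """True only if the signature verifies under the referenced token's key and covers the SOAP Body."""
    root = ET.fromstring(envelope_xml)
    try:
        sig = root.find("./{%s}Header/{%s}Security/{%s}Signature" % (S11, WSSE, DS))
        si = sig.find("{%s}SignedInfo" % DS)
        # Refuse algorithms this verifier does not implement instead of falling back to something else.
        if si.find("{%s}CanonicalizationMethod" % DS).get("Algorithm") != C14N2:
            return False
        if si.find("{%s}SignatureMethod" % DS).get("Algorithm") != HMAC_SHA1:
            return False
        # Key selection: wsse:Reference URI -> BinarySecurityToken wsu:Id -> shared secret.
        tok_ref = sig.find("./{%s}KeyInfo/{%s}SecurityTokenReference/{%s}Reference" % (DS, WSSE, WSSE))
        key = keys.get(find_by_wsu_id(root, tok_ref.get("URI")).get("{%s}Id" % WSU))
        if key is None:
            return False
        # Check the HMAC over SignedInfo first; only then are the digests it lists worth trusting.
        expected = hmac.new(key, c14n(si), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, base64.b64decode(sig.findtext("{%s}SignatureValue" % DS))):
            return False
        body_covered = False
        for ref in si.findall("{%s}Reference" % DS):
            if ref.find("{%s}DigestMethod" % DS).get("Algorithm") != SHA1:
                return False
            target = find_by_wsu_id(root, ref.get("URI"))
            digest = hashlib.sha1(c14n(target)).digest()
            if not hmac.compare_digest(digest, base64.b64decode(ref.findtext("{%s}DigestValue" % DS))):
                return False
            body_covered = body_covered or target is root.find("{%s}Body" % S11)
        return body_covered
    except (ValueError, AttributeError, TypeError):  # missing element, bad wsu:Id, bad base64
        return False

if __name__ == "__main__":
    signed = sign_body(UNSIGNED, "MyID", SHARED_KEYS["MyID"])
    print(signed)
    print("verify:", verify_body_signature(signed), "tampered:", verify_body_signature(signed.replace("QQQ", "MSFT")))
```

The order inside `verify_body_signature` is the point: the digest of the Body means nothing until the HMAC over SignedInfo has been checked with the key the token reference selects, and a wsu:Id that resolves to anything other than one element is rejected outright rather than resolved by picking the first match.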
Security Tokens – User Name
• Introduced as a way to provide username
• Optional
<S11:Envelope xmlns:S11="..." xmlns:wsse="...">
  <S11:Header>
    ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>Zoe</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
    ...
  </S11:Header>
  ...
</S11:Envelope>
For extensibility, should be based on schema:
/wsse:UsernameToken/@wsu:Id
/wsse:UsernameToken/wsse:Username
/wsse:UsernameToken/{any}
/wsse:UsernameToken/@{any}
(see WSS 1.1 Spec pg 21 for description)
Security Tokens – BinarySecurityToken
<wsse:BinarySecurityToken wsu:Id=... EncodingType=... ValueType=.../>
<wsse:SecurityTokenReference>
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe"/>
</wsse:SecurityTokenReference>
Token References – Key Identifiers
<wsse:KeyIdentifier>
• The recommended way of referencing a security token that is not referenced directly
<wsse:SecurityTokenReference>
  <wsse:KeyIdentifier wsu:Id="…" ValueType="…" EncodingType="…"/>
</wsse:SecurityTokenReference>
ValueType: ThumbPrintSHA1, EncryptedKeySHA1
EncodingType: #Base64Binary
Token References – Embedded References
<wsse:Embedded>
• An embedded token
• Must be contained in a <wsse:SecurityTokenReference>
<wsse:SecurityTokenReference>
  <wsse:Embedded wsu:Id="tok1">
    <saml:Assertion xmlns:saml="…">
      …
    </saml:Assertion>
  </wsse:Embedded>
</wsse:SecurityTokenReference>
Token References – KeyInfo and KeyNames
<ds:KeyInfo>
• Can be used for carrying key info
• <wsse:BinarySecurityToken> is the recommended mechanism
<ds:KeyName>
• Can be used for named keys
• <wsse:KeyIdentifier> is the recommended mechanism
• Should conform to <ds:X509SubjectName>
References/More info
• http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessag
• http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTo
• http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenPr
• http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenP
• http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosToke
• http://www.oasis-open.org/committees/download.php/16687/oasis-wss-rel-token-profile-1.1.p
• http://www.oasis-open.org/committees/download.php/16672/wss-v1.1-spec-os-SwAProfile.pd
• http://www-128.ibm.com/developerworks/library/specification/ws-secmap/
• http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
• http://www.pentrix.com/videos/videolist.php
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security-
• http://www.codeproject.com/webservices/WS-Security.asp
• http://www.devx.com/Java/Article/28816/1954?pf=true