A solution implemented at Simon Fraser University to use CAS proxy tickets to provide authorization to web services from thick client web applications.
4. About Us
• Jeremy Rosenberg
  Developer in IT Services since 2004
  Identity management strategy
  Java Developer
• Steve Hillman
  IT Architect
  With IT Services since 1987
  Unix infrastructure
IT Services - Jeremy Rosenberg / Steve Hillman
9. About SFU
• Named after the famous explorer Simon Fraser (1776-1862)
• Opened on September 9, 1965
• One University - Three campuses
  • Burnaby
  • Surrey
  • Vancouver
• 32,000 students
• 900 faculty
• 1600 staff
• 100,000 alumni
17. About This Presentation
• Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML Gateway
• Why we chose SecureSpan
• A little about Public Keys
• Walkthroughs
  • SOAP
  • REST
• Questions
26. Definitions
Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
• Allows a data source to be loosely coupled to applications
• Makes systems reusable
• Very popular with Twitter, Facebook, Amazon, etc.
31. Definitions - SOAP vs REST
• SOAP:
  • XML message-passing protocol
  • Numerous ‘WS-’ standards
  • Associated with “Big” Web Services
  • Most vendor SOA solutions use SOAP
38. Definitions - SOAP vs REST
• REST:
  • URL-addressable objects
    • “http://maps.google.com/maps/api/geocode/xml?address=Memorial+University,+NL,+CA”
  • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE
  • Lightweight client requirements
  • Stateless (every request is self-contained)
  • WS- standards are less mature
39. Web Services Security Challenges
“Put out an A.P.B. on a donut, believed sprinkled.”
44. Web Services Security Challenges
• Web Services can communicate over many transport protocols
• Commonly accessed over web protocols like HTTP
• Easy for Web services to bypass traditional firewalls
(Diagram labelled XML, HTTP, XML)
53. Web Services Security Challenges
• XML-based messages can be deliberately or inadvertently malformed
• Causes parsers or applications to break
• Creates new XML threats and vulnerabilities, e.g.:
  • XML parameter tampering
  • XDoS attacks
  • Message replay
  • Oversized/overdeep XML nodes
  • Code injection
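The structural limits and replay check a gateway policy would apply against the threats listed above, written here as an added Python example (not the presenters' or Layer 7's code); the limit values, the SOAP sample and the MessageID/timestamp handling are assumptions for illustration:

```python
import time
import xml.etree.ElementTree as ET
from io import BytesIO

# Limits a gateway policy would enforce before a message reaches the application
# (values chosen for this example, not SFU's or Layer 7's defaults).
MAX_BYTES = 64 * 1024      # reject oversized messages before parsing
MAX_DEPTH = 32             # "overdeep" nesting exhausts recursive parsers
MAX_ELEMENTS = 10_000      # bound the total node count
FRESHNESS_WINDOW_S = 300   # a MessageID is honoured once within this window

# Constructed sample: a small, well-formed SOAP-style request.
SAMPLE_REQUEST = (b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
                  b"<soap:Body><GetGrades><Term>1131</Term></GetGrades></soap:Body></soap:Envelope>")

def inspect_message(payload: bytes) -> str:
    """Stream-parse the message and return 'ok' or the rule it violates.
    Entity expansion (another XDoS vector) is not bounded here; a real gateway caps it too."""
    if len(payload) > MAX_BYTES:
        return "oversized message"
    depth = elements = 0
    try:
        for event, _ in ET.iterparse(BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    return "nesting too deep"
                if elements > MAX_ELEMENTS:
                    return "too many elements"
            else:
                depth -= 1
    except ET.ParseError:
        return "malformed XML"  # deliberate or accidental, the application never sees it
    return "ok"

class ReplayCache:
    """Remembers recently accepted MessageIDs so a captured message cannot be re-sent."""
    def __init__(self, window_s: int = FRESHNESS_WINDOW_S):
        self.window_s = window_s
        self.seen = {}  # message id -> time it was accepted

    def accept(self, msg_id: str, msg_timestamp: float, now: float = None) -> bool:
        now = time.time() if now is None else now
        # drop IDs older than the window; their timestamps would be rejected as stale anyway
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.window_s}
        if abs(now - msg_timestamp) > self.window_s:
            return False  # outside the freshness window
        if msg_id in self.seen:
            return False  # replay of an already-accepted message
        self.seen[msg_id] = now
        return True

if __name__ == "__main__":
    print(inspect_message(SAMPLE_REQUEST), inspect_message(b"<a>" * 40 + b"</a>" * 40))
```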
57. Web Services Security Challenges
• Transactions are principally machine-to-machine
• New thinking around machine-to-machine credentialing
• Login pages won’t work
61. Web Services Security Challenges
• Services and clients must agree on security parameters
  • crypto preferences
  • standards support
• Need for new kinds of policy coordination
• Incompatibilities have unforeseen consequences
65. Web Services Security Challenges
• Web services enable multi-hop composite applications
  • Example: student onboarding process
• Message-level security and audit that can span multi-hop SOA transactions end-to-end
67. Web Services Security Challenges
Web services expose business functionality through open APIs, requiring new application-aware security measures.
75. XML Gateway - What it does
• Parses all inbound and outbound XML messages
• Inspection and modification of XML messages
  • Replace the “Username” value in an inbound XML message with the value extracted from the client certificate
    • Prevent spoofing
  • Blank out the Student Number value in outbound XML messages
    • Prevent accidental leakage of confidential info
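The two rewrites described above (bind the inbound Username to the client certificate, blank the outbound Student Number), as an added Python example rather than the presenters' actual gateway policy; the element names, the certificate subject DN and the sample messages are constructed for illustration:

```python
import xml.etree.ElementTree as ET

# Element names the gateway rewrites; assumed for this example.
USERNAME_TAG = "Username"
STUDENT_NUMBER_TAG = "StudentNumber"

# Constructed sample messages (not real SFU traffic).
SAMPLE_INBOUND = ("<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
                  "<soap:Body><GetGrades xmlns='urn:example:grades'>"
                  "<Username>registrar</Username></GetGrades></soap:Body></soap:Envelope>")
SAMPLE_OUTBOUND = ("<Envelope><Body><Student><Name>J. Doe</Name>"
                   "<StudentNumber>301234567</StudentNumber></Student></Body></Envelope>")

def local_name(tag: str) -> str:
    """Strip a namespace from an ElementTree tag such as '{urn:example:grades}Username'."""
    return tag.rsplit("}", 1)[-1]

def cn_from_subject(subject_dn: str) -> str:
    """Pull the CN out of a subject DN like 'CN=jdoe,OU=Students,O=Example'.
    Simplified splitting; real DNs need an RFC 4514 parser."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError("subject has no CN")

def bind_username_to_certificate(inbound_xml: str, subject_dn: str) -> tuple:
    """Inbound policy: overwrite whatever Username the body claims with the identity
    proven by the TLS client certificate. Returns (rewritten_xml, spoof_attempted)."""
    identity = cn_from_subject(subject_dn)
    root = ET.fromstring(inbound_xml)
    targets = [el for el in root.iter() if local_name(el.tag) == USERNAME_TAG]
    if not targets:
        raise ValueError("message carries no Username element")
    # a mismatch is worth logging: the client tried to act as someone else
    spoof_attempted = any((el.text or "").strip() != identity for el in targets)
    for el in targets:
        el.text = identity
    return ET.tostring(root, encoding="unicode"), spoof_attempted

def redact_student_numbers(outbound_xml: str) -> str:
    """Outbound policy: blank StudentNumber values so a backend cannot leak them."""
    root = ET.fromstring(outbound_xml)
    for el in root.iter():
        if local_name(el.tag) == STUDENT_NUMBER_TAG:
            el.text = ""
    return ET.tostring(root, encoding="unicode")

def values_of(xml_text: str, tag: str) -> list:
    """Text of every element named `tag`; used to check the rewrites."""
    return [(el.text or "") for el in ET.fromstring(xml_text).iter() if local_name(el.tag) == tag]
```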
79. XML Gateway
• Thwart attacks
  • Prevent malicious and inadvertent XML attacks
  • Prevent other not-so-obvious application-level attacks, e.g. SQL injection
    • Are you sure every one of your developers sanitizes their inputs?
87. Benefits
• Single point-of-entry for Web Services means:
  • Do rate-control/throttling/queueing to enforce SLAs
  • Standardized logging of all access
  • Auditing
  • Centrally enforced policies
  • Reusable rich set of authentication mechanisms
  • Managed by the Infrastructure team on behalf of all Web Services development groups
93. Why We Chose Layer7
• Industry leader in this space
• Very responsive
• Available as either hard or soft appliance
• Extensible using Java. We have Java experts.
• Supports every standard known to Man
111. About DNPKI
Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
  • “Cool, we have PKI now”
• Needed a way to manage X.509 certificates for:
  • HTTPS client certificate authentication
  • WS-Security signature authentication
• Store and push RSA public keys into LDAP
• Ability to de-provision certificate access
• Leveraged existing IdM architecture
169. Lessons Learned
• Security is an enabler
• Stick to standards where possible
• A good vendor is huge
• Start small
  • Control the service and consumer
• Security can be fun!