SlideShare una empresa de Scribd logo

WS-Security Token References

Descargar como PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

WS - Security

EducaciónTecnologíaNoticias y política
1 de 58
WS - Security Prabath Siriwardena Director, Security Architecture
WS-Security • WS-Security – Authentication – Integrity and non-repudiation – Confidentiality • Initial effort of MSFT, IBM, Verisign, etc. • Standardized at : Organization for the Advancement of Structured Information Standards (OASIS)
WS-Security • Based on XML Encryption and XML Signature • Basic framework for message level security  Encryption  Signature  Security Tokens
Security Tokens • Security Tokens are pieces of information used for authentication and authorization. - UserNameToken [User name/password] - BinaryToken [ X.509 Tokens / Kerberos Tokens] - XML Token [SAML Tokens]
WS-Security • Provisions for “profiles” to support different crypto technologies  SAML Tokens  X. 509 Tokens  UsernameToken
Message Level Security • Authentication – UsernameToken – Use plain text password with a secure transport • Integrity and Non-repudiation – A detached XML-Signature used and one or more parts are signed • Confidentiality – Encrypt the SOAP Body or any other part of the message
WS-Security • For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted. • XML Signature, inside the security header , with its <Reference> elements points to the parts of the message that are being digitally signed.
WS-Security <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken> <ds:Signature> </ds:Signature> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
<BinarySecurityToken /> • Can hold binary tokens – e.g. X509 tokens, Kerberos tokens. • Because these are binary tokens – should specify the EncodingType to represent them in XML. • ValueType indicates what the security token is. <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
QUESTION 1 Discuss the applicability of following child elements under <KeyInfo> with respect to the Example -1. <KeyName /> <KeyValue /><RetrievalMethod /> <X509Data />
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:EncryptedKey> <ds:KeyInfo> <wsse:SecurityTokenReference> <ds:X509IssuerSerial> <ds:X509IssuerName> </ds:X509IssuerName> <ds:X509SerialNumber> </ds:X509SerialNumber> </ds:X509IssuerSerial> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
Token References • Defines mechanisms for referencing security tokens. • Introduces the <SecurityTokenReferenece> as a standard way to refer to a security token regardless of their format.  Direct References  Key Identifiers  Key Names  Embedded References
Direct References • This allows references to include tokens using URI fragments and external tokens using full URIs
Direct Reference Example <S11:Envelope > <S11:Header> <wsse:Security> <wsse:BinarySecurityToken ValueType="...#X509v3” EncodingType="...#Base64Binary” wsu:Id="X509Token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:BinarySecurityToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#myBody"> <ds:Transforms> <ds:Transform Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>EULddytSo1...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> BL8jdfToEb1l/vXcMZNNjPOV... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="myBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
Key Identifiers • This allows tokens to be referenced using an opaque value that represents the token. • A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
Key Identifiers <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" > MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference>
Key Identifiers • Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to that specified in the security token profile that is associated with the security token. The ValueType attribute in a KeyIdentifier is optional. This can cause ambiguity when it is not explicitly stated. Furthermore, interoperability is discouraged if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.
Key Names • This allows tokens to be referenced using a string that matches an identity assertion within the security token. • In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
Key Names Example <!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate --> <wsse:SecurityTokenReference> <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName> </wsse:SecurityTokenReference> KeyName references are prohibited by the WS-Security Basic Profile.
Embedded • This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere). • Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
Embedded Token Example <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id=“"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference>
1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which message-security-1.0#Base64Binary"> specifies a wsu:id lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded <wsse:SecurityTokenReference> element --> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
2 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
3 Reading SOAP is fun  <wsse:Security > <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference> </wsse:Security>
4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' <!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> SomeCert appears after it is </wsse:SecurityTokenReference> referenced from within the xenc:EncryptedKey element --> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
5 Reading SOAP is fun  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers 1.0#Base64Binary"> to the lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... wsse:SecurityTokenReference with an wsu:Id of TheFirstSTR --> </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> <!-- This example is </wsu:Timestamp> incorrect because Security header MUST NOT contain more than one TIMESTAMP--> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
8 Reading SOAP is fun  <soap: Header> <wsse:Security > </wsse:Security> <wsse:Security > </wsse:Security> </soap: Header>
8 Reading SOAP is fun  <soap: Header> <wsse:Security > <!– This</wsse:Security> Header MUST not have more than one Security header where the is incorrect. SOAP actor/role attribute omitted--> <wsse:Security > </wsse:Security> </soap: Header>
9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > </wsse:Security> <wsse:Security actor=“foo” > </wsse:Security> </soap: Header>
9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > <!– This is</wsse:Security> incorrect. SOAP Header MUST not have more than one Security header with the same actor/role <wsse:Security actor=“foo” > attribute omitted--> </wsse:Security> </soap: Header>
10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature>
10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> <!– This is incorrect. Must used Detached Signature. Enveloping or Enveloped </ds:SignedInfo> allowed.--> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature> Signatures are not
11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> A signature reference to an element that does not have an ID attribute MUST contain a </ds:Transform> TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2" <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
12 Reading SOAP is fun  <wsse:Security > <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'> <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'> <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert” ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
13 Reading SOAP is fun  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element and that is the only child element.
14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> A Signature MUST NOT contain a ds:Manifest descendant element. </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security>
15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> Any EncryptedKey MUST precede any EncryptedData in This is incorrect. <xenc:EncryptedKey> header referenced by the associated ReferenceList. <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> the same Security
16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <!-- This example is incorrect because the xenc:EncryptedKey element is missing an <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> xenc:ReferenceList child element --> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
<wsse11:SignatureConfirmation /> Ensure that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element <wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
<wsse11:EncryptedHeader /> WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block including the top-level element and its attributes be encrypted, the original header block is replaced with an <EncryptedHeader /> . Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
STR-Transform <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#Str1"> <ds:Transforms> <ds:Transform Algorithm="...#STR-Transform"> <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </wsse:TransformationParameters> </ds:Transform> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue></ds:SignatureValue> </ds:Signature> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
STR-Transform This transform is specified by the URI #STR-Transform and when applied to a <wsse:SecurityTokenReference> element it means that the output is the token referenced by the <wsse:SecurityTokenReference> element not the element itself.
lean . enterprise . middleware

Recomendados

Quality management
Quality managementQuality management
Quality managementMunibaNoureen
 
Reactive Architecture
Reactive ArchitectureReactive Architecture
Reactive ArchitectureKnoldus Inc.
 
Virtualization in cloud computing
Virtualization in cloud computingVirtualization in cloud computing
Virtualization in cloud computingMohammad Ilyas Malik
 
Cloud computing notes
Cloud computing notesCloud computing notes
Cloud computing notesSrinivasa Rao
 
WORKFLOW OF THE PROCESS IN SPM
WORKFLOW OF THE PROCESS IN SPM WORKFLOW OF THE PROCESS IN SPM
WORKFLOW OF THE PROCESS IN SPMgarishma bhatia
 
cloud computing:Types of virtualization
cloud computing:Types of virtualizationcloud computing:Types of virtualization
cloud computing:Types of virtualizationDr.Neeraj Kumar Pandey
 
Google App Engine ppt
Google App Engine pptGoogle App Engine ppt
Google App Engine pptOECLIB Odisha Electronics Control Library
 
RPC: Remote procedure call
RPC: Remote procedure callRPC: Remote procedure call
RPC: Remote procedure callSunita Sahu
 

Recomendados

Quality management
Quality managementQuality management
Quality managementMunibaNoureen
 
Reactive Architecture
Reactive ArchitectureReactive Architecture
Reactive ArchitectureKnoldus Inc.
 
Virtualization in cloud computing
Virtualization in cloud computingVirtualization in cloud computing
Virtualization in cloud computingMohammad Ilyas Malik
 
Cloud computing notes
Cloud computing notesCloud computing notes
Cloud computing notesSrinivasa Rao
 
WORKFLOW OF THE PROCESS IN SPM
WORKFLOW OF THE PROCESS IN SPM WORKFLOW OF THE PROCESS IN SPM
WORKFLOW OF THE PROCESS IN SPMgarishma bhatia
 
cloud computing:Types of virtualization
cloud computing:Types of virtualizationcloud computing:Types of virtualization
cloud computing:Types of virtualizationDr.Neeraj Kumar Pandey
 
Google App Engine ppt
Google App Engine pptGoogle App Engine ppt
Google App Engine pptOECLIB Odisha Electronics Control Library
 
RPC: Remote procedure call
RPC: Remote procedure callRPC: Remote procedure call
RPC: Remote procedure callSunita Sahu
 
Android architecture
Android architectureAndroid architecture
Android architecturepoojapainter
 
Distributed Server
Distributed ServerDistributed Server
Distributed ServerRajan Kumar
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Web Vulnerability Scanner project Report
Web Vulnerability Scanner project ReportWeb Vulnerability Scanner project Report
Web Vulnerability Scanner project ReportVikas Kumar
 
Service oriented architecture characteristics of soa
Service oriented architecture characteristics of soaService oriented architecture characteristics of soa
Service oriented architecture characteristics of soasmithaps4
 
Improving software economics
Improving software economicsImproving software economics
Improving software economicsdeep sharma
 
Coda file system
Coda file systemCoda file system
Coda file systemSneh Pahilwani
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
Basics of Cloud Computing
Basics of Cloud ComputingBasics of Cloud Computing
Basics of Cloud ComputingPranav Vashistha
 
Mobile cloud computing
Mobile cloud computingMobile cloud computing
Mobile cloud computingFatih Özlü
 
Bootstrap 3
Bootstrap 3Bootstrap 3
Bootstrap 3Lanh Le
 
Model Based Software Architectures
Model Based Software ArchitecturesModel Based Software Architectures
Model Based Software ArchitecturesMunazza-Mah-Jabeen
 
Peer to peer system
Peer to peer systemPeer to peer system
Peer to peer systemJahanzaib Niazi
 
Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)WSO2
 
Web Technology End semester Examination Questions
Web Technology End semester Examination QuestionsWeb Technology End semester Examination Questions
Web Technology End semester Examination QuestionsAnsuman Mahapatra
 
2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdf2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdfbcanawakadalcollege
 
Client Server Architecture ppt
Client Server Architecture pptClient Server Architecture ppt
Client Server Architecture pptOECLIB Odisha Electronics Control Library
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computingRkrishna Mishra
 
Architectural styles and patterns
Architectural styles and patternsArchitectural styles and patterns
Architectural styles and patternsHimanshu
 
Vision of cloud computing
Vision of cloud computingVision of cloud computing
Vision of cloud computinggaurav jain
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service SecurityLuqman Shareef
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicyPrabath Siriwardena
 

Más contenido relacionado

La actualidad más candente

Android architecture
Android architectureAndroid architecture
Android architecturepoojapainter
 
Distributed Server
Distributed ServerDistributed Server
Distributed ServerRajan Kumar
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Web Vulnerability Scanner project Report
Web Vulnerability Scanner project ReportWeb Vulnerability Scanner project Report
Web Vulnerability Scanner project ReportVikas Kumar
 
Service oriented architecture characteristics of soa
Service oriented architecture characteristics of soaService oriented architecture characteristics of soa
Service oriented architecture characteristics of soasmithaps4
 
Improving software economics
Improving software economicsImproving software economics
Improving software economicsdeep sharma
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
Mobile cloud computing
Mobile cloud computingMobile cloud computing
Mobile cloud computingFatih Özlü
 
Bootstrap 3
Bootstrap 3Bootstrap 3
Bootstrap 3Lanh Le
 
Model Based Software Architectures
Model Based Software ArchitecturesModel Based Software Architectures
Model Based Software ArchitecturesMunazza-Mah-Jabeen
 
Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)WSO2
 
Web Technology End semester Examination Questions
Web Technology End semester Examination QuestionsWeb Technology End semester Examination Questions
Web Technology End semester Examination QuestionsAnsuman Mahapatra
 
2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdf2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdfbcanawakadalcollege
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computingRkrishna Mishra
 
Architectural styles and patterns
Architectural styles and patternsArchitectural styles and patterns
Architectural styles and patternsHimanshu
 
Vision of cloud computing
Vision of cloud computingVision of cloud computing
Vision of cloud computinggaurav jain
 

La actualidad más candente (20)

Android architecture
Android architectureAndroid architecture
Android architecture
 
Distributed Server
Distributed ServerDistributed Server
Distributed Server
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
Web Vulnerability Scanner project Report
Web Vulnerability Scanner project ReportWeb Vulnerability Scanner project Report
Web Vulnerability Scanner project Report
 
Service oriented architecture characteristics of soa
Service oriented architecture characteristics of soaService oriented architecture characteristics of soa
Service oriented architecture characteristics of soa
 
Improving software economics
Improving software economicsImproving software economics
Improving software economics
 
Coda file system
Coda file systemCoda file system
Coda file system
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
Basics of Cloud Computing
Basics of Cloud ComputingBasics of Cloud Computing
Basics of Cloud Computing
 
Mobile cloud computing
Mobile cloud computingMobile cloud computing
Mobile cloud computing
 
Bootstrap 3
Bootstrap 3Bootstrap 3
Bootstrap 3
 
Model Based Software Architectures
Model Based Software ArchitecturesModel Based Software Architectures
Model Based Software Architectures
 
Peer to peer system
Peer to peer systemPeer to peer system
Peer to peer system
 
Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)
 
Web Technology End semester Examination Questions
Web Technology End semester Examination QuestionsWeb Technology End semester Examination Questions
Web Technology End semester Examination Questions
 
2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdf2- THE CHANGING NATURE OF SOFTWARE.pdf
2- THE CHANGING NATURE OF SOFTWARE.pdf
 
Client Server Architecture ppt
Client Server Architecture pptClient Server Architecture ppt
Client Server Architecture ppt
 
Introduction of Cloud computing
Introduction of Cloud computingIntroduction of Cloud computing
Introduction of Cloud computing
 
Architectural styles and patterns
Architectural styles and patternsArchitectural styles and patterns
Architectural styles and patterns
 
Vision of cloud computing
Vision of cloud computingVision of cloud computing
Vision of cloud computing
 

Destacado

Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Web Services - A brief overview
Web Services - A brief overviewWeb Services - A brief overview
Web Services - A brief overviewRaveendra Bhat
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical ApproachMadhaiyan Muthu
 
Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Martin Necasky
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSalesforce Developers
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Webservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTWebservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTPradeep Kumar
 

Destacado (19)

Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicy
 
XML Signature
XML SignatureXML Signature
XML Signature
 
WS-Trust
WS-TrustWS-Trust
WS-Trust
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Web Services Security - Presentation
Web Services Security - PresentationWeb Services Security - Presentation
Web Services Security - Presentation
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
XML Encryption
XML EncryptionXML Encryption
XML Encryption
 
Web Services - A brief overview
Web Services - A brief overviewWeb Services - A brief overview
Web Services - A brief overview
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical Approach
 
Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)Web Services - Architecture and SOAP (part 1)
Web Services - Architecture and SOAP (part 1)
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
 
Web Services
Web ServicesWeb Services
Web Services
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
 
Web service introduction
Web service introductionWeb service introduction
Web service introduction
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Webservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and RESTWebservices Overview : XML RPC, SOAP and REST
Webservices Overview : XML RPC, SOAP and REST
 

Similar a WS-Security Token References

Secured SOA
Secured SOASecured SOA
Secured SOAWSO2
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA SecurityWSO2
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationSimon Haslam
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and OperationsNisheed KM
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESBWSO2
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLGlobalSign
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based EncryptionDavid Dye
 

Similar a WS-Security Token References (20)

Secured SOA
Secured SOASecured SOA
Secured SOA
 
WSO2 SOA Security
WSO2 SOA SecurityWSO2 SOA Security
WSO2 SOA Security
 
Secured SOA
Secured SOASecured SOA
Secured SOA
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Ws security with mule
Ws security with muleWs security with mule
Ws security with mule
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar cluster
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based Encryption
 

Más de Prabath Siriwardena

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity ManagementPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet IdentityPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudPrabath Siriwardena
 

Más de Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
OAuth 2.0 Threat Landscape
OAuth 2.0 Threat LandscapeOAuth 2.0 Threat Landscape
OAuth 2.0 Threat Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 

Último

IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Último (20)

IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

WS-Security Token References

  • 1. WS - Security Prabath Siriwardena Director, Security Architecture
  • 2. WS-Security • WS-Security – Authentication – Integrity and non-repudiation – Confidentiality • Initial effort of MSFT, IBM, Verisign, etc. • Standardized at : Organization for the Advancement of Structured Information Standards (OASIS)
  • 3. WS-Security • Based on XML Encryption and XML Signature • Basic framework for message level security  Encryption  Signature  Security Tokens
  • 4. Security Tokens • Security Tokens are pieces of information used for authentication and authorization. - UserNameToken [User name/password] - BinaryToken [ X.509 Tokens / Kerberos Tokens] - XML Token [SAML Tokens]
  • 5. WS-Security • Provisions for “profiles” to support different crypto technologies  SAML Tokens  X. 509 Tokens  UsernameToken
  • 6. Message Level Security • Authentication – UsernameToken – Use plain text password with a secure transport • Integrity and Non-repudiation – A detached XML-Signature used and one or more parts are signed • Confidentiality – Encrypt the SOAP Body or any other part of the message
  • 7. WS-Security • For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted. • XML Signature, inside the security header , with its <Reference> elements points to the parts of the message that are being digitally signed.
  • 8. WS-Security <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken> <ds:Signature> </ds:Signature> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 9. <BinarySecurityToken /> • Can hold binary tokens – e.g. X509 tokens, Kerberos tokens. • Because these are binary tokens – should specify the EncodingType to represent them in XML. • ValueType indicates what the security token is. <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken>
  • 10. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 11. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 12. WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 13. QUESTION 1 Discuss the applicability of following child elements under <KeyInfo> with respect to the Example -1. <KeyName /> <KeyValue /><RetrievalMethod /> <X509Data />
  • 14. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 15. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 16. WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:EncryptedKey> <ds:KeyInfo> <wsse:SecurityTokenReference> <ds:X509IssuerSerial> <ds:X509IssuerName> </ds:X509IssuerName> <ds:X509SerialNumber> </ds:X509SerialNumber> </ds:X509IssuerSerial> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
  • 17. Token References • Defines mechanisms for referencing security tokens. • Introduces the <SecurityTokenReferenece> as a standard way to refer to a security token regardless of their format.  Direct References  Key Identifiers  Key Names  Embedded References
  • 18. Direct References • This allows references to include tokens using URI fragments and external tokens using full URIs
  • 19. Direct Reference Example <S11:Envelope > <S11:Header> <wsse:Security> <wsse:BinarySecurityToken ValueType="...#X509v3” EncodingType="...#Base64Binary” wsu:Id="X509Token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:BinarySecurityToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#myBody"> <ds:Transforms> <ds:Transform Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>EULddytSo1...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> BL8jdfToEb1l/vXcMZNNjPOV... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="myBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
  • 20. Key Identifiers • This allows tokens to be referenced using an opaque value that represents the token. • A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
  • 22. Key Identifiers • Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to that specified in the security token profile that is associated with the security token. The ValueType attribute in a KeyIdentifier is optional. This can cause ambiguity when it is not explicitly stated. Furthermore, interoperability is discouraged if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.
  • 23. Key Names • This allows tokens to be referenced using a string that matches an identity assertion within the security token. • In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
  • 24. Key Names Example <!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate --> <wsse:SecurityTokenReference> <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName> </wsse:SecurityTokenReference> KeyName references are prohibited by the WS-Security Basic Profile.
  • 25. Embedded • This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere). • Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
  • 26. Embedded Token Example <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id=“"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference>
  • 27. 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
  • 28. 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which message-security-1.0#Base64Binary"> specifies a wsu:id lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded <wsse:SecurityTokenReference> element --> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
  • 29. 2 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
  • 30. 3 Reading SOAP is fun  <wsse:Security > <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference> </wsse:Security>
  • 31. 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
  • 32. 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' <!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> SomeCert appears after it is </wsse:SecurityTokenReference> referenced from within the xenc:EncryptedKey element --> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
  • 33. 5 Reading SOAP is fun  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
  • 34. 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
  • 35. 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers 1.0#Base64Binary"> to the lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... wsse:SecurityTokenReference with an wsu:Id of TheFirstSTR --> </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
  • 36. 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
  • 37. 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> <!-- This example is </wsu:Timestamp> incorrect because Security header MUST NOT contain more than one TIMESTAMP--> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
  • 38. 8 Reading SOAP is fun  <soap: Header> <wsse:Security > </wsse:Security> <wsse:Security > </wsse:Security> </soap: Header>
  • 39. 8 Reading SOAP is fun  <soap: Header> <wsse:Security > <!– This</wsse:Security> Header MUST not have more than one Security header where the is incorrect. SOAP actor/role attribute omitted--> <wsse:Security > </wsse:Security> </soap: Header>
  • 40. 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > </wsse:Security> <wsse:Security actor=“foo” > </wsse:Security> </soap: Header>
  • 41. 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > <!– This is</wsse:Security> incorrect. SOAP Header MUST not have more than one Security header with the same actor/role <wsse:Security actor=“foo” > attribute omitted--> </wsse:Security> </soap: Header>
  • 42. 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature>
  • 43. 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> <!– This is incorrect. Must used Detached Signature. Enveloping or Enveloped </ds:SignedInfo> allowed.--> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature> Signatures are not
  • 44. 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 45. 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> A signature reference to an element that does not have an ID attribute MUST contain a </ds:Transform> TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2" <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 46. 12 Reading SOAP is fun  <wsse:Security > <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'> <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'> <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert” ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
  • 47. 13 Reading SOAP is fun  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element and that is the only child element.
  • 48. 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
  • 49. 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> A Signature MUST NOT contain a ds:Manifest descendant element. </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
  • 50. 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security>
  • 51. 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> Any EncryptedKey MUST precede any EncryptedData in This is incorrect. <xenc:EncryptedKey> header referenced by the associated ReferenceList. <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> the same Security
  • 52. 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
  • 53. 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <!-- This example is incorrect because the xenc:EncryptedKey element is missing an <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> xenc:ReferenceList child element --> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
  • 54. <wsse11:SignatureConfirmation /> Ensure that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element <wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
  • 55. <wsse11:EncryptedHeader /> WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block including the top-level element and its attributes be encrypted, the original header block is replaced with an <EncryptedHeader /> . Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
  • 56. STR-Transform <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#Str1"> <ds:Transforms> <ds:Transform Algorithm="...#STR-Transform"> <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </wsse:TransformationParameters> </ds:Transform> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue></ds:SignatureValue> </ds:Signature> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
  • 57. STR-Transform This transform is specified by the URI #STR-Transform and when applied to a <wsse:SecurityTokenReference> element it means that the output is the token referenced by the <wsse:SecurityTokenReference> element not the element itself.
  • 58. lean . enterprise . middleware