Identity patterns and anit-patterns in real world web services

•

3 gefällt mir•1,786 views

The document discusses various identity and security patterns for web services, including direct authentication, brokered authentication, data origin authentication, trusted subsystem, and message interceptor gateway patterns. It describes problems that each pattern addresses, such as unauthenticated access, delegating authentication to external users, message manipulation, controlling downstream access, and centralized security enforcement. Implementation examples including WS-Security, WS-Trust, and open standards are also provided.

Technologie

Identity patterns & anti-patterns
in real world web services

~ By Prabath Siriwardena, WSO2

Transport Level Security
Vs
Message Level Security

<wsse:UsernameToken wsu:Id="Example-1">
<wsse:Username> ... </wsse:Username>
<wsse:Password Type="..."> ... </wsse:Password>
<wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
<wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>

Direct Authentication Pattern

Problem :

How to avoid anonymous users accessing a web
service

Direct Authentication Pattern

Solution :

The web service acts as an authentication
service to validate credentials from the
client.

Direct Authentication Pattern

Implementation(s) :

UsernameToken with WSSE
BasicAuth with TLS

Exception Shielding Pattern

Problem :

Exception data output by a service
containing implementation details could
compromise the security of the service

Exception Shielding Pattern

Solution :

Potentially unsafe exception data is
"sanitized" by replacing it with exception
data that is safe by design before it is
made available to consumers

Direct Authentication
needs us to maintain user
credentials internally

We don’t have the
credential of external
users

Direct Authentication
doesn’t solve our problem

Can’t we delegate
Authentication to the
External Domain itself

Brokered Authentication Pattern

Problem :

How to avoid anonymous users accessing a web
service and give access to users outside our
domain, where we don’t have the users’
credentials to validate

Brokered Authentication Pattern

Solution :

Delegate authentication to a third party who
knows to validate user credentials and the
service trusts the assertions provided by
that particular third party

Brokered Authentication Pattern

Implementation(s) :

WS-Trust
OpenID, Information Cards, OAuth

How do we know the legitimacy
of the third party
Security Token Service ?

Data Origin Authentication Pattern

Problem :

How do we prevent an attacker from
manipulating messages in transit between a
client and a web service.

Data Origin Authentication Pattern

Solution :

Validate message integrity and non-
repudiation with message signature

Our services access downstream
resources with the
authenticated user’s credentials

This could bring security risks –
and make down stream resources
vulnerable to attacks

How about controlling user
access to the down stream resources

Service acts as the client –
with service’s credentials

Trusted Sub System Pattern

Problem :

A consumer that accesses backend resources
of a service directly can compromise the
integrity of the resources and can further
lead to undesirable form of implementation
coupling.

Trusted Sub System Pattern

Solution :

The service is designed to use it’s own
credentials for authentication and
authorization with backend resources on
behalf of the consumers

Message Interceptor Gateway Pattern

Problem :

Different services deployed could have
different security policies and a security
vulnerability of the weakest service could
be exploited to create loop holes in entire
system.

Message Interceptor Gateway Pattern

Solution :

Provides a single entry point and allows
centralization of security enforcement for
incoming and outgoing messages.

http://blog.facileLogin.com
http://RampartFAQ.com
prabath@apache.org
prabath@wso2.com

Weitere ähnliche Inhalte

Ähnlich wie Identity patterns and anit-patterns in real world web services

Web services security_in_wse_3_ppt

Harshavardhan Achrekar

Authentication Models

Raj Chanchal

Password cracking doesn't have to involve fancy tools, but it's a fairly tedious process. If the target doesn't lock you out after a specific number of tries, you can spend an infinite amount of time trying every combination of alphanumeric characters. It's just a question of time and bandwidth before you break into a system. The most common passwords found are password, root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username].

Module 13 (web based password cracking techniques)

Wail Hassan

E-Business security

Surendhranatha Reddy

Security analysis of a single sign on mechanism for distributed computer netw...

JPINFOTECH JAYAPRAKASH

• Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...

petarvucetin

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...

petarvucetin2

Security analysis of a single sign on mechanism for distributed computer netw...

IEEEFINALYEARPROJECTS

JAVA 2013 IEEE NETWORKSECURITY PROJECT Security analysis of a single sign on ...

IEEEGLOBALSOFTTECHNOLOGIES

AbedElilahElmahmoumP1.pptx

AbedElElahElMHMOOM

What is Advanced Web Servicels.pdf

AngelicaPantaleon3

Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. Finding the right identity solution can often be challenging. In this session, we will look at how Cognito can support a wide range of authentication scenarios including customers, employees and systems to help you make the right choices. Speaker: Stephen Liedig. Solutions Architect. Amazon Web Services Level: 300

Managing Identity and Securing Your Mobile and Web Applications with Amazon C...

Amazon Web Services

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Nilanjan Roy

Presentation

Laxman Kumar

encryption ppt

Shiva Shiva

In today’s ever-changing digital world, protecting your online presence against vulnerabilities such as failed authentication is critical. IT company provides professional Vulnerability Assessment services that detect and handle such security threats, strengthening the defenses of your website. Our team of professionals navigates through complex authentication vulnerabilities with accuracy and knowledge, giving personalized solutions that protect your digital assets. Our Vulnerability Assessment provides full security against unauthorized access, data breaches, and possible hacking threats, from resolving defective authentication procedures to deploying effective multi-factor authentication. Partnering with us means committing your online security to experts who are dedicated to reinforcing your digital firewall. Secure the strength of your website and protect important information by utilizing our cutting-edge Vulnerability Assessment services now!

How to Find and Fix Broken Authentication Vulnerability

AshKhan85

Web Application Security Tips

tcellsn

Mutual Authentication For Wireless Communication

manish kumar

Vinod Rebello

prensacespi

6.designing secure and efficient biometric based secure access mechanism for ...

Venkat Projects

Ähnlich wie Identity patterns and anit-patterns in real world web services (20)

Web services security_in_wse_3_ppt

Authentication Models

Module 13 (web based password cracking techniques)

E-Business security

Security analysis of a single sign on mechanism for distributed computer netw...

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...

Security analysis of a single sign on mechanism for distributed computer netw...

JAVA 2013 IEEE NETWORKSECURITY PROJECT Security analysis of a single sign on ...

AbedElilahElmahmoumP1.pptx

What is Advanced Web Servicels.pdf

Managing Identity and Securing Your Mobile and Web Applications with Amazon C...

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Presentation

encryption ppt

How to Find and Fix Broken Authentication Vulnerability

Web Application Security Tips

Mutual Authentication For Wireless Communication

Vinod Rebello

6.designing secure and efficient biometric based secure access mechanism for ...

Mehr von Prabath Siriwardena

Microservices Security Landscape

Prabath Siriwardena

Cloud Native Identity with SPIFFE

Prabath Siriwardena

API Security Best Practices & Guidelines

Prabath Siriwardena

Identity is Eating the World!

Prabath Siriwardena

Microservices Security Landscape

Prabath Siriwardena

OAuth 2.0 Threat Landscape

Prabath Siriwardena

GDPR for Identity Architects

Prabath Siriwardena

Blockchain-based Solutions for Identity & Access Management

Prabath Siriwardena

OAuth 2.0 Threat Landscapes

Prabath Siriwardena

OAuth 2.0 for Web and Native (Mobile) App Developers

Prabath Siriwardena

Identity Management for Web Application Developers

Prabath Siriwardena

API Security Best Practices & Guidelines

Prabath Siriwardena

Open Standards in Identity Management

Prabath Siriwardena

Securing Single-Page Applications with OAuth 2.0

Prabath Siriwardena

API Security : Patterns and Practices

Prabath Siriwardena

Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed. This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.

Best Practices in Building an API Security Ecosystem

Prabath Siriwardena

Connected Identity : The Role of the Identity Bus

Prabath Siriwardena

Connected business is a very dynamic and complex environment. Your desire is to reach out to your customers, partners, distributors and suppliers and create more and more business interactions and activities, that will generate more revenue. The goal here is not just integrate technological silos, in your enterprise – but also make your business more accessible and reactive. The ability to propagate identities across borders in a protocol-agnostic manner is a core ingredient in producing a connected business environment. SAML, OpenID, OpenID Connect, WS-Federation all support identity federation – cross domain authentication. But, can we always expect all the parties in a connected environment to support SAML, OpenID or OpenID Connect ? Most of the federation systems we see today are in silos. It can be a silo of SAML federation, a silo of OpenID Connect federation or a silo of OpenID federation. Even in a given federation silo how do you scale with increasing number of service providers and identity providers? Each service provider has to trust each identity provider and this leads into the Spaghetti Identity anti-pattern. Federation Silos and Spaghetti Identity are two anti-patterns that needs to be addressed in a connected environment. This talk will present benefits, risks and challenges in a connected identity environment

Connected Identity : Benefits, Risks & Challenges

Prabath Siriwardena

The Evolution of Internet Identity

Prabath Siriwardena

Next-Gen Apps with IoT and Cloud

Prabath Siriwardena

Mehr von Prabath Siriwardena (20)

Microservices Security Landscape

Cloud Native Identity with SPIFFE

API Security Best Practices & Guidelines

Identity is Eating the World!

Microservices Security Landscape

OAuth 2.0 Threat Landscape

GDPR for Identity Architects

Blockchain-based Solutions for Identity & Access Management

OAuth 2.0 Threat Landscapes

OAuth 2.0 for Web and Native (Mobile) App Developers

Identity Management for Web Application Developers

API Security Best Practices & Guidelines

Open Standards in Identity Management

Securing Single-Page Applications with OAuth 2.0

API Security : Patterns and Practices

Best Practices in Building an API Security Ecosystem

Connected Identity : The Role of the Identity Bus

Connected Identity : Benefits, Risks & Challenges

The Evolution of Internet Identity

Next-Gen Apps with IoT and Cloud

Kürzlich hochgeladen

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Manulife - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Artificial Intelligence: Facts and Myths

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Automating Google Workspace (GWS) & more with Apps Script

Artificial Intelligence Chap.5 : Uncertainty

Partners Life - Insurer Innovation Award 2024

Exploring the Future Potential of AI-Enabled Smartphone Processors

Manulife - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Apidays New York 2024 - The value of a flexible API Management solution for O...

A Year of the Servo Reboot: Where Are We Now?

HTML Injection Attacks: Impact and Mitigation Strategies

AWS Community Day CPH - Three problems of Terraform

Identity patterns and anit-patterns in real world web services

1. Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2

10.

11.

12.

13. Proof of identity

14. Something you know…

15. Something you have…

16. Something you are…

17. Multifactor Authentication

18.

19.

20. Anyone can access my Service 

21.

22.

23. WSDL WSDL WSDL

24. WSDL WSDL WSDL

25. Transport Level Security Vs Message Level Security

26. Transport Level Security

27. Message Level Security

28. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>

29. BasicAuth with Transport Level Security

30. Direct Authentication Pattern Problem : How to avoid anonymous users accessing a web service

31. Direct Authentication Pattern Solution : The web service acts as an authentication service to validate credentials from the client.

32. Direct Authentication Pattern Implementation(s) : UsernameToken with WSSE BasicAuth with TLS

33.

34.

35. Exception Shielding Pattern Problem : Exception data output by a service containing implementation details could compromise the security of the service

36. Exception Shielding Pattern Solution : Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers

37. Users OUT SIDE Our Domain Need ACCESS

38. Direct Authentication needs us to maintain user credentials internally

39. We don’t have the credential of external users

40. Direct Authentication doesn’t solve our problem

41. Can’t we delegate Authentication to the External Domain itself

42.

43.

44.

45.

46. WS-TRUST

47. Brokered Authentication Pattern Problem : How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate

48. Brokered Authentication Pattern Solution : Delegate authentication to a third party who knows to validate user credentials and the service trusts the assertions provided by that particular third party

49. Brokered Authentication Pattern Implementation(s) : WS-Trust OpenID, Information Cards, OAuth

50. How do we know the legitimacy of the third party Security Token Service ?

51.

52. Data Origin Authentication Pattern Problem : How do we prevent an attacker from manipulating messages in transit between a client and a web service.

53. Data Origin Authentication Pattern Solution : Validate message integrity and non- repudiation with message signature

54. Our services access downstream resources with the authenticated user’s credentials

55. This could bring security risks – and make down stream resources vulnerable to attacks

56. How about controlling user access to the down stream resources

57. Service acts as the client – with service’s credentials

58.

59. Trusted Sub System Pattern Problem : A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to undesirable form of implementation coupling.

60. Trusted Sub System Pattern Solution : The service is designed to use it’s own credentials for authentication and authorization with backend resources on behalf of the consumers

61. Patterns @ Work…

62.

63.

64. Message Interceptor Gateway Pattern Problem : Different services deployed could have different security policies and a security vulnerability of the weakest service could be exploited to create loop holes in entire system.

65. Message Interceptor Gateway Pattern Solution : Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.

66. http://blog.facileLogin.com http://RampartFAQ.com prabath@apache.org prabath@wso2.com

67. Thank You…!!!

Identity patterns and anit-patterns in real world web services

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Identity patterns and anit-patterns in real world web services

Ähnlich wie Identity patterns and anit-patterns in real world web services (20)

Mehr von Prabath Siriwardena

Mehr von Prabath Siriwardena (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Identity patterns and anit-patterns in real world web services