Home arrow Security arrow Page 9 - Trust, Access Control, and Rights for Web Services Part 1

WS-* Security Specifications for Integration - Security

Several other important standards are derived from and are complementary to WS-Security; they relate to such fundamental security topics as trust, access control, and rights. In this chapter, we review the family of WS-Security–related technologies. This is part 1 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, Sams, 2004).

TABLE OF CONTENTS:
  1. Trust, Access Control, and Rights for Web Services Part 1
  2. Building Blocks
  3. WS-* Security Specifications for Trust Relationships
  4. Prior to Having Secure Communications...
  5. RequestSecurityToken
  6. RequestSecurity TokenResponse
  7. WS-* Security Specifications for Interoperability
  8. SecurityContextToken
  9. WS-* Security Specifications for Integration
By: Rosenberg, Remy
Rating: starstarstarstarstar / 8
July 26, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Integration, in the context of Web Services Security, is the federation of identities and uniform authorization policies. Federation is the integration of trust domains across organizational boundaries and is addressed by WS-Federation. Authorization is the unification of access control policies across organizational boundaries and is addressed by WS-Authorization.

WS-Federation

WS-Federation enables the establishment of federated trust using WS-Security, WS-Policy, WS-Trust, and WS-SecureConversation as composable building blocks. Federation in this context means that a group of organizations that will have communicating Web services agrees on a uniform set of standards and policies about identification and authentication of entities for the purpose of translating one entity's security tokens into another type of security token. For example, WS-Federation solves the problem of one organization using Kerberos and the other with which it wants to communicate using X.509. WS-Policy and WS-Trust are used to determine which tokens are consumed and how to apply for tokens from an external service.

Figure 9.4 illustrates one way the WS-Trust model may be applied to simple federation scenarios. Here, security tokens (1) from the requestor's trust realm are used to acquire security tokens from the resource's trust realm (2) to access the resource/service (3). That is, a token from one Security Token Service (STS) is exchanged for another at a second STS (or possibly stamped or cross-certified by a second STS).

Next, Figure 9.5 shows the detailed sequence of steps used to exchange security tokens between a requestor Web service and the Web service provider resource.

Trust, Access Control, and Rights for Web Services

Figure 9.4  Simple federation scenario allowing requestor in one trust domain to interact with a resource in a different trust domain using different security models.

Trust, Access Control, and Rights for Web Services

Figure 9.5  Eight-step process used in WS-Federation to cross different trust domains with a security token.

This process is as follows:

  1. Acquire policy.

    If the requestor doesn't already have the policy for the service, it can obtain the policy using the mechanisms defined in WS-MetadataExchange. WS-MetadataExchange allows a service to directly obtain information using WSDL, or it may choose to use a UDDI service that aggregates this information for multiple target services.

  2. Return policy.

    The requested policy is returned using the mechanisms defined in WS-MetadataExchange.

  3. Request security token.

    The requestor requests a security token from its IP/STS (assuming short-lived security tokens) using the mechanisms defined in WS-Trust: <RequestSecurityToken>.

  4. Issue security token.

    The IP/STS returns a security token (and optional proof-of-possession information) using the mechanisms defined in WS-Trust: <RequestSecurityTokenResponse> and <RequestedProofToken>.

  5. Request security token.

    The requestor requests a security token from the Web services IP/STS for the target Web service using the mechanisms defined in WS-Trust: <RequestSecurityToken>. Note that this is determined via policy or some out-of-band mechanism.

  6. Return security token.

    The Web service's IP/STS returns a token (and optionally proof-of-possession information) using the mechanisms defined in WS-Trust: <RequestSecurityTokenResponse>.

  7. Send secured request.

    The requestor sends the request to the service attaching and securing the message using the issued tokens as described in WS-Security.

  8. Return result.

    The service issues a secured reply using its security token.


WS-Federation, SAML, Liberty, and Passport - WS-Federation deals with identity in a federated Web services context. As of this writing, no specification has been published for WS-Federation, and it is not without controversy due to the Microsoft name on the specification and the questions around the Sun-sponsored Liberty Alliance project and the Microsoft-owned Passport technology.

WS-Federation is working toward compatibility with SAML as SAML tokens become one of the types of federated tokens accepted, along with X.509, Kerberos, and XrML.

That being said, it seems valuable to have a standard approach for federated trust scenarios specific to Web services that is independent of the Liberty Alliance and Passport and generalized enough to fit into both models of identity federation.

At the very least, WS-Federation addresses a really difficult unsolved problem: how to get a Web service based in a domain using Kerberos to work effectively in a trusted fashion with a Web service based in an X.509 domain.


WS-Authorization

WS-Authorization deals with authorization decisions in the context of Web services. It describes how access policies for a Web service will be specified and managed. As of this writing, no specification has been published for WS-Authorization. Its objectives are similar to the eXtensible Access Control Markup Language (XACML) and will undoubtedly be heavily influenced by it.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.



 
 
>>> More Security Articles          >>> More By Rosenberg, Remy
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: