OWASP AppSec Europe 2006
Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
May 2006 http://www.owasp.org/
Topics of the Presentation
• Limitations:
  Not granular enough se it.
  Inflexible about routing.
(Figure residue: two boxes labelled "Security Context".)
WS-Security, along with some other standards like WS-Policy, addresses these issues.
  <SignatureValue>"8/ohMBZ5JwzYyu+POU/v879R01s="
  <KeyInfo>
    <SecurityTokenReference>
      <Reference URI=#1 ValueType=UsernameToken>
  <Body Id=2>
    <StockQuoteRequest>
      <symbols>
        <Symbol>"SAP"
        <Symbol>"ORACLE"

Annotation on the slide: SignatureValue = hmacsha1(key, SignedInfo), where key ≈ psha1(p + nonce + created).

N.B. All the SOAP messages here elide some headers and all namespaces, and abbreviate long strings for brevity.
Message flow using WS-* standards
(Figure: message flow between the Web Service Requester, the Security Token Service, the Policy Module and the Web Service; only the step labels are recoverable.)
1. Request for tokens
2. Get tokens to add to SOAP messages (from the Security Token Service)
3. Sending to Policy Module
5. Enforcing WS-Policy (checking SOAP according to WS-Policy)
6. Validate tokens
signing element.
Predecessor, successor, and Sibling Elements
(Figure: message flow between the Web Service Requester, the Policy Module, the SOAPAccount module and the Web Service Provider; only the step labels are recoverable.)
3. Sending to Policy Module
4. Sending SOAP message to SOAPAccount module
5. Sending signed message
6. Received SOAP with Account Information
7. Enforcing WS-Policy (checking SOAP according to WS-Policy)
8. Validate tokens (validating SOAP Account Info)
9. Receive response from Web Service
Other labels in the figure: "Incorporating WS-Policy in SOAP", "Adding Account Info".
Timing Diagram
(Figure: line chart of Average Service Time (ms), y-axis 0 to 70, against Number Of Iterations, x-axis 1 to 40; two series, "PolicyDriven XWS-Security" and "SoapAccount". Data values are not recoverable from the extracted text.)
Conclusion