Francois Lascelles

Subscribe to Francois Lascelles: eMailAlertsEmail Alerts
Get Francois Lascelles via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Top Stories by Francois Lascelles

Imagine a fresh business relationship between ACME Corporation and Partner. As a result of this relationship, ACME wants to grant Partner limited access to one of its core internal applications. They do this, naturally, by exposing a Web service. Why Identity Federation? Boris (an employee at Partner) sends a SOAP request to the ACME Web service along with some password or proof-of-possession type credentials. Because Boris's identity is managed outside of ACME, those credentials cannot be authenticated using ACME's authentication infrastructure. To circumvent this issue, one could imagine a setup where the ACME Web service authenticates Boris's credentials by connecting to Partner's authentication services. Another alternative might involve some sort of directory replication. These strategies were attempted in the '90s when distributed LDAP references appeared in t... (more)

Standardize HMAC, OAuth RESTful Authentication Schemes

As the enterprise is increasingly taking notice of WOA (Web Oriented Architecture) these days, the need for security guidelines and standards for RESTful Web services is becoming more pressing. Sure, RESTful Web services are meant to borrow existing security mechanisms from the web and HTTP Basic over SSL, when done right, is a great way to accomplish shared-secret based authentication. Yet, for better or for worse, it is common to find REST API providers defining their own authentication mechanisms. Take for example the Amazon S3 REST API’s custom HTTP authentication scheme. Us... (more)

The Importance of Threat Protection for RESTful Web Services

SOA Best Practices Digest Although certain RESTful web services are of a ‘public’ nature and do not have specific security requirements such as authentication and authorization, any service that has an entry point from an untrusted network is subject to attack and proper threat protection measures are always an essential consideration. RESTful web services are closely aligned to the web itself and as such inherit all traditional threats from the web. Although network level threats are well understood and addressed by traditional firewall infrastructure, RESTful web services typ... (more)


SOA & WOA Magazine on Ulitzer Existing brokered authentication standards such as SAML Web Browser SSO or OpenID accommodate RESTful web services for browser driven use cases. However, what about RESTful service composition patterns where identities need to be propagated across nested service invocations, or any RESTful Web service client that is not browser based for that matter? How should brokered authentication for such RESTful service calls be handled? An interesting example of a RESTful Security Token Service (STS) was described in March 2009 by Pablo Cibraro (aka ‘cibrax’).... (more)

WS Security Performance

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the con... (more)