The WS Secure Conversation specification describes a mechanism letting
multiple parties establish a context (using the WS Trust Request Security
Token standard) and secure subsequent SOAP exchanges. Each WS Secure
Conversation session has an associated shared secret. Instead of using this
shared secret directly to sign and encrypt the conversation's messages,
symmetric keys are derived from the secret itself. Deriving new keys for each
message and different keys for signature and encryption limits the amount of
data that an attacker can analyze in attempting to compromise the context.
Derived Key Tokens are tokens in a SOAP Security Header that refer to the
derived keys. Using the context's shared secret and hints provided by the
Derived Key Token element, the message's recipient derives the key used by
the requestor either to verify a signature or decrypt parts of t... (more)
As the enterprise is increasingly taking notice of WOA (Web Oriented
Architecture) these days, the need for security guidelines and standards for
RESTful Web services is becoming more pressing. Sure, RESTful Web services
are meant to borrow existing security mechanisms from the web, and HTTP Basic
over SSL, when done right, is a great way to accomplish shared-secret based
authentication. Yet, for better or for worse, it is common to find REST API
providers defining their own authentication mechanisms.
Take for example the Amazon S3 REST API’s custom HTTP authentication
scheme. Us... (more)
SOA & WOA Magazine on Ulitzer
Existing brokered authentication standards such as SAML Web Browser SSO or
OpenID accommodate RESTful web services for browser driven use cases.
However, what about RESTful service composition patterns where identities
need to be propagated across nested service invocations, or any RESTful Web
service client that is not browser based for that matter? How should brokered
authentication for such RESTful service calls be handled?
An interesting example of a RESTful Security Token Service (STS) was
described in March 2009 by Pablo Cibraro (aka ‘cibrax’).... (more)
The adoption of cloud by organizations looking for more efficient ways to
deploy their own IT assets or as a means to offset the burden of data
management drives the need for identity federation in the enterprise.
Compounding this is the mobile effect from which there is no turning back.
Data must be available any time, from anywhere and the identities accessing
it must be asserted on mobile devices, in cloud zones, always under the
stewardship of the enterprise.
APIs serve federation by enabling lightweight delegated authentication
schemes based on OAuth handshakes using the sa... (more)
In the article "The importance of threat protection for restful web
services", I presented a number of content-based threats for XML. When
protecting an endpoint from XML-based attacks, payloads are not only scanned
for code injections, malicious entity declarations and parser attacks, but XML
documents are also validated against strict schemas that clearly describe the
expected document structures. Enforcing this type of compliance at the edge,
in a SOA gateway for example, minimizes the risk of attacks on the Web
service endpoint. Structure definition languages such as XML Schema ... (more)