Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Book Description

The Web Service Security guide provides guidance for applying security to Web services by using Web Services Enhancements (WSE) 3.0 and the Microsoft® .NET Framework 2.0.

Table of Contents

  1. Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0: Patterns & Practices
  2. Forewords
    1. Foreword by Alex Stamos and Scott Stender
    2. Foreword by Rudolph Araujo
  3. Preface
    1. Intended Audience
    2. How This Guide Is Organized
    3. Community
    4. Feedback and Support
    5. The Team Who Brought You This Guide
  4. 1. Introduction
    1. Overview
      1. Navigating the Web Service Security Guide
      2. Important Concepts
    2. Common Scenarios
      1. Public Web Service Scenario
        1. Distributor Web Service Profile
        2. Solution Approach
        3. Candidate Solution
      2. Intranet Web Service Scenario
        1. Banking Application Profile
        2. Solution Approach
        3. Candidate Solution
      3. Internet Business-to-Business Scenario
        1. Supply Chain Management Application Profile
        2. Solution Approach
        3. Candidate Solution
      4. Multiple Internet Web Services Scenario
        1. Travel Booking Application Profile
        2. Solution Approach
        3. Solutions Description
  5. I. Core Web Service Security Patterns
    1. 2. Authentication Patterns
      1. Introduction
        1. Important Concepts
        2. Direct Authentication vs. Brokered Authentication
          1. Brokered Authentication Options
        3. Authorization Methods
          1. Role-Based Authorization
            1. Declarative
            2. Imperative
          2. Resource-based Authorization
            1. Access Control List (ACL)
            2. URL Authorization
        4. Policy
      2. Direct Authentication
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      3. Brokered Authentication
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      4. Brokered Authentication: Kerberos
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
            1. Client Authenticates with Broker (KDC)
            2. Client Authenticates with Service
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      5. Brokered Authentication: X.509 PKI
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      6. Brokered Authentication: Security Token Service (STS)
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Extensions
          1. Extension 1 — Establishing a Secure Conversation
            1. Process
          2. Extension 2 — Web Service Federation
        7. Related Patterns
      7. More Information
    2. 3. Message Protection Patterns
      1. Introduction
        1. Data Integrity, Data Origin Authentication, and Data Confidentiality
      2. Data Confidentiality
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
            1. Symmetric Cryptography
            2. Asymmetric Cryptography
          3. Example
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      3. Data Origin Authentication
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
            1. Symmetric Signatures
            2. Asymmetric Signatures
          3. Example
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      4. More Information
    3. 4. Implementing Transport and Message Layer Security
      1. Introduction
        1. Important Concepts
        2. Transport Layer vs. Message Layer Security
      2. Implementing Direct Authentication with UsernameToken in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Identity Store Options
            1. Active Directory
            2. Database
            3. Directory Service
          2. Providing Secure Communication
          3. Participants
          4. Process
            1. The Client Generates a Web Service Request
              1. Step One: Initialize the UsernameToken
              2. Step Two: Establish Message Integrity
              3. Step Three: Encrypt Sensitive Data in the Message
            2. The Service Authenticates the Client and Returns a Response
              1. Step One: Decrypt the Request Message
              2. Step Two: Verify Message Integrity
              3. Step Three: Validate the Password
              4. Step Four: Establish the Response Integrity
              5. Step Five: Encrypt the Response
        5. Implementation Approach
          1. General Setup
            1. To enable a Visual Studio 2005 project to support WSE 3.0
          2. Configure the Client
            1. To add policy support to a WSE 3.0-enabled Visual Studio 2005 project
          3. Configure the Service
            1. To enable a Visual Studio 2005 project to support WSE 3.0 SOAP extensions
            2. To add policy support to a WSE 3.0-enabled Visual Studio 2005 project
            3. To enable anonymous access on a virtual directory in IIS 6.0
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        7. Variants
          1. Variant 1 — Using a Database as the Identity Store
          2. Variant 2 — Using an LDAP Directory Service as the Identity Store
          3. Create a Custom UsernameTokenManager
      3. Implementing Message Layer Security with Kerberos in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
            1. Client: Initialize the Security Token and Send the Message
              1. Step One: Request a Service Ticket
              2. Step Two: Retrieve the Service Ticket
              3. Step Three: Sign the Message
              4. Step Four: Encrypt the Message
              5. Step Five: Send the Message to the Service
            2. Service: Authenticate the Client
              1. Step One: Validate the Token
              2. Step Two: Decrypt the Message
              3. Step Three: Verify the XML Signature
              4. Step Four: Authorize and/or Impersonate the Client (Optional)
              5. Step Five: Initialize and Send a Response to the Client Computer (Optional)
        5. Implementation Approach
          1. General Setup
            1. To enable a Visual Studio 2005 project to support WSE 3.0
          2. Client Setup
            1. Configure the Policy
              1. To add policy support to a WSE 3.0 enabled Visual Studio 2005 project
            2. Add the Client Code
          3. Service Setup
          4. Enable SOAP Extensions
            1. To enable a Visual Studio 2005 project to support SOAP extensions
          5. Configure the Policy
            1. To add policy support to a WSE 3.0-enabled Visual Studio 2005 project
          6. Use the Service Code
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
      4. Implementing Message Layer Security with X.509 Certificates in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
            1. The Client Initializes and Sends a Message with X.509 Certificate Information
              1. Step One: The Client Retrieves the Service’s Certificate
              2. Step Two: The Client Retrieves Its own X.509 certificate and Private Key
              3. Step Three: The Client Attaches Its X.509 Certificate to a Message
              4. Step Four: The Client Signs the Message Using Its Private Key
              5. Step Five: The Client Encrypts the Message Using the Service’s Public Key
              6. Step Six: The Client Sends the Message to the Service
            2. The Service Authenticates a Client Using the X.509 Certificate and Signature
              1. Step One: The Service Validates the Client’s Certificate
              2. Step Two: The Service Verifies the Certificate Trust Chain
              3. Step Three: The Service Checks the Certificate Revocation Status
              4. Step Four: The Service Decrypts the Message
              5. Step Five: The Service Verifies the Signature
              6. Step Six: The Service Initializes and Sends a Response to the Client (Optional)
        5. Implementation Approach
          1. General Setup
            1. To enable a Visual Studio 2005 project to support WSE 3.0
            2. To configure WSE 3.0 X.509 security settings
          2. Configure the Client
            1. To add policy support to a WSE 3.0-enabled Visual Studio 2005 project
          3. Configure the Service
            1. To enable a Visual Studio 2005 project to support SOAP extensions
            2. To add policy support to a WSE 3.0-enabled Visual Studio 2005 project
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        7. Extensions
          1. Role-based Authorization
      5. Implementing Message Layer Security with a Security Token Service (STS) in WSE 3.0
        1. Context
        2. Implementation Strategy
      6. References for Transport Layer Security
        1. Implementing Brokered Authentication Using Windows Integrated Security on IIS
        2. Implementing Transport Layer Data Confidentiality Using HTTPS
        3. Implementing Transport Layer Security Using HTTP Basic over HTTPS
        4. Implementing Transport Layer Security Using X.509 Certificates and HTTPS
        5. Implementing Transport Layer Security with Kerberos and IPSec on Windows Server 2003
      7. More Information
  6. II. Additional Web Service Security Patterns and Guidance
    1. 5. Resource Access Patterns
      1. Introduction
        1. Important Concepts
        2. Resource Access Methods
      2. Trusted Subsystem
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
          3. Enforcing the Trust Relationship
            1. Kerberos Protocol Service Accounts
            2. Local Accounts
            3. X.509 PKI
            4. IPSec
          4. Example
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Extensions
          1. Extension 1 — Flowing the Identity of the Client
            1. Approach 1 — The Trusted Subsystem Provides a Self-Signed Token
            2. Approach 2 — The Trusted Subsystem Forwards a Signed Token That Is Provided by a Trusted Third Party
      3. Protocol Transition with Constrained Delegation Technical Supplement
        1. New Kerberos Extensions
          1. Protocol Transition
          2. Constrained Delegation
          3. Scenarios
        2. Implementation
          1. Use Protocol Transition to Initialize a WindowsIdentity Object for Authorization Checks
          2. Use Protocol Transition to Initialize a WindowsIdentity Object for Impersonation
            1. Step One: Create a Domain Account
            2. To create a domain user account
            3. Step Two: Configure the Domain Account on the Web Server
            4. Assign TCB privileges
            5. Add account to IIS_WPG
            6. Give IIS_WPG special folder permissions
            7. Step Three: Create a New Application Pool
            8. To add a new application pool
            9. Step Four: Configure the Web Application to Use the New Application Pool
            10. To configure the Web application to use the new application pool
          3. Use Constrained Delegation to Access Remote Resources
            1. Step One: Create SPN for Domain Account
            2. Step Two: Configure Delegation
          4. Sample Code
        3. Implementation Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
      4. More Information
    2. 6. Service Boundary Protection Patterns
      1. Introduction
      2. Message Replay Detection
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Variants
        7. Related Patterns
      3. Implementing Message Replay Detection in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
        5. Implementation Approach
          1. General Setup
            1. To enable a Visual Studio project to support WSE 3.0
          2. Configure the Client
          3. Configure the Service
            1. To add a policy cache file to the service project in Visual Studio
          4. Service Policy
          5. Replay Detection Custom Policy Assertion Code
          6. Replay Cache
            1. Cache Cleanup
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
      4. Message Validator
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      5. Implementing Message Validation in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
        5. Implementation Approach
          1. Configure the Client
          2. Configure the Service
            1. To enable the service project to support WSE 3.0
            2. To add a policy cache file to the service project in Visual Studio
          3. Configure Maximum Request Length
          4. Required Message Part/Schema Validation
          5. Custom Policy Assertion — Message Body Validation
          6. Use Regular Expressions to Parse Input
          7. Parameterize SQL Queries
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
      6. Exception Shielding
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
          3. Example
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Extensions
          1. Extension 1 — Logging Exceptions
        7. Related Patterns
      7. Implementing Exception Shielding
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
        5. Implementation Approach
          1. Create a Custom Exception Class
          2. Enclose Code in Try/Catch Blocks
          3. Create a Method that Sanitizes Exceptions
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
      8. More Information
    3. 7. Service Deployment Patterns
      1. Introduction
      2. Perimeter Service Router
        1. Context
        2. Problem
        3. Forces
        4. Solution
          1. Participants
          2. Process
          3. Example
        5. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        6. Related Patterns
      3. Implementing Perimeter Service Router in WSE 3.0
        1. Context
        2. Objectives
        3. Content
        4. Implementation Strategy
          1. Participants
          2. Process
        5. Implementation Approach
          1. General Setup
            1. To enable a Visual Studio 2005 project to support WSE 3.0
          2. Configure the External Application
          3. Configure the Perimeter Service Router
            1. To configure the perimeter service router
          4. Configure the Service
        6. Resulting Context
          1. Benefits
          2. Liabilities
          3. Security Considerations
        7. Extensions
          1. Extension 1 — Using the Perimeter Service Router as a Policy Enforcer
      4. More Information
    4. 8. Technical Supplements
      1. Introduction
      2. Kerberos Technical Supplement for Windows
        1. Local Security Authority (LSA)
          1. Accessing the LSA
          2. Security Support Provider Interface (SSPI)
        2. Important Concepts
          1. Shared Secrets
          2. Long Term Keys
          3. Session Keys
          4. Service Account
            1. Windows Integrated Security with IIS
          5. Message Layer Security with IIS
          6. Service Principal Names
            1. SPN Types
            2. Service Classes
            3. Defining an SPN
              1. To create a new SPN
          7. Kerberos Tickets
          8. Ticket Lifetimes
          9. Authenticator and Message Replay Detection
          10. Delegation Configuration
          11. Implementing Kerberos with SSPI
          12. Signing and Encryption
        3. Kerberos Protocol Operations for Web Services
          1. Using a Domain Account with IIS 5.x (Windows 2000 and Windows XP)
            1. To configure a domain account for the Kerberos protocol on a computer running IIS 5.x:
          2. Web Farm Deployment with WSE 3.0
        4. Troubleshooting
          1. Duplicate SPNs
            1. To perform a query with Ldifde.exe
            2. To list SPNs associated with an account
          2. Cached Tickets
            1. KerbTray and KList
          3. IIS Caching and Delegation
      3. X.509 Technical Supplement
        1. Public Key Encryption and Digital Signatures
        2. X.509 Certificates
        3. Implementations of X.509
          1. Secure Sockets Layer (SSL)
          2. WS-Security X.509 Binary Security Token
          3. IPSec
        4. Certificate Authorities
          1. Obtaining an X.509 Certificate
          2. Certificate Revocation
          3. Certificate Storage and Access
          4. Certificate Management
        5. Using X.509 Certificates in Patterns
      4. More Information
  7. A. Appendix
    1. Introduction
    2. Problem/Solution Index
      1. General
      2. Authentication and Authorization
      3. Kerberos Protocol and Windows Server 2003
      4. X.509 Certificates
      5. Message Protection: Data Confidentiality, Integrity and Data Origin Authentication
      6. Resource Access
      7. Windows Server 2003 Protocol Transition and Constrained Delegation
      8. Exception Shielding
      9. Message Validation
      10. Message Replay Detection
      11. Secure Conversation
      12. Service Router
      13. More Information
    3. WSE 3.0 Security: Interoperability Considerations
      1. Interoperability Between WSE 2.0, WSE 3.0, and WCF
        1. WSE 3.0 and the Windows Communication Foundation (WCF)
          1. WSE 3.0 and WSE 2.0
      2. Web Services Security Interoperability with Other Platforms
        1. Support for Advanced Web Services Specifications
        2. Support for New Versions of Web Services Specifications
        3. Varying Support for Extensibility Options Within the Specifications
          1. Example
      3. More Information
    4. Policy Advisor for WSE 3.0
      1. PolicyAdvisor.xml
      2. Input Format
      3. Output Format
      4. Using Policy Advisor with Visual Studio 2005
        1. To use Policy Advisor in Visual Studio 2005
    5. Patterns: A Common Vocabulary for Information Technology Professionals
      1. Overview
      2. The Challenge
      3. The Solution
        1. A Standard Notation for Designs—Design Patterns
        2. A Standard Vocabulary—Pattern Languages
        3. A Standard Repository—PatternShare
        4. A Layered Model—The Pattern Frame
        5. IDE Integration—Guidance Automation Toolkit (GAT)
      4. Conclusion and Recommendation
      5. More Information
        1. Bibliography
    6. Glossary
      1. authentication
      2. authorization
      3. brokered authentication
      4. claim
      5. client
      6. confidentiality
      7. credentials
      8. data confidentiality
      9. data integrity
      10. data origin authentication
      11. data encryption
      12. delegation
      13. digital signature
      14. direct authentication
      15. identification
      16. impersonation
      17. impersonation/delegation model
      18. message layer security
      19. mutual authentication
      20. proof-of-possession
      21. protection scope
      22. protocol transition
      23. public-private key encryption
      24. security context
      25. security context token (SCT)
      26. security token
      27. security token service (STS)
      28. service account
      29. signed security token
      30. service
      31. transport layer security
      32. trust
      33. trusted subsystem
    7. References
  8. B. Bibliography
    1. General Information
      1. Security Background
        1. Bibliography
      2. Pattern Resources
        1. Bibliography
    2. Chapter 1, "Authentication Patterns"
      1. Bibliography
    3. Chapter 2, "Message Protection Patterns"
      1. Bibliography
    4. Chapter 3, "Implementing Transport and Message Layer Security"
    5. Chapter 4, "Resource Access Patterns"
      1. Bibliography
    6. Chapter 5, "Service Boundary Protection Patterns"
      1. Bibliography
    7. Chapter 6, "Service Deployment Patterns"
      1. Bibliography
    8. Chapter 7, "Technical Supplements"
    9. Appendix
    10. Community Workspace and Wiki
  9. C. Patterns & Practices
  10. Index
  11. About the Author
  12. Copyright