1 Web Service Security Through A Guard Roxanne Yee Home Institution: University of Hawai ʻ i at...

Post on 31-Mar-2015


1

Web Service Security Through A Guard

Roxanne Yee

Home Institution: University of Hawaiʻi at Mānoa

Internship Site: Akimeka, LLC

Mentor: Marc Lefebvre

Advisor: Todd Lawson

2

Presentation Overview

Project Hierarchy and Motivation

Background and Terminology

Guard

Web Service Security

My Specific Part

Test Bench

An Example

Questions

3

Information Assurance (IA) Group

Cross Domain Solutions (CDS) Group

GWSG (Global Web Services Gateway) Project

Service Oriented Architecture (SOA) Test Lab

Customers

National Security Agency (NSA)

Defense Information Systems Agency (DISA)

4

GWSG Project Motivation

Goal

To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network

Unclassified Database

Classified Network

User

5

GWSG Project Motivation

One Method Currently Used To Access Data

Unclassified Database

Classified Database

Classified Network

User (Soldier)

Sneaker-net

6

GWSG Project Motivation

Disadvantages to Current Methods

Redundancies of Data

Time Costly: Replication, Transportation

Need For Data Synchronization: Frequent Updates

No Guarantee of Data Availability

Extra Manpower by Man-In-The-Loop

7

GWSG Project Motivation

New Cross Domain Solution (CDS) Web Services Technology

Unclassified Database

Classified Network

User (Soldier)

Guard

8

SOA Test Lab Component

Goal

Evaluate Guards Specified by NSA and DISA

Compare capability and effectiveness to process message formats used by web services today

Provide the best guard solution given a specific situation in which the guard would be applied

9

My Part In The SOA Test Lab

Research and Document How To Implement Web Service Security

Controlled and Predictable Environment

Test Web Service

Findings To Be Used In SOA Test Lab: Foundation, Template

10

WSS, SOAP, and HTTP

WSS or WS-Security (Web Service Security)

OASIS (Organization for the Advancement of Structured Information Standards)

Applied to SOAP Messages

SOAP (Simple Object Access Protocol)

Message Format

HTTP (Hypertext Transfer Protocol)

Transport Protocol

11

The Project: Test Bench

Client and Server on same computer

Communicate through localhost interface

Client (soapUI)

Server (Axis2)

* SOAP Request and SOAP Response

12

The Project: Open-Source Software

Server Side

Tomcat 6.0.16

Axis2 1.4

Rampart 1.4

Client Side

soapUI 2.0.2

13

The Project: Test Bench

Client and Server on same computer

Communicate through localhost interface

Client (soapUI)

Server (Axis2)

* SOAP Request with WSS

14

soapUI Outgoing Configuration


Interface Used to Apply WSS to Request To Server

15

A SOAP Message Request w/o WSS

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>

Usual Request soapUI Sends w/o WSS

16

A SOAP Message Request Header with WSS

<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527" xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

Additional WSS Information Applied To Usual soapUI Request

17

The Project: Test Bench

Client and Server on same computer

Communicate through localhost interface

Client (soapUI)

Server (Axis2)

* SOAP Response with WSS

18

services.xml Without Rampart

<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing" />
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>

Usual Configuration Scheme For A Service on The Server

19

services.xml with Rampart

<module ref="rampart" />
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Additional Code To Tell Rampart What Type of WSS To Expect

20

The Project: Test Bench

Client and Server on same computer

Communicate through localhost interface

Client (soapUI)

Server (Axis2)

* SOAP Messages with WSS

21

The Project: Ultimate Purpose

Client (soapUI)

Server (Axis2)

* SOAP over HTTP with WSS

* Proprietary Format over Proprietary Protocol

localhost

Classified | Unclassified

Guard

XML Firewall

XML Firewall

22

WSS Mechanisms Attempted

User Name Token: Username and Password

Timestamp: Time to Live

Encryption: Confidentiality

Signature: Integrity and Authentication

23

An Example: Test Web Service

Client Server

“Hi!”

“Hi!”

24

An Example: Valid User Name Token

Client Server

Echo

Correct Username And Password

25

An Example: Invalid User Name Token

Client Server

Incorrect Username And/Or Password

Error

26

An Example: Test Results

Username    Password    Result
Correct     Correct     Echo
Incorrect   Incorrect   Error
Blank       Blank       Error
Correct     Incorrect   Error
Correct     Blank       Error
Incorrect   Correct     Error
Incorrect   Blank       Error
Blank       Correct     Error
Blank       Incorrect   Error
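The slides show the soapUI request with a WSS UsernameToken (slide 16), the Rampart policy that makes the server demand that token (slide 19), and the nine username/password combinations that were tried (slide 26), but not the check that produces the single "Echo" row. The following Python is an added example written for this page, not Axis2/Rampart code and not from the presentation: it builds the same SOAP 1.2 echo request, validates the UsernameToken the way a policy-enforcing server would, and replays the result matrix. The full OASIS namespace URIs are written out here where the slides abbreviate them with "…"; the credential dictionary stands in for Rampart's password callback class and is constructed for the example.

```python
"""Added example: server-side check of a WS-Security UsernameToken (PasswordText)
and the nine-row result matrix from the test results slide.
Not Axis2/Rampart code; the dict below stands in for Rampart's PWCBHandler."""
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Full OASIS namespace URIs (the slides shorten them to "http://...").
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAMPLE_NS = "http://sample01.policy.samples.rampart.apache.org"

# Constructed credential store; in Rampart this lookup is done by the
# passwordCallbackClass named in services.xml. alice/bobPW is the slide's pair.
CREDENTIALS = {"alice": "bobPW"}


def build_request(username, password, text="Hello?", with_wss=True):
    """Constructed SOAP request mirroring the soapUI message on the slides.
    with_wss=False yields the empty <soap:Header/> of the 'w/o WSS' slide."""
    header = "<soap:Header/>"
    if with_wss:
        header = (
            "<soap:Header>"
            f'<wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE_NS}">'
            f'<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU_NS}">'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
            "</wsse:UsernameToken></wsse:Security></soap:Header>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sam="{SAMPLE_NS}">'
        f"{header}<soap:Body><sam:echo><sam:param0>{escape(text)}</sam:param0>"
        "</sam:echo></soap:Body></soap:Envelope>"
    )


def authenticate(envelope):
    """Return None when the UsernameToken is acceptable, else a reason string.
    The reason stays server-side; the client only ever sees 'Error'."""
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    security = None if header is None else header.find(f"{{{WSSE_NS}}}Security")
    if security is None:
        return "no wsse:Security header"  # the policy requires the token
    token = security.find(f"{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return "no UsernameToken"
    user_el = token.find(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    if user_el is None or pw_el is None:
        return "incomplete token"
    if pw_el.get("Type") != PASSWORD_TEXT:
        return "unsupported password type"  # only PasswordText handled here
    username = (user_el.text or "").strip()
    password = pw_el.text or ""
    expected = CREDENTIALS.get(username)
    if not username or not password or expected is None:
        return "unknown user or blank credential"
    # Constant-time comparison so a near-miss is not distinguishable by timing.
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return "bad password"
    return None


def handle_request(xml_text):
    """Process one request: 'Echo: <text>' on success, 'Error' on any failure."""
    try:
        envelope = ET.fromstring(xml_text)
    except ET.ParseError:
        return "Error"
    if authenticate(envelope) is not None:
        return "Error"
    param = envelope.find(
        f"{{{SOAP_NS}}}Body/{{{SAMPLE_NS}}}echo/{{{SAMPLE_NS}}}param0")
    if param is None:
        return "Error"
    return f"Echo: {param.text or ''}"


def run_matrix():
    """Reproduce the results slide: (username, password) -> 'Echo' or 'Error'."""
    users = {"Correct": "alice", "Incorrect": "mallory", "Blank": ""}
    passwords = {"Correct": "bobPW", "Incorrect": "wrongPW", "Blank": ""}
    return {
        (u, p): handle_request(build_request(users[u], passwords[p])).split(":")[0]
        for u in users for p in passwords
    }


if __name__ == "__main__":
    for (u, p), result in run_matrix().items():
        print(f"{u:9} {p:9} {result}")
```

Only the Correct/Correct cell returns "Echo"; every other cell, including the request with no Security header at all, collapses to the same "Error", which is what the table on the slide records.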

27

Actual SOA Test Lab Setup


28

Acknowledgements

VP Operations: Matt Granger

Program Manager: Todd Lawson

Mentor: Marc Lefebvre

GWSG: Bryan Berkowitz, Casey McGinty, Scott Oshita, Christopher Paris, Derek Terawaki

Helpful Coworkers: Conrado Cortez, Deanna Garcia, Mark Mizubayashi

Former Cubiclemates: Ellen Federoff, Kelly Ledford

And Everyone Else Who Made Me Feel Welcome!

29

Acknowledgements

Maui Akamai Internship Program

Funding

Center for Adaptive Optics (CfAO): National Science Foundation and Technology Center Grant (#AST-987683)

Akamai Workforce Initiative: National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699)

University of Hawaiʻi Grant

Program Staff: Lisa Hunter, Lani LeBron, Scott Seagroves, Lynne Raschke

Short Course Instructors: Dave Harrington, Ryan Montgomery, Isar Mostafanezhad, Mark Pitts, Sarah Sonnet

And Everyone Else Who Contributed To This Valuable Experience!

30

Thank you!

Any Questions?