Florida Atlantic University
Department of Computer and Electrical Engineering & Computer Science (CEECS)
Secure Systems Research Group
Fall 2009
“A Pattern for the WS-Policy Standard”
Ola Ajaj
Introduction
• Web Services Standards can be:
  – Lengthy documents.
  – Too many details.
  – Difficult for vendors to develop products.
  – Difficult for users to decide what product to use.
• Also, several organizations with different goals have developed standards that may overlap and even conflict with each other.
• We develop patterns for these standards to have a better understanding.
Security Standards
[Figure: stack of security standards. Standards shown: SOAP Foundation; WS-Security, SAML, XACML, SPML; XML Encryption, XML Digital Signature, XKMS; WS-Policy, WS-Trust, WS-Privacy; WS-Federation, WS-SecureConversation, WS-Authorization.]
[Figure: diagram showing XML Encryption, Symmetric Encryption, Asymmetric Encryption, XACML, XML Signature, Digital Signature With Hashing, WS-Security, WS-Policy, WS-Federation, WS-Trust and WS-Secure Conversation.]
Ajiad is a travel agency that has expanded its office services to cover online trade customers. Ajiad offered many of its everyday operations through a web services-based system, some of which have a certain level of privacy and security for the customers who have been granted privileges.
Ajiad has now declared new rules that define how its web services should be accessed, by means of policies stating who can use them, when, and in what way.
Introduction
WS-Policy
Why? To integrate software systems with web services.
What? Provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of Web Service entities.
How? Defines a model to express these properties as policies.
Without this standard, developers need docs.
WS-Policy Model
[Figure: Provider and Consumer interaction. Labels: WSDL; CreatePurchaseOrder (SOAP/HTTP); CreatePurchaseOrderRequest; CreatePurchaseOrderResponse; PublishService; PublishServiceMetadata; FindService; FindServiceRequest; FindServiceResponse.]
Terminology
Policy: a collection of policy alternatives.
Policy Alternative: a collection of policy assertions.
Policy Assertion: represents a requirement, a constraint, or a capability of the behavior of a web service.
** An assertion is a declaration of certain facts, such as “Jad was granted update privileges to database X at time Y”.
** A behavior, for example, could be a guarantee of message delivery.
Policy Expression: a set of one or more policy assertions that are combined to do some work.
WS-Policy Model
Policy Normal Form

<wsp:Policy>
  <wsp:ExactlyOne>
    <wsp:All>
      <Assertion> ... </Assertion>
      ...
      <Assertion> ... </Assertion>
    </wsp:All>
    ...
    <wsp:All>
      <Assertion> ... </Assertion>
      ...
      <Assertion> ... </Assertion>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Policy Expression: collection of alternatives ("pick one")
Policy Alternative: collection of assertions ("do all")
Policy Assertion: domain-specific behavior
Terminology
Policy Attachment: the mechanism for associating policy expressions with one or more subjects.
A Pattern for WS-Policy
• Intent
Without a clear definition of how to use web services, they could be chaotic.
The Policy Framework defines a base set of constructs that check the requests made by requestors, in order to verify that they fulfill their assertions and convey their conditions before interacting with the web service.
Example
While transforming to its new system, some of Ajiad’s Travel Agency customers have been accessing web services they are not allowed to access.
The reason for that was having outdated and unreliable services (due to a decreased number of customers or violating security rules) and losing money (due to accessing services that at some point require fees and subscription).
Context
Distributed applications need to communicate in a collaborative way to perform some work in a web-service environment. For this, they use the Internet (an unreliable and insecure environment), which is exposed to attackers.
Problem
Without applying relevant policies for protection, web services have no means to assure reliability and security in their integration.
Forces
• The possible solution is constrained by the following forces:
– Confidentiality and Information Disclosure: Malicious consumers may try to read and modify sensitive information. We need to define appropriate policies to protect the information.
– Tampering: Malicious users try to tamper or replace policy assertions.
– Reception and Repudiation: The provider may perform a malicious activity that is not expected by the requestor.
– Regression: A policy may offer several alternatives that vary from weak to strong requirements. An adversary may interfere and discard this policy and insert a weaker policy previously issued by the same provider.
– Denial of Service: Malicious providers may provide a policy expression with a large number of alternatives, a large number of assertions in alternatives, deeply nested policy expressions or chains of Policy Reference elements (e.g. Internet addresses) that expand exponentially.
Solution
– Each policy is defined in terms of nested constructs that convey the restrictions the policy implies. When the policy is attached to a web service, clients looking to transact with that web service are forced to follow its assertions (e.g. signing, encryption, timestamp, and username) of the type specified in the policy.
– Web services are protected against unauthorized access by having policies that provide conditions in order to use them. Requesters willing to use a web service are required to follow its policy first.
[Figure: class diagram for the WS-Policy pattern]
Classes (attributes; operations):
• Policy (name, ID, reference; addAlternative(), deleteAlternative(), updateAlternative(), assignReference())
• PolicyAlternative (addAssertion(), deleteAssertion(), updateAssertion())
• PolicyAssertion (attributes, children; addAssertion(), deleteAssertion(), updateAssertion())
• Requirement
• PolicyAttachment (attachPolicy())
• PolicyScope (attributes)
• PolicySubject (attributes)
• Entity
• PolicyAssertionParameter (child-element)
• PolicyAssertionType (nameSpace, localName)
• PolicyExpression (reference, digest)
• Form, CompactForm, NormalForm
Association labels: associateWith, attach, expressedAs, contains, convey
Notes: "A PolicyOperator could be used to group Assertions into Alternatives"; {PolicyExpression should not reference itself directly or indirectly}
Dynamics
We describe the dynamic aspects of the WS-Policy using sequence diagrams for the use cases “create a policy” and “request a service”.
– Create a new policy:
  • Summary: A provider will create a new policy for a web service.
  • Actors: policy provider.
  • Precondition: The provider has already created a web service.
Create a new policy
[Figure: sequence diagram. Participants: :Provider, :Policy, :WebService. Messages: <<createPolicy>>, addAlternative, addAssertion, addRequirement, policyCreated, embedPolicy, addPolicy, policyEmbedded.]
Create a new policy
– Description:
  • The policy provider will create the policy by specifying and adding its required alternatives, assertions and requirements. The provider creates as many assertions as necessary to meet the conditions for his/her Web Service.
  • All the alternatives, assertions and requirements are added to the web service.
  • The provider embeds the policy in the web service.
  • The Web Service adds the policy to its structure.
– Postcondition: The provider has attached the policy to its designated web service.
Request a service
• Note: this use case needs to be revised.
• Request a service:
  – Summary: A requester will use a published policy-embedded web service.
  – Actors: policy Provider, policy Requestor and Broker.
  – Precondition: The provider had already created a web service with a policy that controls its services.
Request a service
[Figure: sequence diagram. Participants: :Provider, :WebService, :Broker, :Requester. Messages: <<createWebService>>, addPolicy, embedPolicy, webServiceCreated, policyEmbedded, publishWebService, addWebService, webServicePublished, webServiceDiscover, webServiceResult, webServiceRequest, webServiceResponce.]
– Description:
  » The policy Provider will publish its web service to the Broker.
  » The Broker will add the web service to its registry or repository.
  » The Requestor contacts the Broker to find the suitable web service and the Broker will reply with results to choose from.
  » The Requester will send a UseServiceRequest to the Provider, who in turn replies with a UseServiceResponce.
– Postcondition: The Requestor is now using the Web Service in terms of satisfying its policy conditions.
Implementation
– To ensure an effective implementation, we need to take the following into consideration:
• A policy may or may not reference another policy or policies, depending on the level of authentication that is required.
• A policy alternative may contain multiple assertions of the same type. Policy assertions within a policy alternative are not ordered. However, providers can write assertions that control the order in which behaviors are applied.
• Policy Assertions are the main blocks of the policy that specify a particular behavior. Translating these assertions will qualify the behavior indicated by. For example, sp:AsymmetricBinding assertion is identified to support a specific reliable messaging mechanism, while sp:SignedParts assertion is used to indicate message-level security and sp:EncryptedParts assertion is used to indicate the parts of a message that require confidentiality.
• A policy expression conveys policy in an interoperable form, either in a normal form (which is the most straightforward XML representation of the policy data model) or in an equivalent compact form (that is used to compactly express a policy with more description about definitions and outlines).
• A policy expression should not reference itself directly or indirectly, to avoid the forces mentioned under the Problem section above.
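The relationship between the compact and normal forms described above, as an added example that is not part of the original slides: a compact expression is expanded into the normal form by multiplying out `wsp:All` ("do all") over `wsp:ExactlyOne` ("pick one"). It covers only these two operators; the sample policy and the `sp:` placeholder namespace are constructed, and `wsp:PolicyReference` and nested policies inside assertions are assumed not to occur.

```python
import copy
import itertools
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"   # WS-Policy 1.5 namespace

def alternatives(el):
    """Return the alternatives under el as a list of tuples of assertion elements."""
    if el.tag in (WSP + "Policy", WSP + "All"):
        # "do all": take one alternative from every child and merge them
        parts = [alternatives(child) for child in el]
        return [sum(combo, ()) for combo in itertools.product(*parts)]
    if el.tag == WSP + "ExactlyOne":
        # "pick one": the children's alternatives stand side by side
        return [alt for child in el for alt in alternatives(child)]
    return [(el,)]                          # a domain assertion is one alternative

def to_normal_form(xml_text):
    """Build <Policy><ExactlyOne><All>...</All>...</ExactlyOne></Policy>."""
    policy = ET.Element(WSP + "Policy")
    exactly_one = ET.SubElement(policy, WSP + "ExactlyOne")
    for alt in alternatives(ET.fromstring(xml_text)):
        all_ = ET.SubElement(exactly_one, WSP + "All")
        for assertion in alt:
            all_.append(copy.deepcopy(assertion))
    return policy

def summary(policy):
    """Local names of the assertions in each alternative of a normal-form policy."""
    return [[a.tag.split("}")[1] for a in all_] for all_ in policy[0]]

# Constructed sample: signing is required, encryption is one of two choices
# (the empty <wsp:All/> is the alternative with no further assertion).
COMPACT = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
                         xmlns:sp="urn:example:sp">
  <sp:SignedParts/>
  <wsp:ExactlyOne>
    <sp:EncryptedParts/>
    <wsp:All/>
  </wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    print(summary(to_normal_form(COMPACT)))
    # [['SignedParts', 'EncryptedParts'], ['SignedParts']]
```

Every additional independent choice in the compact form doubles the number of alternatives in the normal form, which is why the size of the expanded policy has to be bounded.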
Example Resolved
– Ajiad’s new web-based system now has more control over its services by applying prerequisite conditions and security constraints through policies. So, in order to use any service, all customers are required to comply with its policy conditions and agree with its terms before using that web service.
– Ajiad’s strategy of giving customers relevant privileges (compatible with their memberships) is still valid, but this time with enhanced categories that prioritize their services and protect business credentials.
Consequences
– (+) Policy providers can use mechanisms from other web services specifications such as WS-Security [ibm09b], XML Digital Signature [w3c08] and WS-Metadata Exchange [w3c09], by securing access to the policy, requiring authentication for sensitive information and omitting sensitive information from the policy.
– (+) Requestors should discard a policy unless it is signed by the provider and presented with sufficient credentials.
– Policy providers can avoid older or weaker policy alternatives.
– (+) Requestors can discard policy alternatives which include assertions whose behavior cannot be verified by examining the wire message from the provider to requestor.
– (+) Policy should use a modal margin with defaults on number of policy alternatives, number of assertions in an alternative, depth of nested policy expressions.
– (-) WS-Policy is an immature specification which is still changing.
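An added example, not part of the original slides: one way a requester could apply the limits named above (number of alternatives, assertions per alternative, nesting depth) and refuse self-referencing `wsp:PolicyReference` chains without ever expanding the policy. The limit values, the `registry` that maps a reference URI to an already fetched policy element, and the `sp:` placeholder namespace are assumptions.

```python
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"   # WS-Policy 1.5 namespace
# Assumed defaults; the slides say such limits should exist but give no values.
MAX_ALTERNATIVES, MAX_ASSERTIONS, MAX_DEPTH = 16, 32, 8

class PolicyRejected(Exception):
    pass

def measure(el, registry, depth=1, chain=()):
    """Return (alternatives, most assertions in one alternative) without expanding."""
    if depth > MAX_DEPTH:
        raise PolicyRejected("nesting or reference chain too deep")
    if el.tag == WSP + "PolicyReference":
        uri = el.get("URI")
        if uri in chain:
            raise PolicyRejected("policy references itself via " + uri)
        if uri not in registry:
            raise PolicyRejected("unresolved reference " + str(uri))
        return measure(registry[uri], registry, depth + 1, chain + (uri,))
    kids = [measure(child, registry, depth + 1, chain) for child in el]
    if el.tag in (WSP + "Policy", WSP + "All"):
        alts, width = 1, 0
        for a, w in kids:                 # "do all": counts multiply
            alts, width = alts * a, width + w
    elif el.tag == WSP + "ExactlyOne":
        alts = sum(a for a, _ in kids)    # "pick one": counts add
        width = max((w for _, w in kids), default=0)
    else:
        alts, width = 1, 1                # domain assertion; children were depth-checked
    if alts > MAX_ALTERNATIVES or width > MAX_ASSERTIONS:
        raise PolicyRejected("too many alternatives or assertions")
    return alts, width

def check_policy(xml_text, registry=None):
    """Parse a policy expression and apply the limits; registry maps URI -> Element."""
    return measure(ET.fromstring(xml_text), registry or {})

# Constructed sample input (sp: is bound to a placeholder namespace).
NS = 'xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="urn:example:sp"'
CHOICE = ("<wsp:ExactlyOne><wsp:All><sp:SignedParts/></wsp:All>"
          "<wsp:All><sp:SignedParts/><sp:EncryptedParts/></wsp:All></wsp:ExactlyOne>")

def sample(n):
    """A compact policy with n independent two-way choices (2**n alternatives)."""
    return f"<wsp:Policy {NS}>{CHOICE * n}</wsp:Policy>"

if __name__ == "__main__":
    print(check_policy(sample(2)))        # (4, 4)
```

`sample(5)` already describes 32 alternatives in five short elements and is rejected by the count alone, before any expansion takes place.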
Related Patterns
• A pattern language for security models. [Fer01]
• Rule Object 2001: A Pattern Language for Adaptive and Scalable Business Rule Construction. [Ars01]
• Patterns for the eXtensible Access Control Markup Language. [Del05]
• Patterns for Access Control in Distributed Systems. [Del07]