Page 1: WAS 70 Reality of SOA Security

IBM Software Group ®

The Reality of Implementing SSO on an SOA Bus.

Martin Lansche, Consulting I/T Specialist, [email protected]
IBM Software Services for WebSphere
http://www.ibm.com/WebSphere/developer/services

last update: May 23, 2011

Page 2: WAS 70 Reality of SOA Security

IBM Software Group | WebSphere software


WebSphere Security Presentation Series

This presentation is part of the WebSphere Security Presentation Series led by Keys Botzum, with help from so many others.

Available internally at http://pokgsa.ibm.com/~keys/documents/securitySeries

Related presentations

We assume you’ve seen or are familiar with:
• Core Concepts
• WAS Security Introduction

You may be interested in:
• Advanced Authentication
• SSO Conceptual Overview
• Version 6.1 and 7 Security: Infrastructure Hardening
• Securing Web Services Using WS-Security Policy Sets
• Using WS-Security SAML with WebSphere Application Server and DataPower

Page 3: WAS 70 Reality of SOA Security


Change is the Only Constant

This presentation reflects my current opinions regarding WAS security. The product itself continues to evolve (even in PTFs).

The presentation is based on 7.0. This will be revised as we learn more. Your thoughts and ideas are welcome.

Disclaimer: Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Page 4: WAS 70 Reality of SOA Security


Agenda

Setting the Stage
Authentication Options through the Bus
• System Identity to Provider
− Transport Based
− WS-Security Based
• End-User Identity to Provider to WebSphere
− Transport Based
− WS-Security Based
• End-User Identity to Provider to Non-WebSphere
− WS-Security SAML Profile
Fine Grain Authorization options on the Bus

Page 5: WAS 70 Reality of SOA Security


Take home messages

The intent of this presentation is not to criticize ESBs. There are many good reasons to use an ESB, and to use an ESB as a form of security gateway.

We just want to raise some security issues that you should consider regarding your ESB implementation.

We frequently see that these issues are overlooked.

Common mistakes and how to avoid them.

“Security is hard. Think hard about it”™.

SOA Security is harder.

(Transport-based solutions refer to SOAP/HTTP(S) transport, synchronous messaging.)

Page 6: WAS 70 Reality of SOA Security


Using an ESB as your Security Gateway?

One of the reference architectures for SOA looks like this:

What are your security requirements for your ESB? Are you just abstracting provider endpoints?

Or do you want to enforce access through your ESB?

Page 7: WAS 70 Reality of SOA Security


What is wrong with this Gateway?

Page 8: WAS 70 Reality of SOA Security


Sample SOA Message flow

1 – Authenticate and Authorize external requests
2 – Invoke business process
3-20 – Orchestration calls: other services in WPS, WMB services, Mainframe services

(Figure components: Company Desktops, Outsourced Provider Desktops, Other Company Systems, Application, DataPower XI50 Gateway, DataPower XI50 ESB, Security Service (AuthZ), Process Server Orchestration, WebSphere Message Broker, Mainframe Services, and two firewalls; calls 1, 2 and 3-20 are marked on the arrows.)

Page 9: WAS 70 Reality of SOA Security


Services can be called from anywhere

What stops any process on any IP-connected system from calling the Orchestration services? WMB services? Mainframe services?

In a poorly implemented solution, once through the Gateway, any service can be called.

“We trust every application on every system in our enterprise.”
• Yet hosted by a 3rd party: they implicitly trust every application on 10,000s of 3rd party systems.

“We assume that all requests flow through DataPower ESB.” This is “security by wishful thinking”™.

Page 10: WAS 70 Reality of SOA Security


Internal “Chained” Services

Assume that the Provider requires credentials. In other words, “able to connect” is not an option.

Consider an internal “chained” service that directly sends credentials to the provider:
• J2EE – local EJB method
• DataPower – any service on the device is callable by any thread on the device (via 127.0.0.1); this is a common pattern on DataPower

If the chained service does not do AAA, then any “local service” can invoke the provider through the chained service.
• In DataPower – all services on any domain. Essentially the entire device is your application.
• In J2EE – all applications in the same JVM as the local EJB.

The secure approach is that chained services require AAA. The calling service must then present credentials.


Page 12: WAS 70 Reality of SOA Security


Fundamental ESB Security

ESB must authenticate and authorize all requests from Clients (Consumers).

Provider authorization options:
1. Accept any request that can reach the provider.
2. Based on the request coming from the ESB.
3. Based on end-user identity (supports ESB bypass).
4. Request came from the ESB AND end-user identity.

How? How to propagate end-user identity? How to do it quickly?

Page 13: WAS 70 Reality of SOA Security


Scenarios 1 & 2

(Figure: Scenarios 1 & 2, with the two firewalls marked; diagram only.)

Page 14: WAS 70 Reality of SOA Security


Scenario #3 Flowing End User Identity – Bypass of ESB possible

(Figure components: Application, DataPower Gateway, ESB, Backend Systems, LDAP, Other Company Systems; flow 3 carries the end-user identity “alice”; the labels “ESB-ID” and “Bypass ESB” appear on the diagram.)

Page 15: WAS 70 Reality of SOA Security


Flowing End user identity – only through ESB

(Figure: end-user identity flowing only through the ESB, with the two firewalls marked; diagram only.)

Page 16: WAS 70 Reality of SOA Security


Identity Propagation – in the abstract

Page 17: WAS 70 Reality of SOA Security


Questions r.e. System Identity vs. End-User Identity

System Identity vs. End-User Identity – what is required by the business?
• Only proof that the request went through the ESB?
• Or the original end-user identity?
• Or both?

Does the identity need to exist in the Provider registry? Real vs. ephemeral userid.

Is end-user identity enough? Do we need to assert group membership? (e.g. for ephemeral userids)

Do we need to assert business data?

Depending on the token type used, or the ESB product, some of these variants may or may not be possible… To be explained….

Page 18: WAS 70 Reality of SOA Security


Ephemeral Userids / a.k.a. Transient Userids

Assert ephemeral “Carol” as a member of Temp-Contractors-Tier1:
RealmUniqueSecurityName = forest.ibm.net:389/CN=Carol,CN=Temp-Users,dc=ibm,dc=net
Groups found: Group ID: group:forest.ibm.net:389/CN=Temp-Contractors-Tier1,CN=groups,DC=ibm,DC=net

Notes:
• Carol does not exist as a user in LDAP.
• Group “Temp-Contractors-Tier1” exists but with no members.

WAS V7.0.0.x potential alternative – “All Authenticated In Trusted Realm” – more later…

Page 19: WAS 70 Reality of SOA Security


SOA Authorization Considerations (at Provider)

Transport Authentication
• All endpoints under the same URI share a common JEE security constraint.
• If finer-grain authorization is needed:
− Provider URI bound to AllAuthenticatedUsers
− Programmatic or EJB Session Authz.

Message Authentication
• WS-Sec does not address Authorization!!!
• Programmatic or EJB Session Authz.


Page 21: WAS 70 Reality of SOA Security


Use Cases – System Identity to Provider

HTTP Transport
• BasicAuth Authorization header (configuration)
• SSL Client Auth (configuration, must manage client certificates)
• System-specific Cookie
− LtpaToken2 Cookie (small amount of application code, ESB must share LTPA key and realm) – see Programming Hints and Tips.
• SPNEGO Authorization header (complex set-up, non-trivial application code, client must contact KDC for every request, restrictions) – see SPNEGO presentation.

Message (WAS configuration – Policy Set – JAX-WS | DataPower configuration)
• UNT with password
• X509 BST (must manage client certificates)
• LtpaToken BST (ESB must share LTPA key and realm)
• Kerberos BST (complex set-up, client must contact KDC for every request)
• SAML BST (complex set-up, may contact STS on every call) – overkill for a system account

Prefer black options. LTPA is IBM only. SAML & Kerberos raise interop issues.

Page 22: WAS 70 Reality of SOA Security


System Identity – Speed Comparisons

Note: Not based on empirical testing!!!

HTTP Transport – called before dispatching to the WS runtime:
(1) LtpaToken2 Cookie
(2) BasicAuth HTTP Transport – WAS Security runtime can cache password checks
(3) SSL mutual auth
(8) SPNEGO HTTP Transport – client must contact KDC on every request

Message level:
(4) UNT
(5) LTPA BST
(6) X509 BST
(7) Self-Issued SAML BST
(9) Kerberos BST
(10) STS-Issued SAML BST

Page 23: WAS 70 Reality of SOA Security


Web Services Performance with Security

Many forms of security are available for protecting web services messages.

Transport level security (HTTPS) can be used for protecting messages in high volume production environments for integrity (signing) and confidentiality (encrypting).

HTTP authentication mechanisms have less overhead than WS-Security authentication tokens.

Overhead of authentication mechanisms is reduced as the message sizes get larger.

The overhead of security in these charts is a worst case since the SUT is running at 100% CPU utilization and the service implementation does not contain any business logic. This will exaggerate the cost of security.

Note: HTTPS Security does not include authentication. This does not include the high cost of WS-Security Message Protection.

(Charts: Client SUT and SUT (AppServer); performance charts not reproduced.)

Page 24: WAS 70 Reality of SOA Security


LTPA Cookie Generation

For WAS, see Programming Hints and Tips.

DataPower Config – AAA Post Processing:
• Generate an LTPA Token
• Select correct LTPA Token Version
• Expiry/Key File
• Wrap Token in a WS-Security Security Header = off

Unlike other AAA options:
• Only one WS-Sec or Cookie can be generated in one AAA action.
• No DP API for generation via XSL.

Page 25: WAS 70 Reality of SOA Security


HTTP Transport example – Basic

POST /cpid-authenticate HTTP/1.1
Authorization: Basic YWxpY2U6cGFzc3dvcmQ=
User-Agent: curl/7.15.0 (i586-pc-mingw32msvc) libcurl/7.15.0 OpenSSL/0.9.7e zlib/1.2.2
Host: wasserver.ibm.net
Accept: */*
Content-Length: 357
Content-Type: application/x-www-form-urlencoded

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:aut="http://tempconverter.ca/schema/authenticate">
  <soapenv:Header/>
  <soapenv:Body>
    … removed
  </soapenv:Body>
</soapenv:Envelope>

Overhead < 50 bytes. Any Base64 decoder (Google it!!) can decode that string.

Therefore must encrypt to ensure confidentiality – one-way (Server) SSL.

Page 26: WAS 70 Reality of SOA Security


WebSphere Configuration for BasicAuth Over HTTPS

Copy WSHTTPS default as BasicAuth-over-HTTPS. Remove the WS-Addressing policy.

Copy Client Sample Binding as BasicAuth-Over-HTTPS-Client. Remove JMS Transport and WS-* policies.

In HTTP Transport binding – set User name and Password.

In SSL Transport binding – choose the SSL Configuration that contains the Signer certificate of the SSL Server peer. Ignore the Props file.

Custom Property com.ibm.websphere.transport.ssl.loadFromPolicyBinding = true may be needed on copied bindings.

Page 27: WAS 70 Reality of SOA Security


DataPower Config for HTTP Header

Service
• XML Manager
− User Agent
− Basic-Auth Policy

XSLT:
<xsl:variable name="userAndPass" select="concat($user, ':', $pass)"/>
<xsl:variable name="base64UP" select="dp:encode($userAndPass, 'base-64')"/>
<!-- name and value are XPath expressions, so the literal header name is quoted -->
<dp:set-http-request-header name="'Authorization'" value="concat('Basic ', $base64UP)"/>

No native AAA Post-Processing support.

Page 28: WAS 70 Reality of SOA Security


HTTP SSL Client Authentication

After decryption, as above, without the Authorization header.

Q: Where does the identity come from? A: The client certificate used in the SSL handshake.

SSL Server must require a client certificate.

SSL Client must present a certificate. SSL Client must renew certificates before they expire. Can be a management problem.

See Hardening presentation r.e. mutual SSL vulnerability when using SSL-terminating proxies.

See Core Security presentation r.e. the “too-many-trusted-issuers” problem.

SSL Server must extract the identity from the presented certificate. Remember: end-user credentials cannot be propagated downstream of the SSL Server – the server does not have access to the end-user private key!

Page 29: WAS 70 Reality of SOA Security


Configuration

WebSphere SSL Client – SSL Config
• KeyStore
− Personal certificate (marked as client default certificate)
− Self-signed, Cell Root CA signed, or CA signed
• TrustStore
− Signer of SSL Server cert

DataPower SSL Configuration (screenshot only)

Page 30: WAS 70 Reality of SOA Security


WS-Security Message Examples - 1

UNT without message encryption/signing – i.e. use one-way SSL: < 800 bytes

<soapenv:Header>
  <s:Security xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              soapenv:mustUnderstand="1">
    <u:Timestamp>
      <u:Created>2011-01-12T16:31:27.312Z</u:Created>
    </u:Timestamp>
    <s:UsernameToken u:Id="unt_20">
      <s:Username>alice</s:Username>
      <s:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</s:Password>
      <u:Created>2011-01-12T16:31:27.421Z</u:Created>
      <s:Nonce>AYiP7s702hbKYh76kGKqLfWrTcwx7w9m+pJKdy0BPepmerh+MW4SJGfOzImR3A5MkUm43Ck6b+yl1Uw6P4D9BmNrcg8Y7LbyEJVHlV9+S+B8+ua757MDTGSVTb86GIi0uDAxFQMyZGsD3nvxuPi1bhuZgqh6HqEvAyO1skxH5fc=</s:Nonce>
    </s:UsernameToken>
  </s:Security>
</soapenv:Header>

UNT with message encryption/signing: > 8000 bytes – see next 3 charts

Page 31: WAS 70 Reality of SOA Security


UNT – with message level encryption – 1 of 3

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_21">
      <wsu:Created>2011-01-12T16:19:02.265Z</wsu:Created>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="x509bst_22"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">… removed</wsse:BinarySecurityToken>
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></enc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">QdZLf+KjrUg=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <enc:CipherData>

Page 32: WAS 70 Reality of SOA Security


UNT – with message level encryption – 2 of 3

        <enc:CipherValue>t/T6cO2BSljYKj7NMmgqSCRPi0AAnFQRSXcGjbryKmS7OThBT/eRMmNPLp5dfVPR5F1R1e0Bxk4dVWGdWX/9fuyLNniAyaTK6ALSRNKnRIQW3ckcrYu6mGF1QHHDDMWIpTjJnCDqyy9AJA7AZzPmXlSXsm3Mw5QCMw+lw+GOul0=</enc:CipherValue>
      </enc:CipherData>
      <enc:ReferenceList>
        <enc:DataReference URI="#wssecurity_encryption_id_23"></enc:DataReference>
        <enc:DataReference URI="#wssecurity_encryption_id_24"></enc:DataReference>
      </enc:ReferenceList>
    </enc:EncryptedKey>
    <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="wssecurity_encryption_id_23" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
      <enc:CipherData>
        <enc:CipherValue>… removed</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedData>
    <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="wssecurity_encryption_id_24" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
      <enc:CipherData>

Page 33: WAS 70 Reality of SOA Security


UNT – with message level encryption – 3 of 3

        <enc:CipherValue>… removed (several thousand bytes of base64 ciphertext)</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedData>
  </wsse:Security>
</soapenv:Header>

Page 34: WAS 70 Reality of SOA Security


WS-Sec UNT Policy Set and Client Binding

Policy set (screenshot only)

Client Binding (without Signing/Encryption!!)
General client policy set bindings > UNT-xxx-Client > WS-Security > Authentication and protection > gen_signunametoken > Callback handler
• Add User Name/Password
− Cannot use RunAs identity – since the client does not know the RunAs password!
• Optional
− com.ibm.wsspi.wssecurity.token.username.addNonce
− com.ibm.wsspi.wssecurity.token.username.addTimestamp
− com.ibm.wsspi.wssecurity.consumer.timestampRequired=false when the provider expects a timestamp, but the client does not.
• SSL Transport Binding – see earlier chart

Page 35: WAS 70 Reality of SOA Security


WS-Sec UNT Provider Binding

Provider Binding
General provider policy set bindings > UNT-Provider > WS-Security > Authentication and protection > con_unametoken > Callback handler
• Optional – verify Nonce/Timestamp settings
• SSL Transport Binding – see earlier chart

RunAs identity is not set by default!
General provider policy set bindings > UNT-Provider > WS-Security > Callers
• New Caller
• Caller identity local part:
− http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

Page 36: WAS 70 Reality of SOA Security


WS-Security Message Examples – X509 BST

X509 without message encryption/signing – i.e. use one-way SSL: > 1800 characters

Useful when “passwords are not secure enough”.

Policy Set
• Disable Message Level Protection
• Add Protection Token

Page 37: WAS 70 Reality of SOA Security


X509 BST Client Binding

Client (screenshot only)

Provider – remember the Caller
Keys and Certificates
• Delete Certificate Store
• Add a Trust Anchor – point to the centrally managed keystore
Authentication and Protection
• Add X509 Token Consumer
− Point to the Trusted Anchor Store in the callback handler

Page 38: WAS 70 Reality of SOA Security


LTPA Binary Security Token

(WAS) Policy creation similar to Username Token. Start with the LTPA WSSecurity Policy Set and Client/Provider bindings. Optionally remove message protection (Signing & Encryption).

LTPA Token Type

LTPA Token
• Namespace: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
• Local part/ValueType = LTPA
• Maps to DataPower’s AAA PP option of “WebSphere LTPA V2”

LTPA Propagation Token
• Namespace: http://www.ibm.com/websphere/appserver/tokentype
• Local part = /LTPA_PROPAGATION
• No corresponding DataPower AAA PP option

LTPA Token v2.0
• Namespace: http://www.ibm.com/websphere/appserver/tokentype
• Local Part/ValueType = LTPAv2
• Maps to DataPower AAA PP option of “WebSphere 7.0 Version 2”

Page 39: WAS 70 Reality of SOA Security


LTPA BST created by DataPower

AAA Post Processing – similar to LTPA Cookie:
• Generate an LTPA Token
• Select correct LTPA Token Version
• Expiry/Key File
• Wrap Token in a WS-Security Security Header = on

Unlike other AAA options:
• Only one WS-Sec or Cookie can be generated in one AAA action.
• No DP API for generation via XSL.

LTPA Tokens should contain uniqueID, not userid. Certain AAA token transformations require custom user mapping.
• E.g. Kerberos/SPNEGO in, LTPA out.
• Note: any LDAP password authentication converts the identity to uniqueID.
• See http://www-01.ibm.com/support/docview.wss?uid=swg21446677

Page 40: WAS 70 Reality of SOA Security


LTPA BST created by DataPower - Timestamp

Prior to 7.0.0.13 (APAR PM16014) the LTPA BST did not need a Timestamp. DataPower does not add one by default. WAS 7.0.0.13 now enforces the Timestamp for policies with these options. Providers will stop accepting tokens from DataPower.

See http://www-01.ibm.com/support/docview.wss?uid=swg21453755


Page 42: WAS 70 Reality of SOA Security


Use Cases – End-user Identity to IBM/WAS

HTTP Transport
• SSL Client Auth of the system connection (for trust) + HTTP UserHeader end-user identity (WAS 7.0.0.7 Provider)
− Client – small amount of application code.
− Provider requires a JEE security constraint.
− Requires custom code/TAI to securely implement – ISSW has one.
− (Can be used for REST applications.)

Mixed Mode Identity Assertion – LtpaToken2 cookie (for trust) (speculation)
• UNT without password
• LtpaToken BST (ESB must share LTPA key and realm)

Message Level Identity Assertion – two tokens (some variants are speculation)
• System token for trust: UNT with password, LTPA BST, X509 BST, Kerberos BST, SAML BST
• End-user token: UNT without password, LTPA BST

Message Level Identity Assertion – one token
• Self-issued SAML Assertion (BST) from ESB – X509 signature validates the SAML assertion.

Prefer black options. LTPA is IBM only. SAML & Kerberos raise interop issues.

Page 43: WAS 70 Reality of SOA Security


ISSW SecureIDPropagationTAI Example

DataPower:
<!-- name and value are XPath expressions, so both literals are quoted -->
<dp:set-http-request-header name="'ASSERT_USER'" value="'alice'"/>

WAS Config: requires a JEE security constraint; client SSL authentication required.

Unless the direct SSL certificate properties match the expected values, the TAI ignores the asserted user header.

(Figure: Consumer → DataPower XI50 → WAS 7; the DataPower client certificate is CN=ESB-DataPower,OU=.., SerialNum=776716551, Issuer=CN=Corp-Intermed-CA; the request carries the header ASSERT_USER: alice.)

TAI Props:
trustedDirectSubjectDN=CN=ESB-DataPower,...
trustedDirectSerial=776716551
trustedDirectIssuerDN=CN=Corp-Intermed-CA,...
userHeader=ASSERT_USER
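As an added illustration (not ISSW's TAI or any WebSphere code), here is the trust decision the chart describes: the asserted-user header is honoured only when the direct SSL client certificate matches the configured subject DN, serial number and issuer DN. The helper names are hypothetical, and the OU/O parts of the DNs are constructed; only CN and serial come from the chart.

```python
"""Model of the trust decision on the SecureIDPropagationTAI chart (added example)."""
import re
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class ClientCert:
    """Attributes of the certificate presented in the SSL handshake."""
    subject_dn: str
    serial: str
    issuer_dn: str


@dataclass(frozen=True)
class TaiProps:
    """Mirrors the TAI Props on the chart."""
    trusted_direct_subject_dn: str
    trusted_direct_serial: str
    trusted_direct_issuer_dn: str
    user_header: str = "ASSERT_USER"


def norm_dn(dn: str) -> str:
    """Canonicalise a DN enough for comparison: trim spaces around RDNs and
    case-fold the attribute types (CN= vs cn=), keeping the values as given."""
    parts = []
    for rdn in dn.split(","):
        typ, sep, val = rdn.strip().partition("=")
        parts.append(typ.upper() + sep + val.strip())
    return ",".join(parts)


# An asserted userid must be one plain token: no CR/LF, no blanks, bounded length.
USERID_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def asserted_user(cert: Optional[ClientCert], headers: Mapping[str, str],
                  props: TaiProps) -> Optional[str]:
    """Return the userid to assert, or None when the header must be ignored
    (the caller then falls back to normal authentication)."""
    if cert is None:
        return None  # no client SSL authentication: never trust the header
    # Serial numbers are compared as strings here; real code must first agree
    # on one representation (decimal vs hex) for both sides.
    if (norm_dn(cert.subject_dn) != norm_dn(props.trusted_direct_subject_dn)
            or cert.serial != props.trusted_direct_serial
            or norm_dn(cert.issuer_dn) != norm_dn(props.trusted_direct_issuer_dn)):
        return None  # peer is not the ESB: ignore ASSERT_USER
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == props.user_header.lower()), None)
    if value is None or not USERID_RE.fullmatch(value):
        return None
    return value


# Constructed sample values shaped like the chart (OU and O are made up here).
ESB_PROPS = TaiProps(
    trusted_direct_subject_dn="CN=ESB-DataPower,OU=Integration,O=Example",
    trusted_direct_serial="776716551",
    trusted_direct_issuer_dn="CN=Corp-Intermed-CA,O=Example",
)
ESB_CERT = ClientCert("CN=ESB-DataPower, OU=Integration, O=Example", "776716551",
                      "CN=Corp-Intermed-CA, O=Example")

if __name__ == "__main__":
    print(asserted_user(ESB_CERT, {"ASSERT_USER": "alice"}, ESB_PROPS))  # alice
    print(asserted_user(None, {"ASSERT_USER": "alice"}, ESB_PROPS))      # None
```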

Page 44: WAS 70 Reality of SOA Security


LTPA Cookie + LTPA BST

Two AAA actions:
• The first sets an LTPA BST containing the end-user identity.
• The second sets an LTPA Cookie with the system identity.

(Figure: policy rule steps)
• Original AAA action – includes a Post-Process step to flow the end-user identity.
• Timestamp.xsl – needed when the previous step's Post-Process generates an LTPA Token binary WS-Security header.
• Generate LtpaToken2 HTTP Cookie with the DataPower system identity.

Page 45: WAS 70 Reality of SOA Security


Two UNT example

Policy set: Simple – Two UNTs

Example message:
<s:Security xmlns:s="http://... " xmlns:u="http://..." soapenv:mustUnderstand="1">
  <s:UsernameToken u:Id="unt_21"> <!-- Trust identity -->
    <s:Username>ClientCellServerIdentity</s:Username>
    <s:Password Type="http://... 1.0#PasswordText">serverPass</s:Password>
  </s:UsernameToken>
  <s:UsernameToken u:Id="unt_20"> <!-- End user identity. Notes: (1) no password; (2) optional TrustedRealm form userid:realm:UniqueID -->
    <s:Username>defaultWIMFileBasedRealm/alice:realm:defaultWIMFileBasedRealm/uid=alice,o=defaultWIMFileBasedRealm</s:Username>
  </s:UsernameToken>
</s:Security>

Page 46: WAS 70 Reality of SOA Security


Two UNT Bindings - Client

Must use application-specific client bindings. Not reusable across applications.
• Select the things you want to configure.
• Press Apply to get access to the Callback configuration.

Different binding info for each token – details in the Callback handler for the token:
• trustedIdentity – a normal UNT with Basic Auth username and password
• AssertedIdentity – identify it as an assertion token. Identity to send:
− Fixed identity value
− Basic Auth username, but no password
− Or current runAs identity

Page 47: WAS 70 Reality of SOA Security


Two UNT Bindings Example - Client - 1

Application Specific Binding > WS-Security > Authentication and Protection (screenshot only)

Page 48: WAS 70 Reality of SOA Security


Two UNT Bindings Example - Client - 2

Page 49: WAS 70 Reality of SOA Security


Two UNT Bindings – Provider

Also needs an application-specific provider binding. Configure Authentication and protection similar to the Client.

trustedIdentity
• Nothing special needed.

AssertedIdentity
• Set com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed=true
• Optional – trustedRealm – see later chart

Configure Caller part
• Set both “Caller identity local part” and “Trusted identity local part” to
− http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
• Use identity assertion
• Callback Handler: com.ibm.ws.wssecurity.impl.auth.callback.TrustedIdentityCallbackHandler
− trustedID_0 (etc.) – list the userids or DNs that are trusted.

Page 50: WAS 70 Reality of SOA Security


Two UNT Bindings Example – Provider

Page 51: WAS 70 Reality of SOA Security


TrustedRealm option
  Interpret as “Realm Matters”
  Replaces confusing 6.1 “sendRealm” option – required custom Login Module to process token.
  Client binding – how token string is created.
  Provider binding – how Subject is built
  See “WebSphere Application Server V7 Security : New Features” – Security Domains
  r.e. “All Authenticated In Trusted Realm” special security binding.

Client binding trustedRealm=true – Token contents <s:Username>myRealm/alice:realm:myRealm/uid=alice,o=IBM</s:Username>
  • Provider binding trustedRealm=true – Subject built using userid and uniqueID in token. No lookup in registry – no group membership.
  • Provider binding trustedRealm=false – Exception
Client binding trustedRealm=false – Token contents <s:Username>alice</s:Username>
  • Provider binding trustedRealm=true – Exception
  • Provider binding trustedRealm=false – Subject built based on provider Registry
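The four cells of the table above, as an added Python example rather than anything from the WebSphere runtime: the Username string is classified as plain or realm-qualified, mismatched client/provider trustedRealm settings raise (the “Exception” cells), a realm-qualified token builds a Subject with no registry lookup and therefore no groups, and a plain token is resolved against the registry. The layout of the realm-qualified string is inferred from the single sample value on the chart and is an assumption, as is the stand-in registry.

```python
import re

# Constructed stand-in for the provider's registry: userid -> (uniqueId, group memberships)
REGISTRY = {"alice": ("uid=alice,o=IBM", ["Temp-Contractors-Tier2"])}

# Realm-qualified Username layout inferred from the chart's sample (assumption):
#   <realm>/<userid>:realm:<realm>/<uniqueId>
REALM_QUALIFIED = re.compile(r"^([^/]+)/([^:]+):realm:([^/]+)/(.+)$")


def parse_username(username):
    """Split the UNT Username string into its parts.

    Returns {"userid": ...} for a plain name, or {"realm", "userid", "uniqueId"} for the
    realm-qualified form sent when the client binding has trustedRealm=true."""
    m = REALM_QUALIFIED.match(username)
    if m is None:
        return {"userid": username}
    realm, userid, realm2, unique_id = m.groups()
    if realm != realm2:
        raise ValueError("realm prefixes inside the token disagree")
    return {"realm": realm, "userid": userid, "uniqueId": unique_id}


def build_subject(username, provider_trusted_realm, registry=REGISTRY):
    """Apply the chart's 2x2 table of client/provider trustedRealm settings."""
    parsed = parse_username(username)
    realm_qualified = "realm" in parsed
    if realm_qualified != provider_trusted_realm:
        # The two "Exception" cells: token shape and provider expectation disagree.
        raise ValueError("client and provider trustedRealm settings do not match")
    if realm_qualified:
        # Subject from the token alone: no registry lookup, so no group membership.
        return {"securityName": parsed["userid"], "uniqueId": parsed["uniqueId"],
                "realm": parsed["realm"], "groups": []}
    if parsed["userid"] not in registry:
        raise PermissionError(f"{parsed['userid']!r} not found in provider registry")
    unique_id, groups = registry[parsed["userid"]]
    return {"securityName": parsed["userid"], "uniqueId": unique_id, "groups": list(groups)}
```

The empty groups list in the realm-qualified case is the practical consequence of “no lookup in registry”: any role mapping that relies on group membership will not match such a Subject.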

Page 52: WAS 70 Reality of SOA Security


Agenda

Setting the Stage
Authentication Options through the Bus
  System Identity to Provider
    Transport Based
    WS-Security Based
  End-User Identity to Provider to WebSphere
    Transport Based
    WS-Security Based
  End-User Identity to Provider to Non-WebSphere
    WS-Security SAML Profile
Fine Grain Authorization options on the Bus

Page 53: WAS 70 Reality of SOA Security


Use Cases – End-user Identity to non-IBM/WAS

What can Provider support? What does provider require?

Examples (depends on provider environment):
  Possible Mixed Mode Identity Assertion – SPNEGO Authorization (for trust)
  • UNT without password
  • X509 BST
  Possible Message Level Identity Assertion – Two tokens
  • System Token for trust
    − UNT with Password, X509 BST, Kerberos BST, SAML BST
  • End-user token
    − UNT without Password
  Message Level Identity Assertion – One token
  • Self-Issued SAML Assertion (BST) from ESB
  • STS-Issued SAML Assertion (BST)

Page 54: WAS 70 Reality of SOA Security


What else does SAML enable?

In addition to Interop with external providers:
  Ephemeral userids.
  Fine-grain authorization models.

Page 55: WAS 70 Reality of SOA Security


SAML Use Cases – End-user Identity plus Group Membership

WAS 7.0.0.7 or later builds Subject from SAML attributes
  SAML does not specify a standard attribute for group membership
  You can specify what attribute to use: “groupMName_<n>”
  • Otherwise, WAS looks for "group", "groups", "memberof", "membership", "groupmembership", "members", "groupid", "role", or "roles".

Can allow assertion of ephemeral users. E.g. WAS needs SecurityName, UniqueID, and Group info

How?
  STS could assert group info.
  WAS SAML Client application code.

Warning: Tight linkage of SAML token creation and Provider authorization
  Just because SAML asserts “role=foo”, it is only meaningful if group “foo” exists!

Page 56: WAS 70 Reality of SOA Security


Agenda

Setting the Stage
Authentication Options through the Bus
  System Identity to Provider
    Transport Based
    WS-Security Based
  End-User Identity to Provider to WebSphere
    Transport Based
    WS-Security Based
  End-User Identity to Provider to Non-WebSphere
    WS-Security SAML Profile
Fine Grain Authorization options on the Bus

Page 57: WAS 70 Reality of SOA Security


Sample SAML assertion of Groups + Business Data

Ephemeral user assertion of “alice”
  A member of “Temp-Contractors-Tier2” (exists in WAS registry)
  Also a member of “Non-WAS-Group” (a non-WAS-registry group)
  Business info about “alice”
    Phone
    State
    Transfer-Authorization Limit

<saml2:Subject>
  <saml2:NameID NameQualifier="forest.ibm.net:389">alice</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml2:SubjectConfirmation>
</saml2:Subject>
…
<saml2:AttributeStatement>
  <saml2:Attribute Name="Membership">
    <saml2:AttributeValue>CN=Temp-Contractors-Tier2, OU=Groups,dc=ibm,dc=net</saml2:AttributeValue>
    <saml2:AttributeValue>Non-WAS-Group</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:Phone">
    <saml2:AttributeValue>414-555-1212</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:State">
    <saml2:AttributeValue>NV</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:TA-Limit" NameFormat="http://www.w3.org/2001/XMLSchema#integer">
    <saml2:AttributeValue>100000</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
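The group-attribute lookup from the “End-user Identity plus Group Membership” chart, run over the sample assertion above, as an added Python example (not the WAS SAML login module): an explicitly configured attribute name wins, otherwise the default names the chart lists are searched. Each asserted value is then split into groups that exist in the registry and values that do not, which is exactly the “role=foo is only meaningful if group foo exists” warning made visible. The Assertion wrapper, the case-insensitive name match and the stand-in registry group list are assumptions.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Default attribute names searched when no group attribute is configured (from the chart).
DEFAULT_GROUP_ATTRS = ("group", "groups", "memberof", "membership",
                       "groupmembership", "members", "groupid", "role", "roles")

# The chart's Subject and AttributeStatement, wrapped in an Assertion element so it parses (constructed wrapper).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID NameQualifier="forest.ibm.net:389">alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Membership">
      <saml2:AttributeValue>CN=Temp-Contractors-Tier2, OU=Groups,dc=ibm,dc=net</saml2:AttributeValue>
      <saml2:AttributeValue>Non-WAS-Group</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:test:Phone"><saml2:AttributeValue>414-555-1212</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="urn:test:State"><saml2:AttributeValue>NV</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="urn:test:TA-Limit" NameFormat="http://www.w3.org/2001/XMLSchema#integer">
      <saml2:AttributeValue>100000</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed stand-in for the groups that exist in the WAS registry.
REGISTRY_GROUPS = {"CN=Temp-Contractors-Tier2, OU=Groups,dc=ibm,dc=net"}


def attributes(assertion_xml):
    """Map every Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return out


def group_values(attrs, configured_name=None):
    """Configured attribute first; otherwise the first attribute whose name is in the default list
    (case-insensitive match is an assumption)."""
    if configured_name is not None:
        return list(attrs.get(configured_name, []))
    for name, values in attrs.items():
        if name.lower() in DEFAULT_GROUP_ATTRS:
            return list(values)
    return []


def subject_from_saml(assertion_xml, configured_name=None, registry_groups=REGISTRY_GROUPS):
    """Build a Subject-like dict: securityName from NameID, groups split by registry existence."""
    root = ET.fromstring(assertion_xml)
    name = root.findtext(".//saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = attributes(assertion_xml)
    asserted = group_values(attrs, configured_name)
    return {
        "securityName": name,
        "groups": [g for g in asserted if g in registry_groups],
        "unmappedGroups": [g for g in asserted if g not in registry_groups],
        "attributes": attrs,
    }
```

Anything that lands in unmappedGroups is a group the token asserts but no role mapping on the provider can ever reference; when that list is non-empty in practice, the STS configuration and the provider's authorization model have drifted apart.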

Page 58: WAS 70 Reality of SOA Security


Use Cases – End-user Identity plus Business Info

SAML + XACML allows fine-grained Authorization

An XACML
  Policy Enforcement Point – invokes PDP, abides by decision
  Policy Decision Point – Permit/Deny response

DataPower has on-box PDP (Option 1)
Tivoli Security Policy Manager
  Runtime Security Server
DataPower and off-box TSPM RTSS (Option 2)
WebSphere and on-box TSPM authorization engine (Option 3)
WebSphere and off-box TSPM RTSS (Option 4)

Page 59: WAS 70 Reality of SOA Security


Agenda - Recap

Setting the Stage
Authentication Options through the Bus
  System Identity to Provider
    Transport Based
    WS-Security Based
  End-User Identity to Provider to WebSphere
    Transport Based
    WS-Security Based
  End-User Identity to Provider to Non-WebSphere
    WS-Security SAML Profile
Fine Grain Authorization options on the Bus

Page 60: WAS 70 Reality of SOA Security


Futures

Nothing here is an IBM Commitment

Page 61: WAS 70 Reality of SOA Security


References

TODO: Update with lots of other links.

Security material, including presentations, papers, and books
Where
  • IBM internal – http://pokgsa.ibm.com/~keys/
  • Public – http://www.keysbotzum.com

Page 62: WAS 70 Reality of SOA Security


Materials may not be reproduced in whole or in part without the prior written permission of IBM

© Copyright IBM Corporation 2004-2011. All rights reserved.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Page 63: WAS 70 Reality of SOA Security


Additional Charts

Background material

Page 64: WAS 70 Reality of SOA Security


Thoughts on WS-Security SAML

SAML 1.1 Bearer > 3700 bytes
Note that SAML Bearer tokens are signed by WAS runtime

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Created>2011-01-12T21:32:34.656Z</wsu:Created>
    </wsu:Timestamp>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
        AssertionID="_575214B7132267E9451294867956850" Issuer="Intra2" IssueInstant="2011-01-12T21:32:34.718Z">
      <saml:Conditions NotBefore="2011-01-12T21:32:34.718Z" NotOnOrAfter="2011-01-12T22:32:34.718Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>http://localhost:80/WSSampleSei/PingService</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier>alice</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AttributeStatement>

Page 65: WAS 70 Reality of SOA Security


SAML 1.1 Bearer Token – 2 of 2

      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#_575214B7132267E9451294867956850">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>0JESX/C/lgc84MLbm1eYNWCephU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ZPE+NNlIXDPdPR8aDaIkje3hjOKraB20wLBSRKa7O+2cS+4B6wt3ZdnbKScJOzpdgzAXHr5k456s3YVYpB8LZm8f5YcR/vO58VqbcB8N8JqQoj8ORAITTzJL6MGHEJKf7AQXUE5q/g4MrDjgXqs8LAJkf5WnfJ4Xl++WqolZnOU=</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>…</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </wsse:Security>
</soapenv:Header>
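What a consumer of the bearer assertion above has to look at besides the signature, as an added Python example (not the WAS runtime's own validation, which the chart does not spell out): issuer, the NotBefore/NotOnOrAfter window, the AudienceRestrictionCondition and the confirmation method, all taken from the fields visible in the sample. The example assumes the enveloped signature has already been verified by the runtime; the assertion text is the chart's sample re-wrapped as a standalone element, and the trusted-issuer set is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# The chart's assertion (signature removed) as a standalone element; constructed wrapper.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_575214B7132267E9451294867956850" Issuer="Intra2" IssueInstant="2011-01-12T21:32:34.718Z">
  <saml:Conditions NotBefore="2011-01-12T21:32:34.718Z" NotOnOrAfter="2011-01-12T22:32:34.718Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://localhost:80/WSSampleSei/PingService</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """SAML timestamps in the sample are UTC with millisecond precision and a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, expected_audience, trusted_issuers):
    """Return the list of failed checks; an empty list means the assertion is acceptable.
    Signature verification is assumed to have happened before this is called."""
    root = ET.fromstring(assertion_xml)
    failures = []
    if root.get("Issuer") not in trusted_issuers:
        failures.append("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_utc(not_before):
            failures.append("not yet valid")
        if not_on_or_after and now >= parse_utc(not_on_or_after):
            failures.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            failures.append("audience mismatch")
    method = root.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS)
    if method != BEARER:
        failures.append("unexpected confirmation method")
    return failures
```

The audience check is the one most often skipped: a bearer assertion minted for PingService that is accepted by every other service behind the bus is effectively a one-hour password for alice.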

Page 66: WAS 70 Reality of SOA Security


Simple PDP Example

SAML assertion contains following business data:
<saml2:AttributeStatement>
  <saml2:Attribute Name="urn:test:MaximumStringLength" NameFormat="http://www.w3.org/2001/XMLSchema#integer">
    <saml2:AttributeValue>6</saml2:AttributeValue> <!-- This user can echo up to 6 characters -->
  </saml2:Attribute>
</saml2:AttributeStatement>

XACML Policy contains (Permit if MaximumStringLength > echoLength):
<Rule RuleId="urn:rule:EchoLength" Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#integer" AttributeId="urn:test:MaximumStringLength"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#integer" AttributeId="urn:test:EchoLength"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
<Rule RuleId="urn:rule:EchoTooLong" Effect="Deny"/>

Page 67: WAS 70 Reality of SOA Security


XACML Request message

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:test:MaximumStringLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>6</AttributeValue> <!-- from the assertion -->
    </Attribute>
    <Attribute AttributeId="urn:test:EchoLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>2</AttributeValue> <!-- calculated by Xform based on payload -->
    </Attribute>
  </Subject>
  <Resource/>
  <Action/>
  <Environment/>
</Request>

Page 68: WAS 70 Reality of SOA Security


createXACMLReq.xsl snippets
Based on store:///aaa-xacml-binding-sample.xsl

Emit EchoLength
<xsl:variable name="echoStringLength" select="string-length(/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='echoStringInput']/*[local-name()='echoInput'])"/>
<xacml-context:Attribute AttributeId="urn:test:EchoLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
  <xacml-context:AttributeValue><xsl:value-of select="$echoStringLength"/></xacml-context:AttributeValue>
</xacml-context:Attribute>

Emit subject-ID
<xsl:when test="$au-method = 'saml'">
  <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <xacml-context:AttributeValue><xsl:value-of select="$au-credential"/></xacml-context:AttributeValue>
  </xacml-context:Attribute>
</xsl:when>

Emit SAML Asserted values
<xsl:for-each select="./assertion//*[local-name()='Attribute']">
  <xsl:variable name="name" select="@Name"/>
  <xsl:variable name="name-format" select="@NameFormat"/>
  <xsl:variable name="value" select="./*[local-name()='AttributeValue']"/>
  <xacml-context:Attribute>
    <xsl:attribute name="AttributeId"><xsl:value-of select="$name"/></xsl:attribute>
    <xsl:attribute name="DataType"><xsl:value-of select="$name-format"/></xsl:attribute>
    <xacml-context:AttributeValue><xsl:value-of select="$value"/></xacml-context:AttributeValue>
  </xacml-context:Attribute>
</xsl:for-each>
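The whole PEP-to-PDP round trip of the Simple PDP Example, as an added Python example that covers the three charts above (the SAML attribute, the XACML policy, the request message and the createXACMLReq.xsl snippets); it is not DataPower or TSPM code. It computes EchoLength from the SOAP body the same way the echoStringLength variable does, builds the XACML 2.0 context Request the chart shows, and evaluates the two rules first-applicable: integer-greater-than(MaximumStringLength, EchoLength) permits, otherwise urn:rule:EchoTooLong denies. The SOAP request, the echo namespace and the treatment of a missing attribute as Indeterminate are assumptions.

```python
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
XS_STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed SOAP request to the echo service the charts use (namespace is an assumption).
SOAP_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <echoStringInput xmlns="urn:test:echo"><echoInput>hi</echoInput></echoStringInput>
  </soapenv:Body>
</soapenv:Envelope>"""

# Business data as the PEP takes it from the SAML assertion: AttributeId -> (value, DataType).
SAML_ATTRS = {"urn:test:MaximumStringLength": ("6", XS_INT)}


def echo_length(soap_xml):
    """Same computation as the XSL variable echoStringLength: length of Body/echoStringInput/echoInput."""
    root = ET.fromstring(soap_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == "echoInput":
            return len(el.text or "")
    return 0


def build_request(subject_id, soap_xml, saml_attrs):
    """Build the XACML 2.0 context Request shown on the chart (what createXACMLReq.xsl emits)."""
    ET.register_namespace("xacml-context", XACML_CTX)
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")

    def attr(attribute_id, data_type, value):
        a = ET.SubElement(subj, f"{{{XACML_CTX}}}Attribute", AttributeId=attribute_id, DataType=data_type)
        ET.SubElement(a, f"{{{XACML_CTX}}}AttributeValue").text = value

    attr(SUBJECT_ID, XS_STR, subject_id)                      # "Emit subject-ID"
    for attribute_id, (value, data_type) in saml_attrs.items():  # "Emit SAML Asserted values"
        attr(attribute_id, data_type, value)
    attr("urn:test:EchoLength", XS_INT, str(echo_length(soap_xml)))  # "Emit EchoLength"
    for tag in ("Resource", "Action", "Environment"):
        ET.SubElement(req, f"{{{XACML_CTX}}}{tag}")
    return ET.tostring(req, encoding="unicode")


def subject_attribute(request_xml, attribute_id):
    """*-one-and-only semantics: exactly one value, otherwise the designator is an error."""
    root = ET.fromstring(request_xml)
    values = [a.findtext(f"{{{XACML_CTX}}}AttributeValue")
              for a in root.iter(f"{{{XACML_CTX}}}Attribute") if a.get("AttributeId") == attribute_id]
    if len(values) != 1:
        raise ValueError(f"{attribute_id}: expected exactly one value, got {len(values)}")
    return values[0]


def decide(request_xml):
    """Evaluate the chart's two rules, first-applicable.
    A missing or non-integer attribute is reported as Indeterminate (simplification, assumption)."""
    try:
        max_len = int(subject_attribute(request_xml, "urn:test:MaximumStringLength"))
        echo = int(subject_attribute(request_xml, "urn:test:EchoLength"))
    except ValueError:
        return "Indeterminate"
    if max_len > echo:          # urn:rule:EchoLength, Effect="Permit"
        return "Permit"
    return "Deny"               # urn:rule:EchoTooLong, Effect="Deny"
```

Note that the decision is only as trustworthy as the inputs: MaximumStringLength is taken from a signed assertion, but EchoLength is computed by the PEP from the payload, so the transform that computes it is part of the authorization boundary.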


Recommended