Identity patterns and anit-patterns in real world web services

•

3 j'aime•1,786 vues

The document discusses various identity and security patterns for web services, including direct authentication, brokered authentication, data origin authentication, trusted subsystem, and message interceptor gateway patterns. It describes problems that each pattern addresses, such as unauthenticated access, delegating authentication to external users, message manipulation, controlling downstream access, and centralized security enforcement. Implementation examples including WS-Security, WS-Trust, and open standards are also provided.

Technologie

Identity patterns & anti-patterns
in real world web services

~ By Prabath Siriwardena, WSO2

Transport Level Security
Vs
Message Level Security

<wsse:UsernameToken wsu:Id="Example-1">
<wsse:Username> ... </wsse:Username>
<wsse:Password Type="..."> ... </wsse:Password>
<wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
<wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>

Direct Authentication Pattern

Problem :

How to avoid anonymous users accessing a web
service

Direct Authentication Pattern

Solution :

The web service acts as an authentication
service to validate credentials from the
client.

Direct Authentication Pattern

Implementation(s) :

UsernameToken with WSSE
BasicAuth with TLS

Exception Shielding Pattern

Problem :

Exception data output by a service
containing implementation details could
compromise the security of the service

Exception Shielding Pattern

Solution :

Potentially unsafe exception data is
"sanitized" by replacing it with exception
data that is safe by design before it is
made available to consumers

Direct Authentication
needs us to maintain user
credentials internally

We don’t have the
credential of external
users

Direct Authentication
doesn’t solve our problem

Can’t we delegate
Authentication to the
External Domain itself

Brokered Authentication Pattern

Problem :

How to avoid anonymous users accessing a web
service and give access to users outside our
domain, where we don’t have the users’
credentials to validate

Brokered Authentication Pattern

Solution :

Delegate authentication to a third party who
knows to validate user credentials and the
service trusts the assertions provided by
that particular third party

Brokered Authentication Pattern

Implementation(s) :

WS-Trust
OpenID, Information Cards, OAuth

How do we know the legitimacy
of the third party
Security Token Service ?

Data Origin Authentication Pattern

Problem :

How do we prevent an attacker from
manipulating messages in transit between a
client and a web service.

Data Origin Authentication Pattern

Solution :

Validate message integrity and non-
repudiation with message signature

Our services access downstream
resources with the
authenticated user’s credentials

This could bring security risks –
and make down stream resources
vulnerable to attacks

How about controlling user
access to the down stream resources

Service acts as the client –
with service’s credentials

Trusted Sub System Pattern

Problem :

A consumer that accesses backend resources
of a service directly can compromise the
integrity of the resources and can further
lead to undesirable form of implementation
coupling.

Trusted Sub System Pattern

Solution :

The service is designed to use it’s own
credentials for authentication and
authorization with backend resources on
behalf of the consumers

Message Interceptor Gateway Pattern

Problem :

Different services deployed could have
different security policies and a security
vulnerability of the weakest service could
be exploited to create loop holes in entire
system.

Message Interceptor Gateway Pattern

Solution :

Provides a single entry point and allows
centralization of security enforcement for
incoming and outgoing messages.

http://blog.facileLogin.com
http://RampartFAQ.com
prabath@apache.org
prabath@wso2.com

Recommandé

NYMBLE BLOCKINGVatsalya Eranky

PresentazDavide Gimondo

Presenta zcondemoDavide Gimondo

Building a new feature with microservice while moving away from monolithic ap...Adrien Vaschalde

Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar

Design and Implementation of an IP based authentication mechanism for Open So...WilliamJohn41

Session management Dhruv Aggarwal

Presentation on third party authentication, virtual private networking (vpn),...Sushil Subedi

Recommandé

NYMBLE BLOCKINGVatsalya Eranky

PresentazDavide Gimondo

Presenta zcondemoDavide Gimondo

Building a new feature with microservice while moving away from monolithic ap...Adrien Vaschalde

Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar

Design and Implementation of an IP based authentication mechanism for Open So...WilliamJohn41

Session management Dhruv Aggarwal

Presentation on third party authentication, virtual private networking (vpn),...Sushil Subedi

Web services security_in_wse_3_pptHarshavardhan Achrekar

Authentication ModelsRaj Chanchal

Module 13 (web based password cracking techniques)Wail Hassan

E-Business security Surendhranatha Reddy

Security analysis of a single sign on mechanism for distributed computer netw...JPINFOTECH JAYAPRAKASH

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin2

Security analysis of a single sign on mechanism for distributed computer netw...IEEEFINALYEARPROJECTS

JAVA 2013 IEEE NETWORKSECURITY PROJECT Security analysis of a single sign on ...IEEEGLOBALSOFTTECHNOLOGIES

AbedElilahElmahmoumP1.pptxAbedElElahElMHMOOM

What is Advanced Web Servicels.pdfAngelicaPantaleon3

Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Amazon Web Services

Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy

PresentationLaxman Kumar

encryption pptShiva Shiva

How to Find and Fix Broken Authentication VulnerabilityAshKhan85

Web Application Security Tipstcellsn

Mutual Authentication For Wireless Communicationmanish kumar

Vinod Rebelloprensacespi

6.designing secure and efficient biometric based secure access mechanism for ...Venkat Projects

Microservices Security LandscapePrabath Siriwardena

Cloud Native Identity with SPIFFEPrabath Siriwardena

Contenu connexe

Similaire à Identity patterns and anit-patterns in real world web services

Web services security_in_wse_3_pptHarshavardhan Achrekar

Authentication ModelsRaj Chanchal

Module 13 (web based password cracking techniques)Wail Hassan

E-Business security Surendhranatha Reddy

Security analysis of a single sign on mechanism for distributed computer netw...JPINFOTECH JAYAPRAKASH

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin2

Security analysis of a single sign on mechanism for distributed computer netw...IEEEFINALYEARPROJECTS

JAVA 2013 IEEE NETWORKSECURITY PROJECT Security analysis of a single sign on ...IEEEGLOBALSOFTTECHNOLOGIES

AbedElilahElmahmoumP1.pptxAbedElElahElMHMOOM

What is Advanced Web Servicels.pdfAngelicaPantaleon3

Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Amazon Web Services

Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy

PresentationLaxman Kumar

encryption pptShiva Shiva

How to Find and Fix Broken Authentication VulnerabilityAshKhan85

Web Application Security Tipstcellsn

Mutual Authentication For Wireless Communicationmanish kumar

Vinod Rebelloprensacespi

6.designing secure and efficient biometric based secure access mechanism for ...Venkat Projects

Similaire à Identity patterns and anit-patterns in real world web services (20)

Web services security_in_wse_3_ppt

Authentication Models

Module 13 (web based password cracking techniques)

E-Business security

Security analysis of a single sign on mechanism for distributed computer netw...

Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...

Security analysis of a single sign on mechanism for distributed computer netw...

JAVA 2013 IEEE NETWORKSECURITY PROJECT Security analysis of a single sign on ...

AbedElilahElmahmoumP1.pptx

What is Advanced Web Servicels.pdf

Managing Identity and Securing Your Mobile and Web Applications with Amazon C...

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Presentation

encryption ppt

How to Find and Fix Broken Authentication Vulnerability

Web Application Security Tips

Mutual Authentication For Wireless Communication

Vinod Rebello

6.designing secure and efficient biometric based secure access mechanism for ...

Plus de Prabath Siriwardena

Microservices Security LandscapePrabath Siriwardena

Cloud Native Identity with SPIFFEPrabath Siriwardena

API Security Best Practices & GuidelinesPrabath Siriwardena

Identity is Eating the World!Prabath Siriwardena

Microservices Security LandscapePrabath Siriwardena

OAuth 2.0 Threat LandscapePrabath Siriwardena

GDPR for Identity ArchitectsPrabath Siriwardena

Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena

OAuth 2.0 Threat LandscapesPrabath Siriwardena

OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena

Identity Management for Web Application DevelopersPrabath Siriwardena

API Security Best Practices & GuidelinesPrabath Siriwardena

Open Standards in Identity ManagementPrabath Siriwardena

Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena

API Security : Patterns and PracticesPrabath Siriwardena

Best Practices in Building an API Security EcosystemPrabath Siriwardena

Connected Identity : The Role of the Identity BusPrabath Siriwardena

Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena

The Evolution of Internet IdentityPrabath Siriwardena

Next-Gen Apps with IoT and CloudPrabath Siriwardena

Plus de Prabath Siriwardena (20)

Microservices Security Landscape

Cloud Native Identity with SPIFFE

API Security Best Practices & Guidelines

Identity is Eating the World!

Microservices Security Landscape

OAuth 2.0 Threat Landscape

GDPR for Identity Architects

Blockchain-based Solutions for Identity & Access Management

OAuth 2.0 Threat Landscapes

OAuth 2.0 for Web and Native (Mobile) App Developers

Identity Management for Web Application Developers

API Security Best Practices & Guidelines

Open Standards in Identity Management

Securing Single-Page Applications with OAuth 2.0

API Security : Patterns and Practices

Best Practices in Building an API Security Ecosystem

Connected Identity : The Role of the Identity Bus

Connected Identity : Benefits, Risks & Challenges

The Evolution of Internet Identity

Next-Gen Apps with IoT and Cloud

Dernier

What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe

Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays

Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro

unit 4 immunoblotting technique complete.pptxBkGupta21

Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB

Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3

The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech

Advanced Computer Architecture – An IntroductionDilum Bandara

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

From Family Reminiscence to Scholarly Archive .Alan Dix

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Gen AI in Business - Global Trends Report 2024.pdfAddepto

Dernier (20)

What is DBT - The Ultimate Data Build Tool.pdf

SIP trunking in Janus @ Kamailio World 2024

How AI, OpenAI, and ChatGPT impact business and software.

Are Multi-Cloud and Serverless Good or Bad?

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack

Unraveling Multimodality with Large Language Models.pdf

unit 4 immunoblotting technique complete.pptx

Developer Data Modeling Mistakes: From Postgres to NoSQL

Moving Beyond Passwords: FIDO Paris Seminar.pdf

The Ultimate Guide to Choosing WordPress Pros and Cons

Advanced Computer Architecture – An Introduction

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

From Family Reminiscence to Scholarly Archive .

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

"Debugging python applications inside k8s environment", Andrii Soldatenko

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Gen AI in Business - Global Trends Report 2024.pdf

Identity patterns and anit-patterns in real world web services

1. Identity patterns & anti-patterns in real world web services ~ By Prabath Siriwardena, WSO2

10.

11.

12.

13. Proof of identity

14. Something you know…

15. Something you have…

16. Something you are…

17. Multifactor Authentication

18.

19.

20. Anyone can access my Service 

21.

22.

23. WSDL WSDL WSDL

24. WSDL WSDL WSDL

25. Transport Level Security Vs Message Level Security

26. Transport Level Security

27. Message Level Security

28. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>

29. BasicAuth with Transport Level Security

30. Direct Authentication Pattern Problem : How to avoid anonymous users accessing a web service

31. Direct Authentication Pattern Solution : The web service acts as an authentication service to validate credentials from the client.

32. Direct Authentication Pattern Implementation(s) : UsernameToken with WSSE BasicAuth with TLS

33.

34.

35. Exception Shielding Pattern Problem : Exception data output by a service containing implementation details could compromise the security of the service

36. Exception Shielding Pattern Solution : Potentially unsafe exception data is "sanitized" by replacing it with exception data that is safe by design before it is made available to consumers

37. Users OUT SIDE Our Domain Need ACCESS

38. Direct Authentication needs us to maintain user credentials internally

39. We don’t have the credential of external users

40. Direct Authentication doesn’t solve our problem

41. Can’t we delegate Authentication to the External Domain itself

42.

43.

44.

45.

46. WS-TRUST

47. Brokered Authentication Pattern Problem : How to avoid anonymous users accessing a web service and give access to users outside our domain, where we don’t have the users’ credentials to validate

48. Brokered Authentication Pattern Solution : Delegate authentication to a third party who knows to validate user credentials and the service trusts the assertions provided by that particular third party

49. Brokered Authentication Pattern Implementation(s) : WS-Trust OpenID, Information Cards, OAuth

50. How do we know the legitimacy of the third party Security Token Service ?

51.

52. Data Origin Authentication Pattern Problem : How do we prevent an attacker from manipulating messages in transit between a client and a web service.

53. Data Origin Authentication Pattern Solution : Validate message integrity and non- repudiation with message signature

54. Our services access downstream resources with the authenticated user’s credentials

55. This could bring security risks – and make down stream resources vulnerable to attacks

56. How about controlling user access to the down stream resources

57. Service acts as the client – with service’s credentials

58.

59. Trusted Sub System Pattern Problem : A consumer that accesses backend resources of a service directly can compromise the integrity of the resources and can further lead to undesirable form of implementation coupling.

60. Trusted Sub System Pattern Solution : The service is designed to use it’s own credentials for authentication and authorization with backend resources on behalf of the consumers

61. Patterns @ Work…

62.

63.

64. Message Interceptor Gateway Pattern Problem : Different services deployed could have different security policies and a security vulnerability of the weakest service could be exploited to create loop holes in entire system.

65. Message Interceptor Gateway Pattern Solution : Provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages.

66. http://blog.facileLogin.com http://RampartFAQ.com prabath@apache.org prabath@wso2.com

67. Thank You…!!!