12.9. Putting the Pieces TogetherWe now show how WS-Security uses these techniques to secure Web service interactions. 12.9.1. The Basic ModelIn its simplest form, WS-Security carries a single signed security token asserting the requester's security information without further protection. The following SOAP envelope shows this: <S:Envelope xmlns:S="..."The WS-Security specification defines a header block called <wsse:Security>, which might contain one or more security tokens. A message might contain zero or more <wsse:Security> headers. If multiple security headers exist, each one must be targeted at a different SOAP Actor or Role. In this case, one security token, the <wsse:UsernameToken> element, asserts the identity of the requester.This form is useful when the sender node and the receiver node are located in a controlled environment, or when the transport or lower layers provide sufficient protection (such as when the connection is protected by TLS or IPSec). One typical usage scenario is to propagate the end user's identity to back-end Web services. In Figure 12-6, the end user's identity is authenticated by the HTTP front-end server using HTTP Basic Authentication. The front-end server then forwards the identity information to the back-end Web service using the username token in WS-Security. Because the front-end server is located in the same security domain as the Web service, the Web service can trust the assertion regarding the end user's identity. Protection during transmission is provided by hop-by-hop SSL/TLS connections. Figure 12-6. Propagating the end user's identity.[View full size image]  <S:Envelope xmlns:S="..."In addition to security tokens, the WS-Security header block, <wsse:Security>, might also contain encryption directives (in the <xenc:ReferenceList> element) and signature directives (in the <ds:Signature> element). Typically, a security token carries an X.509 certificate that is used in conjunction with the signature. The receiving node will process these subelements in the order they appear. In this case, it processes the binary security token and extracts the X.509 certificate within, decrypts the message body that is referenced by the <xenc:ReferenceList> subelement, and verifies the signature contained in the <ds:Signature> element. Consequently, the sender node is responsible for prepending subelements as they are processed during the message's composition. 12.9.2. Model with IntermediaryBecause the <wsse:Security> element is a SOAP header block, it can be targeted at any SOAP receiver that might be on the message path, using the role attribute (or the actor attribute if the envelope uses SOAP 1.1). Accordingly, a SOAP message can contain multiple <wsse:Security> header blocks, but each block must be targeted to a different receiver. The order of these header blocks doesn't matter because the SOAP specification does not specify any particular order when targeting headers to intermediaries. It is possible to have one security header block with no target, which is assumed to apply to the message and all actors. An intermediary node should process header blocks targeted at the node, then remove them, and optionally add new header blocks, before transferring the message to the next node in the message path. A message can still be protected against unauthorized accesses and modifications in the presence of un-trusted intermediaries if the originator signs it with its own signature and encrypts it with the key of the ultimate receiver.In this example, CompanyABC can sign some of the request information it forwards to Fabrikam456, which defines the request for travel. Fabrikam456 can add information to the request as it interacts with the airline and hotel. Because the original request information is signed, the airline and hotel are assured that CompanyABC originated the travel request, and can process Fabrikam456's operations within the context of the original request. CompanyABC's application might encrypt the message also (with keys known to all parties) and send private information to the airline and hotel, which Fabrikam456 will not be able to examine. This information might include account and discount information, contract numbers, and so on. 12.9.3. Trust RelationshipsA security token can be self-generated (as in the case of a username token) or vouched for by a trusted third party. If the message's sender and receiver are both in the same security domain (or have a direct trust relationship), and the communication channel is protected at the transport level, self-generated security tokens can be trusted. Otherwise, security tokens must be vouched for by a third party who is trusted by both the sender and the receiver. In the WS-Security model, this trusted third party is a Security Token Service. WS-Trust defines protocols and standard WSDL interfaces to communicate with an STS.When a security token service is involved in establishing a trust relationship, two interaction models exist. One is the pull model, where the receiver checks the validity of a received security token with the security token service. The other is the push model, where the sender first requests that a token be issued by the security token service.Figure 12-7 shows the pull model of trust establishment. The requester makes a request to the Web service, which is associated with explicit or implied security claims. An example is an identity claim, expressed as a username token along with a password as proof of possession. The Web service then verifies that the password belongs to the claimed requester by consulting with the STS. This corresponds to a directory lookup operation in conventional IT configurations. Figure 12-7. The pull model of trust relationships. Figure 12-8. The push mode of trust relationships. |
لطفا منتظر باشید ...
