Oracle® Application Server Web Services Security Guide 10g (10.1.3.5.0) Part Number E13983-01
This appendix describes the security threats that are present in today's Web services environment, and how Oracle Application Server Web Services Security responds to these threats. The descriptions of the security threats are provided by the Web Services Interoperability (WS-I) Organization's document Security Challenges, Threats and Countermeasures Version 1.0. This document identifies the following information:
- The security challenges: these are the goals or features that help you decide specific security scenarios.
- The threats that prevent the fulfillment of each goal.
- The countermeasures you can employ to guard against each threat.
- The possible usage scenarios and the security challenges and threats that might apply to each.
See Also:
For more information on these security mechanisms and threats, see Security Challenges, Threats and Countermeasures Version 1.0 at the following Web site: http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf
This appendix identifies how the functionality in OracleAS Web Services can be used to address the threats described in the Security Challenges document. For example, Table B-1 describes message-level security threats and Table B-2 describes transport-level security threats. These tables also identify possible solutions to the security threats and whether you can implement the solutions with Application Server Control or Oracle JDeveloper. The tables also provide a roadmap to where you can find more information on the solutions in the documentation.
These tables use tags, such as SC1, SA1, and BISP1, to indicate message and transport layer security mechanisms. These tags are briefly described in Table B-3. The tables also use threat IDs, such as T-01 and T-02, to indicate types of security threats. These threats are briefly described in Table B-4.
Table B-1 Message Layer Security Solutions
Solution | Threat Number and Name | Supported Solutions | Application Server Control Support | Oracle JDeveloper Support | Where Documented |
---|---|---|---|---|---|
Sender Authentication: Username with clear text password or digest password with encrypted password/digest (SA1) | T-05: Principal Spoofing | SA1 | Inbound configuration (verifying username token) is supported. Outbound configuration (username token): Application Server Control does not support encrypting or decrypting the username token. | Inbound configuration (verifying username token) is supported. Outbound configuration (username token with clear text/digest password) is supported. Encrypting and decrypting the username token are manual steps. | "Encrypting Elements of a SOAP Message" and "Decrypting Elements of a SOAP Message" provide information on encrypting and decrypting the username token. "Assembling a Secure Web Service" provides bottom up and top down examples which use username token. |
Sender Authentication: Username with clear text password or digest password (SA2) | T-05: Principal Spoofing | SA2 | Inbound configuration is supported by the | Both inbound and outbound configuration are supported. | |
Message Integrity, Sender Authentication: XML Digital Signature (SI1) with: | T-01: Message Alteration; T-05: Principal Spoofing | SI1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policy for SI1 (verify signature) is supported through Application Server Control. You must configure an instance/port-level keystore with a signature key. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SA2, SA3, and SA5 are not supported through Application Server Control. | Both inbound and outbound policies for SI1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. You must configure a keystore with a signature key. | Chapter 2, "Configuring Web Service Security". "Assembling Security into a Web Service Bottom Up" describes the bottom up XML Signature and Username token cases. |
Message Confidentiality, Sender Authentication: XML Encryption (SC1) with: | T-02: Message Confidentiality; T-05: Principal Spoofing | SC1, SA1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policy for SC1 is supported through Application Server Control. You must configure an instance/port-level keystore with an encryption key. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SA2, SA3, SA5, and SC1 are not supported through Application Server Control. | Both inbound and outbound policies for SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. You must configure an instance/port-level keystore with an encryption key. | Configuring security tokens and encryption are covered in Chapter 3, "Administering Web Services Security". "Assembling Security into a Web Service Bottom Up" describes the bottom up XML Encryption case. |
One-Way AnyNode – AnyNode Message Confidentiality, Integrity, Sender Authentication: XML Digital Signature (SI1) with: | T-01: Message Alteration; T-02: Confidentiality; T-05: Principal Spoofing; T-06: Forged claims | SI1, SC1, SA1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SC1, SC2, SA2, SA3, and SA5 are not supported through Application Server Control. | Both inbound and outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. You must configure a keystore with signature and encryption keys. | Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security". |
Two-Way AnyNode – AnyNode Message Confidentiality, Integrity, Sender Authentication: XML Digital Signature (SI1) with: | T-01: Message Alteration; T-02: Message Confidentiality; T-05: Principal Spoofing; T-06: Forged claims | SI1, SC1, SA1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SI1, SC1, SA2, SA3, and SA5 are not supported through Application Server Control. | Both inbound and outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. | Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security". |
Hybrid: Transport Integrity and Confidentiality, AnyNode-AnyNode Message Confidentiality, Integrity, Mutual Authentication: SSL/TLS (BISP1) with XML Signature (SI1) with: | T-01: Message Alteration; T-02: Message Confidentiality; T-03: Falsified Messages; T-04: Man in the Middle; T-05: Principal Spoofing; T-06: Forged claims; T-07: Replay of Message Parts; T-08: Replay | BISP, BC1, SI1, SC1, SA1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SC1, SI1, SA2, SA3, SA5, BISP, and BC1 are not supported through Application Server Control. | Both inbound and outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. BISP and BC1 are not supported through Oracle JDeveloper. | Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security". For the manual steps to configure SSL, see the Oracle Containers for J2EE Security Guide. |
Hybrid: Transport Integrity and Confidentiality, Mutual Authentication, AnyNode-AnyNode Message Confidentiality, Integrity, Mutual Authentication: SSL/TLS (BISP) with SSL/TLS and client authentication (BC1) with: | T-01: Message Alteration; T-02: Message Confidentiality; T-03: Falsified Messages; T-04: Man in the Middle; T-05: Principal Spoofing; T-06: Forged claims; T-07: Replay of Message Parts; T-08: Replay | BISP, SI1, SC1, SA1, SA2, SA3, and SA5 are supported. SA6 is not supported. | Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SI1, SC1, SA2, SA3, SA5, and BISP are not supported through Application Server Control. | Both inbound and outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. BISP is not supported through Oracle JDeveloper. | Manual steps for configuring SSL are described in the Oracle Containers for J2EE Security Guide. |
Table B-2 describes the security threats that can impact the transport layer and the possible solutions that can be implemented under OracleAS Web Services Security.
Table B-2 Transport Layer Security Solutions
Solution | Threat Number and Name | Solutions Supported | Application Server Control Support | Oracle JDeveloper Support | Where Documented |
---|---|---|---|---|---|
Consumer Authentication | T-05: Principal Spoofing | Yes | No | No | "Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide. |
Transport Integrity, Confidentiality, Provider Authentication: SSL/TLS (BISP1) | T-01: Message Alteration; T-02: Message Confidentiality | Yes | No | No | "Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide. |
Transport Integrity, Confidentiality, Mutual Authentication: SSL/TLS (BISP1) with SSL/TLS with client authentication (BC1) | T-01: Message Alteration; T-02: Message Confidentiality; T-03: Falsified Messages; T-04: Man in the Middle; T-05: Principal Spoofing; T-06: Forged claims; T-07: Replay of Message Parts; T-08: Replay | Yes | No | No | "Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide. |
Transport Integrity, Confidentiality, Mutual Authentication with Enhanced Consumer Authentication: SSL/TLS (BISP1) with HTTP Basic/HTTP Digest Authentication (BC5) | T-01: Message Alteration; T-02: Message Confidentiality; T-03: Falsified Messages; T-05: Principal Spoofing; T-06: Forged claims; T-07: Replay of Message Parts; T-08: Replay | Yes | No | No | "Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide. |
Table B-3 provides a brief description of the tags that represent message- and transport-layer security mechanisms described in Table B-1 and Table B-2.
Table B-3 Unique IDs for Message and Transport Layer Security Mechanisms
Tag | Description |
---|---|
BC1 | SSL/TLS with client authentication |
BC2 | HTTP basic |
BC3 | HTTP digest |
BC4 | HTTP attributes |
BC5 | HTTP basic or HTTP digest |
BISP1 | SSL/TLS |
SA1 | XML encryption, username token with either password or digest |
SA2 | Username and either password or digest |
SA3 | X.509 certificate |
SA5 | SAML token |
SA6 | REL token |
SC1 | XML encryption |
SI1 | XML digital signature |
Table B-4 provides a brief description of the security threat IDs and names used in Table B-1 and Table B-2.
Table B-4 Security Threats Addressed by OracleAS Web Services Security
Threat ID | Threat Name | Description |
---|---|---|
T-01 | Message Alteration | The message information is altered by inserting, removing or otherwise modifying information created by the originator of the information and mistaken by the receiver as being the originator's intention. |
T-02 | Confidentiality | Information within the message is viewable by unintended and unauthorized participants. |
T-03 | Falsified Messages | Fake messages are constructed and sent to a receiver who believes them to have come from a party other than the sender. |
T-04 | Man in the Middle | A party poses as the other participant to the real sender and receiver in order to fool both participants (for example, the attacker is able to downgrade the level of cryptography used to secure the message). |
T-05 | Principal Spoofing | A message is sent which appears to be from another principal. |
T-06 | Forged claims | A message is sent in which the security claims are forged in an effort to gain access to otherwise unauthorized information (for example, a security token is used which wasn't really issued by the specified authority). |
T-07 | Replay of Message Parts | A message is sent which includes portions of another message in an effort to gain access to otherwise unauthorized information or to cause the receiver to take some action. |
T-08 | Replay | A whole message is resent by an attacker. |
T-09 | Denial of Service | Amplifier Attack: attacker does a small amount of work and forces system under attack to do a large amount of work. |