
Basic Enterprise Web Service Security Concepts


In the recent past, security was handled by the user interface. The user interface was the sole entry point to the application, so all application security was oriented around user permissions.

Adding web services is like having great locks on your front door but opening all the windows in your house. There are lots of entry points, and each of them needs security.

There are a few basic concepts that need to be understood before enterprise web service security makes sense.

Web service security may operate from a user context, an application context, or both.

User Context: Application 1 includes, in its (web) service request to application 2, information about the user whose action caused the request. Application 2 then decides whether the service is permitted based on the user who requested it in application 1.

This requires applications 1 and 2 to have a common user security framework: application 2 has to recognize application 1’s user and be able to check whether that user is authorized to request the service operation being requested.

User Validation – How can application 2 know that the user sent by application 1 has actually been validated by application 1? One answer would be to send the user’s password along, but application 1 rarely has access to the password (it may be under the control of an external security system such as Microsoft Active Directory), and sending a password in a message has its own security risks.

A frequently selected solution is Single Sign On software. This is integrated into both applications 1 and 2, and when the user logs in it gives the application a “user token” instead of user information. This user token can then be passed in the message, and application 2 can simply ask the Single Sign On utility whether the user token is valid and active (that is, whether the user is still logged in).

If applications 1 and 2 have no common user context (no shared user base or shared security source), then user context security can’t be used. The best that can be done is for application 1 to pass along the name or ID of the user who performed the function resulting in the web service request; application 2 can store it (for logging or auditing purposes) but can’t check any sort of permissions, as the user is unknown to application 2.

Application Context: Is application 1 allowed to activate a particular service in application 2? Is application 1’s test environment allowed to activate that service in application 2’s production environment? (probably not.)

Application context is about whether the source of the request (the source from a program / code / environment perspective) is allowed to request the action being asked from the destination (program and environment).

Enforcement: Some ESBs (Enterprise Service Buses) have internal features to enforce some of this type of security. (Some require add-on modules.) However, even if the ESB is enforcing this type of security, the end points of the requests (the service providing systems) must also be protected and have their own service security enforcement. Otherwise, what is to stop a developer (or a hacker who gets into the internal network) from directly accessing a business web service from a workstation or laptop? (Nothing.) Further, services are intentionally designed to be easy to use and understand, so security through obscurity no longer helps.

Complete enforcement is best done using SOA security tools. These either install an agent on each end point or route all services through security enforcement gateways (with the end points only accepting requests via the gateways). It is possible to create your own security enforcement function in front of services (for example, in IBM WebSphere a “handler” can be inserted in the Web Service engine), but this is generally not recommended, as you would have to recreate it for each technology exposing services, which is what the vendors provide.
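The following Python sketch is an added illustration, not code from the original post: it shows how application 2’s end point might enforce application context first and then user context, including the case where no common user context exists and the user ID can only be logged. The application names, environments, operations, policy tables and SSO session store are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Single Sign On utility: token -> (user, still logged in).
SSO_SESSIONS = {
    "tok-alice-1": ("alice", True),
    "tok-bob-2": ("bob", False),      # bob logged out: token is no longer active
    "tok-carol-3": ("carol", True),
}
# Application context policy (constructed): which source application/environment
# may call which operations on application 2's production service.
APP_POLICY = {
    ("app1", "prod"): {"CreateOrder", "GetOrder"},
    ("app1", "test"): set(),          # test environment may call nothing in production
}
# User context policy (constructed): users known to application 2 and their permitted operations.
USER_POLICY = {"alice": {"GetOrder", "CreateOrder"}, "carol": {"GetOrder"}}


@dataclass
class Request:
    source_app: str
    source_env: str
    operation: str
    user_token: Optional[str] = None  # present when a shared SSO exists
    user_id: Optional[str] = None     # fallback: name only, stored for auditing


def authorize(req: Request, audit: list) -> tuple:
    """End point side enforcement in application 2. Returns (allowed, reason)."""
    # Application context: is this source program/environment allowed to ask for this operation?
    allowed_ops = APP_POLICY.get((req.source_app, req.source_env), set())
    if req.operation not in allowed_ops:
        return (False, "application context denied")
    # User context: ask the SSO utility whether the token is valid and the user still logged in.
    if req.user_token is not None:
        session = SSO_SESSIONS.get(req.user_token)
        if session is None or not session[1]:
            return (False, "user token invalid or inactive")
        user = session[0]
        if req.operation not in USER_POLICY.get(user, set()):
            return (False, f"user {user} not permitted")
        audit.append(f"{req.operation} by {user} via {req.source_app}/{req.source_env}")
        return (True, "ok")
    # No common user context: record the claimed user ID for auditing only and rely on
    # application context, since application 2 cannot check this user's permissions.
    audit.append(f"{req.operation} by unverified user {req.user_id!r} "
                 f"via {req.source_app}/{req.source_env}")
    return (True, "ok (application context only)")
```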

Agent Based Security Model

(Diagram: agent based security model, with a security agent on each service end point.)


Gateway Based Service Security Model

(Diagram: gateway based service security model, with all services routed through security enforcement gateways.)
