Posted to commits@ws.apache.org by co...@apache.org on 2012/12/06 14:40:55 UTC

svn commit: r1417879 - /webservices/wss4j/site/best_practice.html

Author: coheigea
Date: Thu Dec  6 13:40:55 2012
New Revision: 1417879

URL: http://svn.apache.org/viewvc?rev=1417879&view=rev
Log:
Adding new page to site

Added:
    webservices/wss4j/site/best_practice.html

Added: webservices/wss4j/site/best_practice.html
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/best_practice.html?rev=1417879&view=auto
==============================================================================
--- webservices/wss4j/site/best_practice.html (added)
+++ webservices/wss4j/site/best_practice.html Thu Dec  6 13:40:55 2012
@@ -0,0 +1,184 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.3 at Nov 26, 2012 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J - </title>
+    <style type="text/css" media="all">
+      @import url("./css/maven-base.css");
+      @import url("./css/maven-theme.css");
+      @import url("./css/site.css");
+    </style>
+    <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20121126" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href="./" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+            
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2012-11-26</span>
+                  &nbsp;| <span id="projectVersion">Version: 1.6.8</span>
+                      </div>
+            <div class="xright">        
+            
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+            
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="using.html" title="Using WSS4J">Using WSS4J</a>
+            </li>
+                  <li class="none">
+                          <a href="config.html" title="WSS4J Configuration">WSS4J Configuration</a>
+            </li>
+                  <li class="none">
+                          <a href="topics.html" title="Special Topics">Special Topics</a>
+            </li>
+                  <li class="none">
+            <strong>Security Best Practices</strong>
+          </li>
+                  <li class="none">
+                          <a href="wss4j16.html" title="WSS4J 1.6 Release Notes">WSS4J 1.6 Release Notes</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                                                                                                                                                        <li class="collapsed">
+                          <a href="project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                                            <li class="collapsed">
+                          <a href="project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                   
+            
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section"><h2>Security Best Practices<a name="Security_Best_Practices"></a></h2>
+<p>
+This page describes a number of steps which should be taken to ensure that security best
+practices are followed and enforced.
+</p>
+<div class="section"><h3>Upgrade from WSS4J 1.5.x to WSS4J 1.6.x<a name="Upgrade_from_WSS4J_1.5.x_to_WSS4J_1.6.x"></a></h3>
+<p>
+The 1.5.x series of releases of WSS4J is deprecated. You should switch to a 1.6.x release
+as a matter of priority, as this branch contains up to date security fixes. For example,
+WSS4J 1.6.x uses the &quot;secure validation&quot; mode of Apache XML Security for Java, which protects
+against a number of <a class="externalLink" href="http://santuario.apache.org/java150releasenotes.html">attacks</a>
+on XML Signature.
+</p>
+</div>
+<div class="section"><h3>Upgrade to the latest minor release as soon as possible<a name="Upgrade_to_the_latest_minor_release_as_soon_as_possible"></a></h3>
+<p>
+You should always upgrade to the latest minor release in a timely manner, in order to pick up 
+security fixes.
+</p>
+</div>
+<div class="section"><h3>Use WS-SecurityPolicy to enforce security requirements<a name="Use_WS-SecurityPolicy_to_enforce_security_requirements"></a></h3>
+<p>
+WSS4J can be used with a web services stack such as Apache CXF or Apache Axis in one of two
+ways: either by specifying security actions directly, or via WS-SecurityPolicy. 
+WS-SecurityPolicy is a much richer way of specifying security constraints when processing
+messages, and gives you more &quot;automatic&quot; protection against various attacks then when
+configuring via security actions. See for example, this blog 
+<a class="externalLink" href="http://coheigea.blogspot.ie/2012/10/xml-signature-wrapping-attacks-on-web.html">post</a>
+on XML signature wrapping attacks. Therefore, you should always try to use WSS4J with a
+WS-SecurityPolicy requirement.
+</p>
+</div>
+<div class="section"><h3>Use RSA-OAEP for the Key Transport Algorithm<a name="Use_RSA-OAEP_for_the_Key_Transport_Algorithm"></a></h3>
+<p>
+WSS4J supports two key transport algorithms, RSA v1.5 and RSA-OAEP. A number of attacks
+exist on RSA v1.5. Therefore, you should always use RSA-OAEP as the key transport algorithm,
+and enforce this decision. For WS-SecurityPolicy, this means to avoid using any AlgorithmSuite
+that ends with &quot;Rsa15&quot; (e.g. &quot;Basic128Rsa15&quot;). For the direct configuration case, you should
+explicitly configure WSHandlerConstants.ENC_KEY_TRANSPORT (&quot;encryptionKeyTransportAlgorithm&quot;)
+to be &quot;http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&quot;. This latter point requires the
+web services stack to set this property on the Request (is it known that Apache CXF does this).
+</p>
+</div>
+<div class="section"><h3>Avoid using a cbc Symmetric Encryption Algorithm<a name="Avoid_using_a_cbc_Symmetric_Encryption_Algorithm"></a></h3>
+<p>
+There are some attacks that exploit the &quot;cbc&quot; mode of a Symmetric Encryption Algorithm. 
+WSS4J has support for &quot;gcm&quot; mode algorithms as well. This can be specified via
+WSHandlerConstants.ENC_SYM_ALGO (&quot;encryptionSymAlgorithm&quot;), for example to 
+&quot;http://www.w3.org/2009/xmlenc11#aes128-gcm&quot;.
+</p>
+</div>
+<div class="section"><h3>Use Subject DN regular expressions with chain trust<a name="Use_Subject_DN_regular_expressions_with_chain_trust"></a></h3>
+<p>
+WSS4J 1.6.7 introduced the ability to specify regular expressions on the Subject DN of a 
+certificate used for signature validation. It is important to add this constraint when you
+are supporting &quot;chain trust&quot;, which is where you are establishing trust in a certificate 
+based on the fact that the Issuer of the certificate is in your trust store. Otherwise, any
+certificate of this issuer will pass trust validation. See 
+<a class="externalLink" href="http://coheigea.blogspot.ie/2012/08/subject-dn-certificate-constraint.html">here</a>
+for more information. 
+</p>
+</div>
+<div class="section"><h3>Specify signature algorithm on receiving side<a name="Specify_signature_algorithm_on_receiving_side"></a></h3>
+<p>
+When not using WS-SecurityPolicy (see point above about favouring the WS-SecurityPolicy
+approach), you should specify a signature algorithm to use on the receiving side. This
+can be done via WSHandlerConstants.SIG_ALGO (&quot;signatureAlgorithm&quot;). Setting this property
+to (e.g.) &quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; will ensure that the signature
+algorithm allowed is RSA-SHA1 and not (e.g.) HMAC-SHA1. This latter point requires the
+web services stack to set this property on the Request (is it known that Apache CXF does 
+this). See also the previous point about setting the key encryption transport algorithm.
+</p>
+</div>
+</div>            
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004-2012
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+            
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
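Review bot: the "Avoid using a cbc Symmetric Encryption Algorithm" section only shows how the sender selects GCM (WSHandlerConstants.ENC_SYM_ALGO set to "http://www.w3.org/2009/xmlenc11#aes128-gcm"), and unlike the RSA-OAEP section it says nothing about enforcing that choice on the receiving side or about which WS-SecurityPolicy AlgorithmSuite to use; since the page's own first recommendation is to prefer WS-SecurityPolicy, this section should state how a CBC-mode message is rejected under both configuration styles, or say plainly that it cannot be. In the "Specify signature algorithm on receiving side" section, using "http://www.w3.org/2000/09/xmldsig#rsa-sha1" as the worked value steers readers toward SHA-1 on a best-practice page; "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" is the better example, with the same sentence making the point that the property restricts the accepted algorithm rather than merely choosing one. Two wording slips in the same hunk read as the opposite of what is meant: "automatic protection against various attacks then when configuring" should be "than when", and the parenthetical "(is it known that Apache CXF does this)", which appears twice, should be "(it is known that Apache CXF does this)". Finally, the generated page has an empty title ("Apache WSS4J - ") and an unexpanded template variable in the banner (alt="$alt") that should be fixed in the site descriptor before publishing.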