improving performance for improving performance for
play

Improving performance for Improving performance for security - PowerPoint PPT Presentation

Jan 18, 2024 •50 likes •490 views

Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm higeartaigh - Dr. Colm higeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0

  1. Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm Ó hÉigeartaigh - Dr. Colm Ó hÉigeartaigh

  2. Agenda • Introduction to Apache CXF • WS-Security in CXF 3.0.0 • Securing Attachments in CXF 3.0.0 • RS-Security in CXF 3.0.0 • Some empirical data • Using Single Sign-On (SSO)

  3. Speaker Introduction Apache CXF Apache Syncope Apache Santuario Apache Webservices

  4. Introduction to Apache CXF Introduction to Apache CXF

  5. Apache CXF • One of the leading web service frameworks. • Supports JAX-WS and JAX-RS frontend APIs • Protocols: SOAP, XML/HTTP, RESTful HTTP, CORBA, etc. • Transports: HTTP, JMS, JBI, etc. • Comprehensive WS standards support. • Security Services: STS, XKMS, Fediz. • Strong OSGi support.

  6. Apache CXF Stats • Founded in 2006 as a merger of Celtix + XFire. • Apache TLP releases go from 2.0.6 to the current 2.7.10 / 3.0.0-milestone2. • 33 committers, 22 of whom are PMC members. • Embedded in other Apache projects such as Apache Syncope, Apache Camel, Apache T omEE+. • Used in industry products such as JBoss Web Services, Jboss Fuse, T alend ESB, etc.

  7. JAX-WS • A service is typically defjned by a WSDL document • Java code generated by “WSDL2Java” functionality • Alternatively, can start with code + use annotations • T ypically a SOAP binding is used over HTTP • SOAP Body contains service payload • SOAP Header contains service metadata

  8. SOAP Envelope

  9. JAX-RS • Web Services using Representational State Transfer (REST) paradigm. • Can use WADL to defjne the service, but typically code + annotations are used • Messages can be marshalled/unmarshalled to/from Java Objects using JAXB • Messages in XML/JSON format.

  10. Annotations Example

  11. WS-Security in CXF 3.0.0 WS-Security in CXF 3.0.0

  12. WS-Security • A set of OASIS specifjcations to secure SOAP Messages • Message Confjdentiality (XML Encryption) • Message Integrity (XML Signature) • Client Authentication via tokens (Username T okens, Kerberos T okens, SAML T okens, Asymmetric Signature Certifjcates/Public Keys).

  13. Secured SOAP Envelope

  14. WS-SecurityPolicy • WS-SecurityPolicy can be used to confjgure WS-Security via a WS-Policy expression. • By embedding the policy in a WSDL, a service can publish security requirements to a client • Client/Service only need to confjgure usernames, passwords, keys, etc. • Requests are validated against the set of applicable policies

  15. Example

  16. WS-Security @ Apache • Apache Santuario: XML Signature + XML Encryption • Apache WSS4J: WS-Security layer built on top of Santuario • Apache CXF / Apache Axis/Rampart: Web Services stacks that include WSS4J – WS-SecurityPolicy support, WS-Trust, WS-SecureConveration, etc.

  17. A familiar problem... 80 70 60 Time per 1000 requests (s) 50 Plaintext 40 Signed + Encrypted 30 20 10 0 Small Msg Large Msg

  18. Security is Expensive • There is a large performance penalty associated with using WS-Security. • This is partly due to the work involved in signing and encrypting (in particular using XML). • However, a large reason is due to the fact that up to now, WS-Security processing requires DOM. • This requires a lot of memory for large requests • Also, a StAX-enabled stack such as CXF needs to convert the request into DOM

  19. Streaming WS-Security • A WS-Security implementation based on StAX would solve the problem of large memory requirements and having to convert to DOM. • However, there are huge diffjculties with porting things like XML canonicalization to use a streaming approach. • 2011: Problem solved by Marc Giger donating his SWSSF project to Apache, a streaming WS-Security prototype based on WSS4J.

  20. SWSSF @ Apache • Rather than create a new project, SWSSF has been integrated into the existing projects. • The XML Signature + Encryption parts have been added to Apache Santuario 2.0.0. • The WS-Security parts have been added to Apache WSS4J 2.0.0. • WSS4J now has two WS-Security stacks, one based on DOM and one on StAX.

  21. CXF Integration • The new StAX code is fully integrated into CXF • It uses the exact same confjguration as for the DOM code • New interceptors: WSS4JStax(Out|In)Interceptor • Works with WS-SecurityPolicy - StAX functionality enabled by a boolean confjguration property (“ws-security.enable.streaming) • DOM functionality is enabled by default for WS-SecurityPolicy

  22. Real-time validation • Apache CXF parses the set of WSS4J results + evaluates the set of applicable WS-SecurityPolicy policies against them. • The new StAX implementation does real-time validation of the policies while it is evaluating a request. • SecurityEvents are generated during processing • This has performance gains and is more resistant to Denial of Service (DoS) style attacks.

  23. Performance • The StAX WS-Security stack uses far less memory for large requests (see Empirical Data section) • It should be more effjcient for a service handling many simultaneous requests as a result • It performs better in some scenarios than the DOM stack, and worse in others • Profjling and future optimisations will hopefully improve performance to a point where we can switch the default stack in CXF

  24. What's not supported? • XPath evaluation • “Strict” Layout validation • Policy combinations that require two separate Encryption actions (EncryptBeforeSigning + EncryptSignature) • Policy combinations that require two separate Signature actions (e.g. Endorsing tokens with (a)symmetric bindings – with some exceptions).

  25. WSS4J 2.0.0 • Lots of new features apart from StAX implementation • New consolidated WS-SecurityPolicy model • Support for securing message attachments • Support for caching based on EhCache • Support for encrypting passwords in Crypto properties fjles using Jasypt

  26. Securing attachments in CXF Securing attachments in CXF 3.0.0 3.0.0

  27. Securing attachments • Signing/encrypting message attachments not supported prior to CXF 3.0.0. • WSS4J 2.0.0 supports the WS-Security SOAP Messages with Attachments Profjle. • If a “<sp:Attachments />” policy is used as a (Signed|Encrypted)Parts in CXF 3.0.0, all attachments are automatically secured. • There are also policies to only sign the content or to include the attachment headers.

  28. Example

  29. Using MTOM • If MTOM is enabled with WS-Security, attachments are inlined before the SOAP Body is secured. • Signing/encrypting using MTOM is targeted for CXF 3.0.1. • However, the cost associated with BASE-64 encoding the attachment + inlining it for signature digest calculation may make the SwA approach more effjcient. • CXF 3.0.0 has a minor effjciency gain not to inline the attachments with MTOM for most T ransportBinding use-cases.

  30. RS-Security in CXF 3.0.0 RS-Security in CXF 3.0.0

  31. RS-Security • CXF supports XML Signature + Encryption for JAX-RS clients and endpoints as well. • XML Signature options: Enveloped, Enveloping, Detached. • Separate interceptors for Signature + Encryption, that can be chained. • Using XML Signature with PKI allows an alternative to the standard HTTP/BA over TLS or TLS with client auth.

  32. Sample signed request

  33. Streaming RS-Security • It's possible to use the new StAX functionality for JAX-RS as well in CXF 3.0.0. • New interceptors: XmlSec(Out|In)Interceptor • XML Signature (enveloped only) + Encryption supported. • T estcase: https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-jaxrs-xmlsec

  34. Some empirical data... Some empirical data...

  35. Benchmarks I

  36. Benchmarks II

  37. Benchmarks III

  38. Benchmarks IV

  39. Using Single Sign-On (SSO) Using Single Sign-On (SSO)

  40. Single Sign-On (SSO) • Thus far we have focused on securing messages • However, client authentication can also be expensive... • This is where Single Sign-On (SSO) comes in • The client “signs-on” to a centralized authentication service of some kind, and retains a resulting token for any subsequent authentication (until the user signs out).

  41. SSO using WS-SecConv • A really simple way supported in CXF for SSO is to use WS-SecureConversation. • A rudimentary STS is embedded with a CXF endpoint • The client authenticates and receives a token + negotiated secret. • The client signs the request using the secret + references the token in any subsequent request. • T estcase (SSOT est): https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-shiro

  42. SSO using an STS • CXF ships with an advanced SecurityT okenService (STS) • The client authenticates to the STS + receives a SAML T oken. • The client caches the token + re-uses it until expiry. • Roles/claims are embedded in the token for authorization • T estcase (SSOT est): https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-sts

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improving Performance We want to improve the performance of our computation Unit 17

Improving Performance We want to improve the performance of our computation Unit 17

17.1 17.2 Improving Performance We want to improve the performance of our computation Unit 17 Question: What are we referring to when we say &quot;performance&quot;? __________________ Improving Performance __________________

337 views • 5 slides
The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and Containerization Platforms Davood GhatrehSamani, Chavit Denninart Joseph Bacik Mohsen Amini Salehi High Performance Cloud Computing Lab (HPCC)

408 views • 30 slides
Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble

Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble

Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble University Advisors: Jean-Bernard Stefani, Renaud Lachaize and Vivien Qu ema Sardes (INRIA/LIG) December 2, 2010 Improving the performance of data

693 views • 67 slides
Progress with improving electricity Progress with improving electricity industry performance 1

Progress with improving electricity Progress with improving electricity industry performance 1

Progress with improving electricity Progress with improving electricity industry performance 1 April 2014 There are many sub-markets in electricity 27 x Retail 3 x Hedge Transport 1 x Spot 9 x AS Retail On-going rises in residential

1.17k views • 47 slides
IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS

IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS

IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS CONSTRUCTION ENERGY WITH AND 100 38.5Billion 185,500 COUNTRIES REVENUE IN 2015 EMPLOYEES 2 | Improving industrial performance VINCI ENERGIES: A

347 views • 15 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT

IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT

IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT ARCH=MIPS74KF) Adrin Prez de Castro Embedded Linux Conference April 29 May 1, 2014 WHOAMI aperez@igalia.com +AdrianPerezDeCastro @aperezdc

399 views • 22 slides
Improving Performance and Cost in a Hyperconnected World

Improving Performance and Cost in a Hyperconnected World

Improving Performance and Cost in a Hyperconnected World Georgios Smaragdakis Th The New Internet Google, Akamai, NeJlix Amazon, Global Transit / &quot;Hyper

415 views • 24 slides
Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and

Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and

Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and Prefetch Buffers Norm Jouppi In Context At the time, CPU performance was really beginning to pull away from DRAM performance Increased

329 views • 22 slides
Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence

Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence

Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence at Nestle Todays Agenda Chatbots @ Nestle. Overview, learnings and use cases Improving our chatbots performance Chatbots core :

583 views • 21 slides
Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva

Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva

Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva Tom Kelly ctk21@cam.ac.uk CERN and Laboratory for Communication Engineering University of Cambridge Scalable TCP: Improving Performance in

769 views • 14 slides
Performance Eric McCreath Increasing Word Size A simple way of improving performance is to

Performance Eric McCreath Increasing Word Size A simple way of improving performance is to

Performance Eric McCreath Increasing Word Size A simple way of improving performance is to increase the data word size. This means that each instruction operates on a larger amount of data. This will involve more gates within the CPU. Also it

429 views • 9 slides
Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast

Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast

Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast Background: Spark, RDDs, and Sparks execution model Case study overview Improving our prototype Background Apache Spark Introduced

1.5k views • 128 slides
Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons

Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons

Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons George Teodoro 1 , Rafael Sache&gt;o 1 , Olcay Sertel 2 , Me(n Gurcan 2 , Wagner Meira Jr. 1 , Umit Catalyurek 2 , Renato Ferreira 1 1. Federal

601 views • 23 slides
Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance

Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance

Is A 50,000 litre Lifetime Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance Reductions in replacement rate Reductions in environmental pressures Improvements in public perception of the

550 views • 24 slides
Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia

Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia

Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia &lt;berto@igalia.com&gt; Improving the performance of the qcow2 format Introduction to the qcow2 format Improving the performance of the qcow2 format KVM Forum 2017

640 views • 39 slides
Heb. 11:30, By faith the walls of Jericho fell down after they were encircled for seven days.

Heb. 11:30, By faith the walls of Jericho fell down after they were encircled for seven days.

Heb. 11:30, By faith the walls of Jericho fell down after they were encircled for seven days. Heb. 11:31, By faith the harlot Rahab did not perish with those who did not believe, when she had received the spies with peace. The Book of

692 views • 15 slides
DevOps: Next Nicole Forsgren, PhD DevOps is good for IT performance

DevOps: Next Nicole Forsgren, PhD DevOps is good for IT performance

DevOps: Next Nicole Forsgren, PhD DevOps is good for IT performance and this IT performance translates DevOps is good for organiza5ons That was then 10

625 views • 34 slides
8/23/2016 The Apostle Paul Visits Athens Acts 17:16-34 This city was the intellectual and

8/23/2016 The Apostle Paul Visits Athens Acts 17:16-34 This city was the intellectual and

8/23/2016 The Apostle Paul Visits Athens Acts 17:16-34 This city was the intellectual and cultural capital of the Roman Empire with a renown history and magnificent buildings and monuments. What Caught Paul's Eye? More a missionary than a

188 views • 5 slides
A Common Fallacy in Quantum Mechanics Why Delayed Choice Experiments do NOT imply Retrocausality

A Common Fallacy in Quantum Mechanics Why Delayed Choice Experiments do NOT imply Retrocausality

A Common Fallacy in Quantum Mechanics Why Delayed Choice Experiments do NOT imply Retrocausality David Ellerman UCR May 2012 David Ellerman (UCR) A Common Fallacy in Quantum Mechanics May 2012 1 / 60 Overview: Separation Fallacy There

1.07k views • 60 slides
shelter Psalm 91 Psalm 91:1 NIV Whoever dwells in the shelter of the Most High will rest in

shelter Psalm 91 Psalm 91:1 NIV Whoever dwells in the shelter of the Most High will rest in

shelter Psalm 91 Psalm 91:1 NIV Whoever dwells in the shelter of the Most High will rest in the shadow of the Almighty. Psalm 91:2 NIV I will say of the L ORD , He is my refuge and my fortress, my God, in whom I trust. Psalm 91:3-8

438 views • 8 slides
Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa (krunapon@kku.ac.th)

Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa (krunapon@kku.ac.th)

Apache Axis2: Next Generation Web Services 3/11/2007 Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa (krunapon@kku.ac.th) Department of Computer Engineering Khon Kaen University 1 Agenda What and Why Apache

326 views • 30 slides
Introduction to Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa

Introduction to Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa

Apache Axis2: Next Generation Web Services 1/ 15/ 2007 Introduction to Apache Axis2: Next Generation Web Services Asst. Prof. Dr. Kanda Runapongsa (krunapon@kku.ac.th) Department of Computer Engineering Khon Kaen University 1 Agenda

920 views • 22 slides
CITIZEN PARTICIPATION DISASTER WAIVER REQUIREMENTS CITIZEN PARTICIPATION CDBG CITIZEN

CITIZEN PARTICIPATION DISASTER WAIVER REQUIREMENTS CITIZEN PARTICIPATION CDBG CITIZEN

CITIZEN PARTICIPATION DISASTER WAIVER REQUIREMENTS CITIZEN PARTICIPATION CDBG CITIZEN PARTICIPATION DISASTER WAIVER REQUIREMENTS 1. Publication and Time for Comments 2. Criteria for Determining Changes/Amendments 3. Consideration of Comments

327 views • 29 slides

More recommend