trying to solve IT problems

How I tried to fix certain programming problems, mostly in the java, JEE, JBoss scene, web area and using Ubuntu or Debian linux.

  • Home
  • Geomajas / GIS
  • About
Twitter RSS

Why XML security is broken

Posted on February 8, 2008 by joachim
No CommentsLeave a comment

I am currently also part of the TAS3 European project which is about a “Trusted Architecture for Securely Shared Services“.
This results in very interesting discussions about how to handle security, at which layer etc.
The aim of the project is to assure that the details of who is allowed to do/see/get something is not defined for each person or role as this causes problems. You do not know in advance what your data or service will be used for so this would require a lot of foresight. Another aspect is that the role/id of the client can be insufficient, an indication the purpose for which the service or data is needed is also important to decide whether access is granted or not.

The intended solution for preventing the need for foresight is by using semantic footprints (commitments) to determine when access is either allowed or forbidden. In that case, instead of just comparing role and purpose using id or description, you can do a match on the semantic definition and when they match to a sufficiently high degree, you can draw a conclusion.

As a result of discussions about this, I received a mail from Dave Chadwick about xml security. It contains some interesting links to documents about problems with the ws-* stack and how older (non-XML, specifically SSL) solutions can provide a better solution in many situations. It gives in interesting read.

For more details see :

  • http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt
  • Intro from Black Hat USA 2007 conference (presentations and papers below)
  • http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf
  • http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf
  • http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_Handout.pdf
Categories: architecture, semantics
Choosing a web framework for rich internet enterprise application development
xwiki installation on jboss using firebird

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

*

*


question razz sad evil exclaim smile redface biggrin surprised eek confused cool lol mad twisted rolleyes wink idea arrow neutral cry mrgreen

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Recent Posts

    • December BeJUG notes: Let’s make this test suite run faster
    • MagdaGeo sample
    • Geomajas GIS framework 2011 roundup
    • Routing demo at FOSS4G Denver
    • Using UnboundID to authenticate against an LDAP server

  • Recent Comments

    • javaLearner on CXF ws client, dynamic endpoint and loading WSDL from the classpath
    • Geomajas GIS framework 2011 roundup « trying to solve IT problems on Routing demo at FOSS4G Denver
    • Sumant on delete windows service account
    • asme standards on Using Infinispan for high availability, extreme performance, Manik Surtani & Galder ZamarreƱo
    • Terry on Using UnboundID to authenticate against an LDAP server

  • Categories

    • architecture
    • competencies
    • equanda
    • geomajas / GIS
    • java
    • jboss
    • maven
    • semantics
    • tapestry5
    • ubuntu / debian / linux
    • Uncategorized
    • web development
    • web services
© trying to solve IT problems. Proudly Powered by WordPress | Nest Theme by YChong