improving performance for improving performance for
play

Improving performance for Improving performance for security - PowerPoint PPT Presentation

Jan 18, 2024 •50 likes •490 views

Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm higeartaigh - Dr. Colm higeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0

  1. Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm Ó hÉigeartaigh - Dr. Colm Ó hÉigeartaigh

  2. Agenda • Introduction to Apache CXF • WS-Security in CXF 3.0.0 • Securing Attachments in CXF 3.0.0 • RS-Security in CXF 3.0.0 • Some empirical data • Using Single Sign-On (SSO)

  3. Speaker Introduction Apache CXF Apache Syncope Apache Santuario Apache Webservices

  4. Introduction to Apache CXF Introduction to Apache CXF

  5. Apache CXF • One of the leading web service frameworks. • Supports JAX-WS and JAX-RS frontend APIs • Protocols: SOAP, XML/HTTP, RESTful HTTP, CORBA, etc. • Transports: HTTP, JMS, JBI, etc. • Comprehensive WS standards support. • Security Services: STS, XKMS, Fediz. • Strong OSGi support.

  6. Apache CXF Stats • Founded in 2006 as a merger of Celtix + XFire. • Apache TLP releases go from 2.0.6 to the current 2.7.10 / 3.0.0-milestone2. • 33 committers, 22 of whom are PMC members. • Embedded in other Apache projects such as Apache Syncope, Apache Camel, Apache T omEE+. • Used in industry products such as JBoss Web Services, Jboss Fuse, T alend ESB, etc.

  7. JAX-WS • A service is typically defjned by a WSDL document • Java code generated by “WSDL2Java” functionality • Alternatively, can start with code + use annotations • T ypically a SOAP binding is used over HTTP • SOAP Body contains service payload • SOAP Header contains service metadata

  8. SOAP Envelope

  9. JAX-RS • Web Services using Representational State Transfer (REST) paradigm. • Can use WADL to defjne the service, but typically code + annotations are used • Messages can be marshalled/unmarshalled to/from Java Objects using JAXB • Messages in XML/JSON format.

  10. Annotations Example

  11. WS-Security in CXF 3.0.0 WS-Security in CXF 3.0.0

  12. WS-Security • A set of OASIS specifjcations to secure SOAP Messages • Message Confjdentiality (XML Encryption) • Message Integrity (XML Signature) • Client Authentication via tokens (Username T okens, Kerberos T okens, SAML T okens, Asymmetric Signature Certifjcates/Public Keys).

  13. Secured SOAP Envelope

  14. WS-SecurityPolicy • WS-SecurityPolicy can be used to confjgure WS-Security via a WS-Policy expression. • By embedding the policy in a WSDL, a service can publish security requirements to a client • Client/Service only need to confjgure usernames, passwords, keys, etc. • Requests are validated against the set of applicable policies

  15. Example

  16. WS-Security @ Apache • Apache Santuario: XML Signature + XML Encryption • Apache WSS4J: WS-Security layer built on top of Santuario • Apache CXF / Apache Axis/Rampart: Web Services stacks that include WSS4J – WS-SecurityPolicy support, WS-Trust, WS-SecureConveration, etc.

  17. A familiar problem... 80 70 60 Time per 1000 requests (s) 50 Plaintext 40 Signed + Encrypted 30 20 10 0 Small Msg Large Msg

  18. Security is Expensive • There is a large performance penalty associated with using WS-Security. • This is partly due to the work involved in signing and encrypting (in particular using XML). • However, a large reason is due to the fact that up to now, WS-Security processing requires DOM. • This requires a lot of memory for large requests • Also, a StAX-enabled stack such as CXF needs to convert the request into DOM

  19. Streaming WS-Security • A WS-Security implementation based on StAX would solve the problem of large memory requirements and having to convert to DOM. • However, there are huge diffjculties with porting things like XML canonicalization to use a streaming approach. • 2011: Problem solved by Marc Giger donating his SWSSF project to Apache, a streaming WS-Security prototype based on WSS4J.

  20. SWSSF @ Apache • Rather than create a new project, SWSSF has been integrated into the existing projects. • The XML Signature + Encryption parts have been added to Apache Santuario 2.0.0. • The WS-Security parts have been added to Apache WSS4J 2.0.0. • WSS4J now has two WS-Security stacks, one based on DOM and one on StAX.

  21. CXF Integration • The new StAX code is fully integrated into CXF • It uses the exact same confjguration as for the DOM code • New interceptors: WSS4JStax(Out|In)Interceptor • Works with WS-SecurityPolicy - StAX functionality enabled by a boolean confjguration property (“ws-security.enable.streaming) • DOM functionality is enabled by default for WS-SecurityPolicy

  22. Real-time validation • Apache CXF parses the set of WSS4J results + evaluates the set of applicable WS-SecurityPolicy policies against them. • The new StAX implementation does real-time validation of the policies while it is evaluating a request. • SecurityEvents are generated during processing • This has performance gains and is more resistant to Denial of Service (DoS) style attacks.

  23. Performance • The StAX WS-Security stack uses far less memory for large requests (see Empirical Data section) • It should be more effjcient for a service handling many simultaneous requests as a result • It performs better in some scenarios than the DOM stack, and worse in others • Profjling and future optimisations will hopefully improve performance to a point where we can switch the default stack in CXF

  24. What's not supported? • XPath evaluation • “Strict” Layout validation • Policy combinations that require two separate Encryption actions (EncryptBeforeSigning + EncryptSignature) • Policy combinations that require two separate Signature actions (e.g. Endorsing tokens with (a)symmetric bindings – with some exceptions).

  25. WSS4J 2.0.0 • Lots of new features apart from StAX implementation • New consolidated WS-SecurityPolicy model • Support for securing message attachments • Support for caching based on EhCache • Support for encrypting passwords in Crypto properties fjles using Jasypt

  26. Securing attachments in CXF Securing attachments in CXF 3.0.0 3.0.0

  27. Securing attachments • Signing/encrypting message attachments not supported prior to CXF 3.0.0. • WSS4J 2.0.0 supports the WS-Security SOAP Messages with Attachments Profjle. • If a “<sp:Attachments />” policy is used as a (Signed|Encrypted)Parts in CXF 3.0.0, all attachments are automatically secured. • There are also policies to only sign the content or to include the attachment headers.

  28. Example

  29. Using MTOM • If MTOM is enabled with WS-Security, attachments are inlined before the SOAP Body is secured. • Signing/encrypting using MTOM is targeted for CXF 3.0.1. • However, the cost associated with BASE-64 encoding the attachment + inlining it for signature digest calculation may make the SwA approach more effjcient. • CXF 3.0.0 has a minor effjciency gain not to inline the attachments with MTOM for most T ransportBinding use-cases.

  30. RS-Security in CXF 3.0.0 RS-Security in CXF 3.0.0

  31. RS-Security • CXF supports XML Signature + Encryption for JAX-RS clients and endpoints as well. • XML Signature options: Enveloped, Enveloping, Detached. • Separate interceptors for Signature + Encryption, that can be chained. • Using XML Signature with PKI allows an alternative to the standard HTTP/BA over TLS or TLS with client auth.

  32. Sample signed request

  33. Streaming RS-Security • It's possible to use the new StAX functionality for JAX-RS as well in CXF 3.0.0. • New interceptors: XmlSec(Out|In)Interceptor • XML Signature (enveloped only) + Encryption supported. • T estcase: https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-jaxrs-xmlsec

  34. Some empirical data... Some empirical data...

  35. Benchmarks I

  36. Benchmarks II

  37. Benchmarks III

  38. Benchmarks IV

  39. Using Single Sign-On (SSO) Using Single Sign-On (SSO)

  40. Single Sign-On (SSO) • Thus far we have focused on securing messages • However, client authentication can also be expensive... • This is where Single Sign-On (SSO) comes in • The client “signs-on” to a centralized authentication service of some kind, and retains a resulting token for any subsequent authentication (until the user signs out).

  41. SSO using WS-SecConv • A really simple way supported in CXF for SSO is to use WS-SecureConversation. • A rudimentary STS is embedded with a CXF endpoint • The client authenticates and receives a token + negotiated secret. • The client signs the request using the secret + references the token in any subsequent request. • T estcase (SSOT est): https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-shiro

  42. SSO using an STS • CXF ships with an advanced SecurityT okenService (STS) • The client authenticates to the STS + receives a SAML T oken. • The client caches the token + re-uses it until expiry. • Roles/claims are embedded in the token for authorization • T estcase (SSOT est): https://github.com/coheigea/testcases/tree/master/apac he/cxf/cxf-sts

Recommend

Improving Performance We want to improve the performance of our computation Unit 17

Improving Performance We want to improve the performance of our computation Unit 17

17.1 17.2 Improving Performance We want to improve the performance of our computation Unit 17 Question: What are we referring to when we say &quot;performance&quot;? __________________ Improving Performance __________________

337 views • 5 slides
The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and Containerization Platforms Davood GhatrehSamani, Chavit Denninart Joseph Bacik Mohsen Amini Salehi High Performance Cloud Computing Lab (HPCC)

408 views • 30 slides
Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble

Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble

Improving the performance of data servers on multicore architectures Fabien Gaud Grenoble University Advisors: Jean-Bernard Stefani, Renaud Lachaize and Vivien Qu ema Sardes (INRIA/LIG) December 2, 2010 Improving the performance of data

693 views • 67 slides
Progress with improving electricity Progress with improving electricity industry performance 1

Progress with improving electricity Progress with improving electricity industry performance 1

Progress with improving electricity Progress with improving electricity industry performance 1 April 2014 There are many sub-markets in electricity 27 x Retail 3 x Hedge Transport 1 x Spot 9 x AS Retail On-going rises in residential

1.17k views • 47 slides
IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS

IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS

IMPROVING INDUSTRIAL PERFORMANCE WE ARE PART OF VINCI CONCESSIONS CONTRACTING ROADS CONSTRUCTION ENERGY WITH AND 100 38.5Billion 185,500 COUNTRIES REVENUE IN 2015 EMPLOYEES 2 | Improving industrial performance VINCI ENERGIES: A

347 views • 15 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT

IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT

IMPROVING $PORT PERFORMANCE ON $ARCH PLATFORM-BASED PERFORMANCE TUNING OF WEBKIT (PORT=QT ARCH=MIPS74KF) Adrin Prez de Castro Embedded Linux Conference April 29 May 1, 2014 WHOAMI aperez@igalia.com +AdrianPerezDeCastro @aperezdc

399 views • 22 slides
Improving Performance and Cost in a Hyperconnected World

Improving Performance and Cost in a Hyperconnected World

Improving Performance and Cost in a Hyperconnected World Georgios Smaragdakis Th The New Internet Google, Akamai, NeJlix Amazon, Global Transit / &quot;Hyper

415 views • 24 slides
Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and

Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and

Improving Direct-Mapped Cache Performance by the Addition of a Small Fully-Associative Cache and Prefetch Buffers Norm Jouppi In Context At the time, CPU performance was really beginning to pull away from DRAM performance Increased

329 views • 22 slides
Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence

Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence

Improving Performance on Intent Detection Maria Crosas Conversational Artificial Intelligence at Nestle Todays Agenda Chatbots @ Nestle. Overview, learnings and use cases Improving our chatbots performance Chatbots core :

583 views • 21 slides
Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva

Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva

Scalable TCP: Improving Performance in HighSpeed Wide Area Networks PFLDnet 2003 CERN, Geneva Tom Kelly ctk21@cam.ac.uk CERN and Laboratory for Communication Engineering University of Cambridge Scalable TCP: Improving Performance in

769 views • 14 slides
Performance Eric McCreath Increasing Word Size A simple way of improving performance is to

Performance Eric McCreath Increasing Word Size A simple way of improving performance is to

Performance Eric McCreath Increasing Word Size A simple way of improving performance is to increase the data word size. This means that each instruction operates on a larger amount of data. This will involve more gates within the CPU. Also it

429 views • 9 slides
Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast

Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast

Iteratively Improving Spark Application Performance William C. Benton Red Hat, Inc. Forecast Background: Spark, RDDs, and Sparks execution model Case study overview Improving our prototype Background Apache Spark Introduced

1.5k views • 128 slides
Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons

Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons

Coordina(ng the Use of GPU and CPU for Improving Performance of Compute Intensive Applica(ons George Teodoro 1 , Rafael Sache&gt;o 1 , Olcay Sertel 2 , Me(n Gurcan 2 , Wagner Meira Jr. 1 , Umit Catalyurek 2 , Renato Ferreira 1 1. Federal

601 views • 23 slides
Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance

Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance

Is A 50,000 litre Lifetime Performance Herd Average A Reality? Aidan Cushnahan Benefits of Improving Lifetime Performance Reductions in replacement rate Reductions in environmental pressures Improvements in public perception of the

550 views • 24 slides
Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia

Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia

Improving the performance of the qcow2 format KVM Forum 2017 Alberto Garcia &lt;berto@igalia.com&gt; Improving the performance of the qcow2 format Introduction to the qcow2 format Improving the performance of the qcow2 format KVM Forum 2017

640 views • 39 slides
Improving the Performance of IPOP Research Project 2 Supervisors:

Improving the Performance of IPOP Research Project 2 Supervisors:

University of Amsterdam System and Network Engineering Improving the Performance of IPOP Research Project 2 Supervisors: Ana Oprescu Dragos Lauren,u Barosan

288 views • 15 slides
Improving the Performance of the FDR Procedure Using an Estimator for the Number of True Null

Improving the Performance of the FDR Procedure Using an Estimator for the Number of True Null

Improving the Performance of the FDR Procedure Using an Estimator for the Number of True Null Hypotheses Amit Zeisel, Or Zuk, Eytan Domany W.I.S. June 15, 2009 Amit Zeisel, Or Zuk, Eytan Domany (W.I.S.)Improving the Performance of the FDR

506 views • 17 slides
Improving tracking performance by learning from past data Angela P. Schoellig Doctoral examina

Improving tracking performance by learning from past data Angela P. Schoellig Doctoral examina

Improving tracking performance by learning from past data Angela P. Schoellig Doctoral examina on July 30, 2012 Advisor: Prof. Raffaello DAndrea // Co advisor: Prof. Andrew Alleyne 1 Improving tracking performance by learning from

713 views • 45 slides
Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic Jansma njansma@akamai.com @nicj Why are we here today? Boomerang: an open-source Real User Monitoring (RUM) third-party library

647 views • 41 slides
Session Slides: Improving Web Performance with Dynamic Compression by Slava Bizyayev

Session Slides: Improving Web Performance with Dynamic Compression by Slava Bizyayev

Session Slides: Improving Web Performance with Dynamic Compression by Slava Bizyayev &lt;slava@apache.org&gt; ApacheCon US 2005 Wednesday, December 14 2005 San Diego, CA Session Slides: Improving Web Performance with Dynamic Compression Slide

874 views • 49 slides
Making better decisions and improving Making better decisions and improving performance

Making better decisions and improving Making better decisions and improving performance

IAgrE Conference 6 November 2018 IAgrE Conference 6 November 2018 Making better decisions and improving Making better decisions and improving performance performance Susannah Bolton Susannah Bolton Challenge and changes Farmer

511 views • 24 slides
Improving the Performance of Consistency Algorithms by Localizing and Bolstering Propagation in a

Improving the Performance of Consistency Algorithms by Localizing and Bolstering Propagation in a

Improving the Performance of Consistency Algorithms by Localizing and Bolstering Propagation in a Tree Decomposition Shant Karakashian, Robert Woodward &amp; Berthe Y. Choueiry Constraint Systems Laboratory University of Nebraska-Lincoln

261 views • 14 slides
. Improving the Performance of Introduction (1) Interactive TCP Applications using Service

. Improving the Performance of Introduction (1) Interactive TCP Applications using Service

. Improving the Performance of Introduction (1) Interactive TCP Applications using Service Differentiation Everyone has experience with bad delays Interactive apps (audioconference, telnet, W. Noureddine and F. Tobagi games) need

318 views • 6 slides

More recommend