Overview of Modern Web Architectures, Standards, Security, and Future Directions

Overview of Modern Web Architectures,
Standards, Security, and Future Directions
Dr. Mohammad Iqbal
(Thanks to Zhenhua Guo, 2009)
1
Outline



Web App Case Study
Modern Web Characteristics
Modern Web Architecture : OpenSocial



Architecture
Components
Security




Background
Authorization
Out of Scope: Authentication
Future Directions
2
Modern Web App
Case Study : Facebook
Your current status

Friends
photos
Facebook


More than 200 million active users
Activities of
MS paid $240 million foryour
1.6friends
percent
Video
Comment, Rate
Aggregation
with Picasa
groups
Chat
More apps!
3
Previous Web App
Case Study : Yahoo! Directory
Provider-defined directory
4
Examples of two “versions” of web apps
1995-2005 Web
2005-Present Web
Britannica Online
Wikipedia
Akamai
BitTorrent
Directories
(Taxonomy)
Tagging
(Folksonomy)
Tightly coupled apps
App Mashup/Integration
Home page
Blog
5
Web 2.0


“Second generation of web development and web
design”
Web 2.0 vs. Web 1.0

Technical point of view



Similar technologies as Web 1.0: HTML, Javascript, XML, HTTP, etc.
Web2.0 makes the web programmable
User’s point of view

Read-write collaborative web


Participatory nature


Blogging, commenting, rating
Cooperate, not control


Sharing, creation of data
Facebook interoperates with Google Picasa, Yahoo! Flickr,
Blogs, etc
User centric

Web is a platform. Users add content (“value”)
6
Web 2.0
Enterprise Approach
Web 2.0 Approach
Portlets
Gadgets, Widgets
SOAP
RSS, Atom, JSON
WSDL
REST(GET, PUT, POST ,DELETE)
Workflow managers
Mash-ups (e.g. Yahoo Pipes)
Server side integration Client-side integration (AJAX)
Gateways

Debate (Buzzword vs. Real progress) is going on, but it
has begun to coalesce.



User-centric social network portals
“Web 2.0 Architectures: What entrepreneurs and information architects
need to know”
OpenSocial: case study that illustrates or motivates several Web 2.0
topics of discussion.
We will use Open Social to illustrate Web 2.0 architecture
7
OpenSocial

A coherent open architecture designed for
social network services and applications.

Common APIs across many websites




REST/RPC protocols – for server-to-server interactions
Javascript APIs – for browser-to-server interactions
Authorization mechanism, Data model …
Usage

Supported by MySpace, Google Orkut, Twitter,
LinkedIn, XiaoNei…


Internationalization
Rival: Facebook
8
Open Social Javascript API Example
Data
Model
Fetch profile
information
of owner
JavaScript
API
example
AJAX!!!
Person: ID, NAME, NICKNAME, ADDRESSES, EMAILS,
STATUS, MOVIES, MUSIC,FOOD …
Activity: TITLE, URL, BODY, PRIORITY …
// Creates a data request object to use for
// sending and fetching data from the server.
var req = opensocial.newDataRequest();
// Adds an item to fetch data from the server
req.add(req.newFetchPersonRequest('OWNER'), “owner”);
// Sends a data request to the server
req.send(function(data) {
owner = dataResponse.get("owner").getData();
});
9
Open Social Message Examples
Request (HTTP POST)
157 Bytes
[{"method" :"people.get",
"params" :{
"userId" : ["@owner"],
How about the corresponding
"groupId" : "@self",
representation in XML???
"id"
: "owner",
"fields" :
["id","name", "thumbnailUrl", "profileUrl", "id", "displayName"]}}]
JSON
[{"id"
:"owner",
"data" :{
"displayName" :
"profileUrl" :
"id"
:
"thumbnailUrl":
"name"
:
...... }}]
Response
"Guo Zhenhua"
"/Main#Profile.aspx?uid=3672642670645936703,
"06881043280087178653",
"http://www.orkut.com/img/i_nophoto64.gif",
{ "familyName":"Zhenhua", "givenName":"Guo" },
10
Request message
represented in XML
<request>
<method>people.get</method>
<params>
<userId>
<id>@owner</id>
</userID>
<groupId>@self</groupId>
<id>owner</id>
<fields>
<field>id</field>
<field>name</field>
<field>thumbnailUrl</field>
<field>profileUrl</field>
<field>id</field>
<field>displayName</field>
</fields>
<params>
281 Bytes
</request>
JSON






Lightweight, Simple
Can represent basic data structures
(number, string, boolean, object, array)
Textual human-readable
Easy to generate and manipulate
Not extensible, No namespace
Hard to represent complex data structures
 References
 User-defined type
XML





Extensible
Support namespace
Support representation of complex
data structures.
Heavyweight
Slow and verbose
OpenSocial - Architecture
Components





Interface –
REST, Javascript APIs
Client – Ajax, Gadget
Message Format –
JSON, XML
Security - OAuth
Data Model
Logic level
12
OpenSocial Interface – REST
REST – REpresentational State Transfer
 Based on HTTP (client/server + stateless server)
 Resource-oriented (resource can be anything)
 Each resource is identified by a unique URL
 State transition (Link resources together)
 Resources have multiple representations (JSON,XML)
 Uniform interfaces
GET
How to access top ten Twitter topics?
Read
resource
verb
POST
Create
PUT
Update
GET http://search.twitter.com/trends.json
DELETE
Delete
Returns the top ten topics
that are currently trending on Twitter.
* CRUD – Create, Read, Update, Delete
13
Analysis of REST

Treat the web as a big database of resources


Constraint



Good for CRUD operations
Stateless
HTTP (request-response)
Beyond REST

Stateful applications



Streaming Applications
Workflow Execution
Push-Based systems

Pub-Sub systems
14
REST Alternative

SOAP-based WS

SOAP
Message format

UDDI
1
2
3
Service Registration

WSDL
Service description interface
4
Publish – Bind – Find


About 60 core ws-* protocols
Designed for server-server interactions


SOAP and WSDL are really complicated
Browser-based apps are second-class
citizens.
15
AJAX
OpenSocial Client Tech – AJAX

Rationale
Update sections without refreshing the whole page
 More interactive
 More responsive
 Requires less bandwidth

Asynchronous JavaScript and XML





HTML + CSS  Presentation
DOM  Document model (for dynamic manipulation)
XMLHttpRequest  Asynchronous Communication
JSON/XML  Data exchange format
Javascript  Bring these together
17
Data
Model
OpenSocial - Data Model

Define data models for basic objects in social
network




Relationships between objects can not be
represented.



Person
Activity
AppData
Friend of a Friend (FOAF) – Based on W3C RDF
XHTML Friends Network (XFN)
Other possible issues




Groups, roles, communities
Strength of relationships
Relationships in which more than two objects are involved
Scalability (in terms of number of friends)
19
Security in OpenSocial
20
Beyond Functionalities - Security

Identity



“On the internet, nobody knows you're a dog”
Claimed Identity ≠ Real Identity
Data protection


Who can access your Facebook data?
Increasing risk of identity theft and impersonation.




Cartoon by Peter Steiner.
The New Yorker, July 5, 1993 issue
(Vol.69 (LXIX) no. 20) page 61
Favorite color, mother’s maiden name, …
“Friends” and applications have access to this
“Predicting Social Security numbers from public data”
Communication links
Messages are passed by intermediary machines
 Intermediaries understand your messages?
 Intermediaries alter your messages?
 Intermediaries forge your messages?
21
Security Requirements (in Web)

Connection level





SSL/TLS
System Implementation level




Confidentiality
Integrity
Non-repudiation
Prevention of replay attack
Redirect
Session stealing (cookie)
Cross-site scripting, Cross-site request forgery
Securer programs +
User education
Architecture level

Authentication


Single Sign-On
Authorization

Delegation
22
Challenges

Technical Challenges





Loosely coupled components
No single, isolated trusted base
Domain-specific policies
Separation of security policies and security mechanisms.
Possible solutions

Authentication




Central Authentication Service
Cosign
OpenID
Authorization


Shibboleth
OAuth
23
OpenSocial Authorization – OAuth

Motivation


Solution





Delegated authorization protocol
Light-weight
Explicit user consent
Based on REST
3rd-party App
Twitter
Drawbacks




To allow third party apps to access users’ data stored at service
provider without requiring username and password.
Vulnerable to session fixation attack (http://oauth.net/advisories/2009-1)
Delegation granularity (Service provider-specific)
Access token expiration and revocation
Resources

http://oauth.net/
24
Authentication


OpenSocial does not define authentication mechanism.
Different accounts for different service providers



Twitter, Facebook, Myspace, Orkut, Hi5 …
Same data everywhere
Account linking
Linking Disparate Account IDs Across Multiple Systems or Applications
Identity
Federation
Web
Server
Identification
Provider
Web
Server
Web
Server
=>
Identity portability
N
W
Web
Server
E
S
Trust
Relationship
Web
Server
Identification
Provider
Web
Server
25
Authentication – OpenID

Motivation


Provide lightweight authentication service across domains
Solution
Users are asked to prove ownership of their OpenID identifiers.
 OpenID identifiers are URLs (e.g. http://zhenhua-guo.blogspot.com).
 Service provider and identity provider are clearly separated.
 Authentication delegation (service provider → identity provider)

Advantages





Drawbacks


Cross-domain authentication
Attribute exchange beyond authentication
Single Sign-On
Easy OpenID provider switch
Phishing attack
Resources

http://fcom.us.es/blogs/nuevafcom/files/2008/09/openid-1.jpg
Supported by Facebook, Verisign, Sourceforge, Yahoo, etc.
26
OAuth and OpenID




Based on relaxed REST
Use SSL/TLS to guarantee confidentiality,
integrity and non-repudiation.
Scalability
Vulnerable to



Phishing
Cross-site scripting
Cross-site request forgery
27
Conclusions



Adoption of web 2.0
Services, not packaged software
Open Architecture and Open Standards





Interoperability
Flexibility
Integration
Security
Adoption in scientific communities

Traditional gateways


LEAD, Earth System Grid
Gateways that integrate web 2.0 technologies



myExperiment, SciVee, Sakai
Open Life Science Gateway
PolarGrid Portal
Research Opportunities

Social network in scientific communities


Data Integration




Manual integration
Unified specification
Adaptive integration
Security model


Collaboration and Cooperation
Open, Flexible, Scalable, …
Data Mining

Tag, Comment, Email, Blog, …
29
Future Directions

Semantic Web (Web 3.0?)


Machine-readable representations of resources and
relationships
Artificial Intelligence, Data Mining

Search Engine


Recommendation System


Scaling
Question Answering


Information search
Information retrieval
Social Network Analysis


Flow pattern recognition
Strength of connections
30
My Research

Gadget Layout Management

OAuth implementation



Implement 2-legged OAuth
Integrate 3-legged OAuth
PolarGrid Portal
Zhenhua Guo, Raminderjeet Singh, Marlon Pierce
Building the PolarGrid Portal Using Web 2.0 and
OpenSocial. GCE09 Grid Computing Environments
33
2009 workshop at SC09
Reference
Papers

Distributed Systems

Hongbin Liu, Shrideep Pallickara, Geoffrey Fox. Performance of Web Services Security.
Proceedings of the 13th Mardi Gras Conference, 2005

Satoshi Shirasuna, Aleksander Slominski, Liang Fang, Dennis Gannon. Performance
comparison of security mechanisms for grid services. Proceedings of the Fifth IEEE/ACM
International Workshop on Grid Computing, 2004

Shrideep Pallickara, Marlon E. Pierce, Harshawardhan Gadgil, Geoffrey Fox,
Yan Yan, Yi Huang. A Framework for Secure End-to-End Delivery of Messages in
Publish/Subscribe Systems. The 7th IEEE/ACM International Conference on Grid
Computing, 2006

Cesare Pautasso, Olaf Zimmermann, and Frank Leymann. Restful web services vs. "big"'
web services: making the right architectural decision. Proceeding of the 17th international
Conference on World Wide Web, 2008

Michael zur Muehlen, Jeffrey V. Nickerson and Keith D. Swenson . Developing web
services choreography standards—the case of REST vs. SOAP.
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8S-4CF5FWK1&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId
=1058155249&_rerunOrigin=scholar.google&_acct=C000050221&_version=1&_urlVersion
=0&_userid=10&md5=e9c0b58f44e71de372ea92e94b34f385
Reference (cont.)

Authentication

Clifford Neuman, Theodore Ts'o. Kerberos: An Authentication Service for Computer
Networks. IEEE Communications, 1994

John Kohl, B. Clifford Neuman, Theodore T'so. The Evolution of the Kerberos
Authentication System. In Distributed Open Systems, pages 78-94. IEEE Computer
Society Press, 1994

David Recordon , Drummond Reed. OpenID 2.0: a platform for user-centric identity
management. Proceedings of the second ACM workshop on Digital identity management,
2006

Drummond Reed, Les Chasen, William Tan. OpenID identity discovery with XRI and
XRDS. IDtrust, ACM International Conference Proceeding Series, Vol. 283, pp. 19-25,
ACM, 2008
35
Reference (cont.)

Authorization

David Chadwick, Alexander Otenko. The PERMIS X.509 role based privilege management
infrastructure. Future Generation Computer Systems, 19(2), pp. 277-289, 2003

David Chadwick, Gansen Zhao, Sassa Otenko, Romain Laborde, Linying Su,
Tuan-Anh Nguyen. PERMIS: a modular authorization infrastructure. Concurrency and
Computation: Practice and Experience, 20(11), pp. 1341-1357, 2008

Von Welch, Frank Siebenlist, Ian Foster, John Bresnahan, Karl Czajkowski, Jarek Gawor,
Carl Kesselman, Sam Meder, Laura Pearlman, Steven Tuecke. Security for Grid Services.
Twelfth International Symposium on High Performance Distributed Computing, IEEE
Press, 2003

Ian Foster, Carl Kesselman, Gene Tsudik, Steven Tuecke. A Security Architecture for
Computational Grids. ACM Conference on Computers and Security, pp. 83-91, ACM
Press, 1998

Mary Thompson, William Johnston, Srilekha Mudumbai, Gary Hoo, Keith Jackson,
Abdelilah Essiari. Certificate-based Access Control for Widely Distributed Resources.
Proceedings of the 8th USENIX Security Symposium (SECURITY-99), pp. 215-228,
Usenix Association, 1999

Anirban Chakrabarti, Anish Damodaran, Subhasis Sengupta. Grid Computing Security: A
Taxonomy. IEEE Security & Privacy, 6(1), pp. 44-51, 2008

Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch,
Rachana Ananthakrishnan, Bill Baker, Monte Goode, Kate Keahey.Identity federation and
attribute-based authorization through the globus toolkit, Shibboleth, GridShib, and
MyProxy. 5th Annual PKI R&D Workshop, 2006
Reference (cont.)







Ralf Groeper, Christian Grimm, Stefan Piger, Jan Wiebelitz. An Architecture for
Authorization in Grids using Shibboleth and VOMS. Euromicro Conference-Software
Engineering and Advanced Applications, pp. 367-374, IEEE Computer Society, 2007
Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist. Attributes, anonymity, and
access-shibboleth and globus integration to facilitate grid collaboration. 4th Annual PKI
R&D Workshop, 2005
Laura Pearlman, Von Welch, Ian T. Foster, Carl Kesselman, Steven Tuecke. A Community
Authorization Service for Group Collaboration. POLICY, pp. 50-59, IEEE Computer
Society, 2002
Roberto Alfieri, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, Ákos Frohner,
Alberto Gianoli, Károly Lörentey, Fabio Spataro. VOMS, an Authorization System for
Virtual Organizations. European Across Grids Conference, Lecture Notes in Computer
Science, Vol. 2970, pp. 33-40
Springer, 2003
Laura Pearlman, Von Welch, Ian T. Foster, Carl Kesselman, Steven Tuecke. A community
authorization service for group collaboration. Proceedings of the 3rd IEEE International
Workshop on Policies, 2002
Laura Pearlman, Von Welch, Ian Foster, Carl Kesselman, Steven Tuecke. The community
authorization service: Status and future. Proceedings of Computing in High Energy
Physics, 2003
Reference (cont.)






Justin Binns, Jonathan DiCarlo, Joseph Insley, Ti Leggett, Cory Lueninghoener, John-Paul
Navarro, Michael Papka. Enabling community access to TeraGrid visualization resources.
Concurrency and Computation: Practice and Experience, 19(6), pp. 783-794, 2007
Jim Basney, Marty Humphrey, Von Welch. The MyProxy online credential repository.
Software: Practice and Experience, 2005
Jason Novotny, Steven Tuecke, Von Welch. An online credential repository for the grid:
MyProxy. High Performance Distributed Computing, 2001. Proceedings. 10th IEEE
International Symposium
Andreas Pashalidis, Chris Mitchell. A Taxonomy of Single Sign-On Systems. Information
Security and Privacy: Australasian Conference, 2003
Thomas Groß. Security Analysis of the SAML Single Sign-on Browser/Artifact Profile.
Annual Computer Security Applications Conference, pp. 298-307, IEEE Computer Society,
2003
Minor (Artificial Intelligence) Related

Patrick Kelley, Paul Drielsma, Norman Sadeh, Lorrie Faith Cranor. User-controllable
learning of security and privacy policies. Proceedings of the 1st ACM workshop on
Workshop on AISec, pp. 11-18, ACM, 2008

Guang Xiang, Ge Yu, Xiangli Qu, Xiaomei Dong, Lina Wang. A Hybrid Machine
Learning/Statistical Model of Grid Security. Grid and Cooperative Computing, Lecture
Notes in Computer Science, Vol. 3251, pp. 348-355, Springer, 2004
Reference (cont.)

Specifications

Shibboleth Architecture - Protocols and Profiles

Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)

Security Assertion Markup Language(SAML) V2.0 Technical Overview

Security and Privacy Considerations for the OASIS Security Assertion Markup
Language(SAML) V2.0

XML Encryption Syntax and Processing

An Internet Attribute Certificate Profile for Authorization (RFC 3281)

Technical Comparison: OpenID and SAML - Draft 06

OpenID (http://openid.net/developers/specs/)

OAuth 1.0(http://oauth.net/core/1.0/)

Central Authentication Service (http://www.jasig.org/cas/protocol)
Questions?