S90.20 無料問題集「SOA Security Lab」

（A）When Service A detects that a service consumer with public access permissions has submitted an ID value that already exists within a private database record, it stores the service consumer's ID value in a temporary database and returns a response message indicating that the update was successful. A notification message is then sent to a human database administrator who manually contacts the owner of the service consumer in order to explain that the ID value submitted cannot be accepted because it already exists within a private database record.

（B）The database rules are changed so that the ID value of database records no longer needs to be unique. As a further precaution, the Service A logic is changed to disallow the update of private database records by service consumers with only public access permissions.

（C）The Exception Shielding pattern is applied to replace the error description text before a response message is returned to the service consumer. Furthermore, the ID value of all database records is appended with a code indicating whether the database record is private or public

（D）Each record in Database A is classified as either private or public. After Service A is invoked by a service consumer (1), it authenticates the request message using an identity store and retrieves the corresponding authorization (2, 3). Once authorized, the service consumer's request is submitted to Database A (4), which then returns the requested data (5) If the service consumer has private access permissions, all of the returned data is included in Service A's response message (6). If the service consumer has public access permissions, then Service A first filters the data in order to remove all unauthorized private data records before sending to the response message to the service consumer (6).

In addition to retrieving data, Service A's data access capability can be used to update database records. An investigation recently revealed an information leakage problem that can occur when service consumers with public access permissions attempt to update the ID value of a database record The ID values of all database records (private or public) must be unique. When a service consumer with public access permissions updates a public database record with an ID value that is already assigned to a private database record, the database returns an error message describing this conflict. This error text reveals confidential information by stating that the ID value submitted by the service consumer with public access permissions already exists within a private database record.
What steps can be taken to avoid this problem while preserving the requirement that all database records (private and public) have unique ID values?

（E）The service consumer's request message containing the ID value can be encrypted by inserting the private key of the service consumer into the data. Because all service consumers have different private keys, this approach will lead to different encrypted values, even if the plain text ID values are the same. As a result, two data items with the same encrypted unique identifier cannot exist.

（A）Apply the Standardized Service Contract principle in order to remove redundancy within service contracts by ensuring that all four service contracts comply with the same policy standards. This further requires the application of the Service Abstraction principle to guarantee that policy definitions are sufficiently streamlined for performance reasons.

（B）Apply the Policy Centralization pattern in order to establish a single security policy for the entire service composition. The redundant policies residing in the service contracts of Services A.
B, C and D need to be removed and grouped together into one master policy definition enforced by Service A.
This way, redundant policy validation is eliminated, thereby improving runtime performance.

（C）All policies are analyzed for similarities, which are then extracted and, by applying the Policy Centralization pattern, combined into a single policy definition. This "meta-policy" is then positioned to perform validation of the response message generated by Service A, prior to receipt by Service Consumer A.
If validation fails, an alternative error message is sent to Service Consumer A instead.

（D）Apply the Policy Centralization pattern in order to establish two centralized policy definitions and ensure that policy enforcement logic is correspondingly centralized. The first policy definition includes the redundant security policies from Services A and D and the second policy definition contains the redundant security policies from Services B and C.

（A）Apply the Data Origin Authentication and the Data Confidentiality patterns to ensure that request and response messages exchanged between Service A and Services B.
C, and D are digitally signed and encrypted. This guarantees message integrity and confidentiality.

（B）Apply the Brokered Authentication pattern to send the security credentials of Service Consumer A to Services B, C, and D.
Service A can carry out the brokered authentication logic and therefore act as the intermediary security broker. Upon receiving Service Consumer A's request message, Service A can further verify the credentials against an external certificate authority, if the request is authenticated. Service A can create a signed SAML assertion containing Service Consumer A's credentials and the authorization information. Service A then forwards the original request message and the signed SAML assertion to Services B, C, and D.

（C）Apply the Data Origin Authentication pattern to verily that request and response messages exchanged by Service Consumer A and Service A and exchanged by Service A and Services B, C, and D originated from the claimed sources and have not been altered prior to transmission. Also, enhance the Service A architecture so that all messages sent to its service consumers are logged.

（D）The service contract of Service A can be extended with an ignorable WS-Policy assertion that states that all request and response messages are logged by Service A and that false complaints will be prosecuted.