Securing Web Services: Practical Usage of Standards and Specifications

Book Description

"Web services are a business-driven technology, as they have arisen from a need for on-demand services and just-in-time integration to enable the rapid exploitation of market opportunities. Security challenges have accelerated alongside the rapid advances in this domain.

The security requirement standards address a number of security and dependability issues. Securing Web Services: Practical Usage of Standards and Specifications collects a complete set of studies that address the security and dependability challenges of Web services and the development of protocols to meet those challenges. Encompassing a complete range of topics including specifications for message level security, transactions, and identity management, this Premier Reference Source enables libraries to provide researchers with an authoritative guide to one of the most challenging technological topics of our time."

Table of Contents

  1. Copyright
  2. Foreword
  3. Preface
  4. Acknowledgment
  5. About the Editor
  6. About the Author of the Foreword
  7. I. Security in Service-Oriented Architecture: Issues, Standards, and Implementations
    1. ABSTRACT
    2. INTRODUCTION
    3. BACKGROUND
      1. Security Solution Mechanisms in Online Systems
      2. Service-Oriented Architecture
    4. SECURITY REQUIREMENTS IN SOA IMPLEMENTATIONS
      1. Online Security Requirements As Mapped to SOA
      2. Additional Security Requirements for SOA
    5. SECURITY STANDARDS AND SOLUTIONS FOR SOA
      1. Web Services Security Standards
      2. Current Web Services Security Implementations
      3. Security Solutions in Other SOA Implementations
    6. FUTURE TRENDS
      1. Standards Convergence and Maturity
      2. Standards Compliance for Security Products
      3. Federated Identity
      4. XML-Based PKI
      5. New Generation Security Products
      6. Component Security Models
    7. CONCLUSION
    8. REFERENCES
    9. SOURCE CODE LISTINGS
  8. II. A Retrospective on the Development of Web Service Specifications
    1. ABSTRACT
    2. INTRODUCTION
    3. SOME OBSERVATIONS ABOUT WS-* SPECIFICATIONS
    4. WS-ADDRESSING
    5. PROCESSING THE XML SCHEMAS
      1. WSRM, WSR, and WSE
      2. The Base Framework for Implementing the Specifications
      3. The WSRM & WSR Specifications
      4. WSRM Implementation
      5. WS-Eventing
      6. WSE Implementation
    6. MANAGEMENT WITHIN DISTRIBUTED SYSTEMS
    7. IMPLEMENTATION OF WS-MANAGEMENT
    8. LEVERAGED SPECIFICATIONS
      1. Implementation
      2. Processing Messages
      3. WS-Transfer
      4. WS Enumeration
    9. LOOKING AHEAD
    10. EXTENDING THE WS-CONTEXT SPECIFICATION
    11. EXTENDING THE UDDI SPECIFICATION
    12. WEB SERVICES AND MOBILE DEVICES
    13. DEPLOYMENT RELATED ISSUES WITHIN AXIS
      1. Message Initiation
      2. Other Request-Response-Based Problems
      3. Ability to Terminate Processing Related to Message within a Handler Chain
      4. Handlers Cannot Inject Messages
      5. Static Handler Chains
      6. Solutions to Some of the Problems
    14. USE CASES FOR VARIOUS SPECIFICATIONS
      1. WSE, WSRM, and WSR
      2. WSE, WS-Management, WS-Transfer
      3. Extended UDDI and Hybrid WS-Context
      4. The Workflow Session Metadata Manager
      5. The Metadata Catalog Service
      6. The Context-Store for High Performance SOAP
    15. CONCLUSION
    16. REFERENCES
    17. ENDNOTE
  9. III. Secure Web Service Composition: Issues and Architectures
    1. ABSTRACT
    2. INTRODUCTION
    3. SECURITY REQUIREMENTS OF WEB SERVICE COMPOSITION
    4. LITERATURE REVIEW
    5. STANDARDS FOR WEB SERVICE COMPOSITION
      1. Syntactic-Based Standards
      2. Semantic-Based Standards
    6. SECURE WS-BROKER: AN APPROACH TO SECURE CONSCIOUS COMPOSITION
      1. Security Information
      2. Security Matchmaker
      3. An Illustrative Example
    7. CONCLUSION AND RESEARCH ISSUES
    8. REFERENCES
  10. IV. High-Value B2B Interactions, Nonrepudiation, and Web Services
    1. ABSTRACT
    2. INTRODUCTION
    3. BACKGROUND
      1. Nonrepudiation and Fairness
      2. The FIDES Research Project Fair Exchange Service
      3. Typical Commercial Approach
      4. Summary
    4. PROTOCOLS FOR NONREPUDIABLE AND VALIDATED BUSINESS MESSAGE DELIVERY
      1. An Example Application Scenario
      2. Protocol Assumptions and Notation
      3. Voluntary Nonrepudiable Exchange
      4. Fair Nonrepudiable Exchange
        1. Fair Exchange with Inline TTP
        2. Timely Termination of Exchange
        3. Modifications for Lightweight Endpoints
        4. Extension for Payload Validation
        5. Optimistic Fair Exchange with Off-Line TTP
      5. Summary and Evaluation
    5. WEB SERVICES PROTOCOL EXECUTION FRAMEWORK
      1. Overview of Web Services and Supporting Standards
        1. Limitations of the XML Signature Standard
      2. WS-NRExchange Interaction
        1. Generic NRExchange Interface and Message Schema
        2. Forward and Backward References to Messages
        3. Protocol Message Handling
        4. Validation Listeners
      3. Summary
    6. CONCLUSION
    7. REFERENCES
  11. V. Dynamic Delegation of Authority in Web Services
    1. ABSTRACT
    2. INTRODUCTION
    3. BACKGROUND
    4. REQUIREMENTS FOR WEB SERVICES DELEGATION OF AUTHORITY
    5. THE HIERARCHICAL RBAC/ABAC MODEL
      1. Applying ABAC to Distributed Web Services
    6. A WEB SERVICES-BASED DELEGATION OF AUTHORITY ARCHITECTURE
      1. The Advantages of a DOA Web Service
      2. Revocation of Authority
    7. THE DELEGATION POLICY
    8. IMPLEMENTING A PRACTICAL DOA WEB SERVICE
      1. Delegation Policy Enforcement
      2. Client Access
    9. CONCLUSION AND FUTURE TRENDS
      1. Comparison with Other Work
      2. Future Work
    10. ACKNOWLEDGMENT
    11. REFERENCES
  12. VI. A Policy-Based Authorization Framework for Web Services: Integrating X-GTRBAC and WS-Policy
    1. ABSTRACT
    2. INTRODUCTION
    3. CONTRIBUTIONS AND ORGANIZATION
    4. RELATED WORK
    5. BACKGROUND
      1. X-GTRBAC
      2. WS-Policy
      3. WS-Policy Attachment
    6. WS-POLICY PROFILE OF X-GTRBAC
      1. Problem Space
      2. Integration Issues
        1. Constraint Representation
        2. Assignment Policy
        3. Constraint Interpretation
        4. Permission Nature
        5. Computing Effective Service Access Policies
        6. Algorithm and Termination Proof
    7. ARCHITECTURE/IMPLEMENTATION
      1. Software Architecture
        1. Architecture Components
        2. Policy Repository
        3. Component Interactions
      2. Implementation
    8. CONCLUSION
    9. REFERENCES
    10. APPENDIX A
  13. VII. Description of Policies Enriched by Semantics for Security Management
    1. ABSTRACT
    2. INTRODUCTION
    3. BACKGROUND AND RELATED WORK
      1. Policy-Based Management: A Brief Overview
        1. Introduction
        2. Requirements of a Policy Language and Policy Framework
      2. Introduction to Formal Representation Techniques
        1. The Concept of Ontology
        2. The Role of Formal Logics in Semantic Web Technologies
        3. Languages for Ontology Representation
      3. A Case Study
      4. Non-Semantic Security Policy Languages
        1. Ponder
        2. XACML
    4. DISCUSSION
      1. Semantic Policy Languages and Frameworks for Managing System Security
        1. KAoS
        2. RuleML
        3. SWRL
        4. Rei
      2. Comparative Analysis Between Semantic and Non-Semantic Security Policy Languages
      3. Comparative Analysis of the Semantic Policy Languages Described
    5. CONCLUSION AND FUTURE WORK
    6. ACKNOWLEDGMENT
    7. REFERENCES
  14. VIII. Using SAML and XACML for Web Service Security and Privacy
    1. ABSTRACT
    2. INTRODUCTION
    3. ACCESS CONTROL AND SINGLE SIGN-ON
    4. EXTENSIBLE ACCESS MARKUP LANGUAGE (XACML)
      1. XACML Processing Environment
      2. XACML Model
      3. XACML Context
    5. XACML PROFILE FOR WEB SERVICES
    6. SAML 2.0 PROFILE OF XACML V2.0
    7. CORE AND HIERARCHICAL ROLE-BASED ACCESS CONTROL (RBAC) PROFILE OF XACML V2.0
    8. WEB SERVICE SECURITY SAML TOKEN PROFILE
      1. Holder-of-Key
      2. Sender Vouches
      3. Bearer
    9. EXAMPLE: IHE RETRIEVE INFORMATION FOR DISPLAY (RID) WEB SERVICE
      1. Scenario
      2. XACML RBAC Policy over RID Web Service
      3. User Authentication with SAML
      4. XACML Request
      5. XACML Response
    10. REFERENCES
    11. ENDNOTE
    12. APPENDIX A: WSDL OF RID WEB SERVICE
  15. IX. Protecting ASP.NET Web Services
    1. ABSTRACT
    2. INTRODUCTION
    3. ARCHITECTURE OVERVIEW
    4. REQUIREMENTS
    5. THE ARCHITECTURE
    6. AUTHENTICATION
    7. AUTHORIZATION
    8. PERMISSION CONSTRUCTION
    9. REPLACEABLE PARTS
    10. CONFIGURATION
    11. EXAMPLES
      1. Example 1: University Course Web Service
        1. Policy 1:
        2. Configuration 1:
      2. Example 2: Human Resource Web Service for an International Organization
        1. Policy 2:
        2. Configuration 2:
    12. SUMMARY OF REFLECTIONS: LESSONS LEARNED
      1. General Remarks
      2. Specific to ASP.NET
    13. SUMMARY
    14. REFERENCES
    15. APPENDIX A. OVERVIEW OF RESOURCE ACCESS DECISION ARCHITECTURE
    16. APPENDIX B. OVERVIEW OF ATTRIBUTE FUNCTION ARCHITECTURE
  16. X. Building Innovative, Secure, and Interoperable E-Government Services
    1. ABSTRACT
    2. INTRODUCTION
    3. GENERIC E-GOVERNMENT REQUIREMENTS AND ARCHITECTURE
      1. E-Government Requirements
      2. A Generic Secure E-Government Architecture
    4. THREE INNOVATIVE SECURE AND INTEROPERABLE E-GOVERNMENT SERVICES
      1. Issuance and Distribution of E-Certification Documents
        1. Description and Purpose
        2. Additional/Specific Service Requirements
        3. Main Service Components
        4. Entities and Actors
        5. Functional and Operational Description
      2. Electronic Invoicing
        1. Description and Purpose
        2. Additional/Specific Service Requirements
        3. Main Service Components
        4. Entities and Actors
        5. Functional and Operational Description
      3. A. E-Invoice Issuance Phase
      4. B. E-Invoice Dispatching and Receipt Phase
      5. C. E-Invoice Storage Phase
      6. Electronic Ticketing
        1. Description and Purpose
        2. Additional Requirements
        3. Main Service Components
        4. Entities and Actors
        5. Functional and Operational Description
    5. CONCLUSION
    6. ACKNOWLEDGMENT
    7. REFERENCES
  17. XI. Grid Business Process: Case Study
    1. ABSTRACT
    2. GRID SPECIFICATIONS AND STANDARDS
      1. Web Services Addressing
        1. Endpoint Reference (EPR)
        2. Message Addressing Properties
      2. Web Service Resource Framework (WS-RF)
      3. WS-ResourceProperties (WS-ResourceProperties, 2006)
      4. WS-ResourceLifetime (WS-ResourceLifetime, 2006)
      5. WS-ServiceGroup (WS-ServiceGroup, 2006)
      6. WS-BaseFaults (WS-BaseFaults, 2006)
        1. Use of Base Faults in WSDL 1.1
      7. Web Services-Notification
      8. WS-BaseNotification (WS-BaseNotification, 2006)
      9. WS-Topics (WS-Topics, 2006)
        1. Topics and Topic Namespaces
        2. Topic Expression Dialects
        3. Topic Set
      10. WS-BrokeredNotification (WS-BrokeredNotification, 2006)
      11. Web Service Resource
      12. Implied Resource Pattern
        1. Factory/Instance Pair Pattern
        2. Factory/Instance Collection Pattern
        3. Master-Slave Pattern
        4. Hybrid Approach
      13. Notification Pattern
        1. Client as Notification Consumer
        2. Service as Notification Consumer
        3. Resource as Notification Consumer
    3. TRADING SCENARIO
    4. EXECUTION OF TRADE WORKFLOW
    5. SYSTEM ARCHITECTURE
    6. COMPONENTS OF GRID APPLICATION
    7. INTERACTIONS AMONG COMPONENTS
      1. Instantiation and Interaction with the Seller Entity
      2. Instantiation and Interaction with the Buyer Entity
      3. Market Service for Direct Trading
        1. Market Service for Indirect Trading
    8. IMPLEMENTATION
    9. IMPLIED RESOURCE PATTERN
      1. Factory Service
        1. Resource Home
    10. GRID REGISTRY
    11. WEB SERVICES DEVELOPED
      1. GridManagerService
        1. Implementation of GridManagerService
        2. Resource Home and Resource
      2. BuyerService
        1. Implementation of BuyerResource
        2. Implementation of BuyerResourceHome
        3. Implementation of BuyerService
      3. SellerService
      4. MarketService
        1. Implementation of MarketResource and MarketResourceHome
        2. Implementation of MarketService
          1. The fireXpathQuery() Method
          2. The storeEntries() Method
    12. SERVICES FOR INDIRECT TRADING
      1. CropPriceService
      2. MarketFeeService
      3. VehicleFeeService
    13. CLIENT
      1. Seller's Perspective
      2. Buyer's Perspective
      3. Market's Perspective
    14. NOTIFICATION LISTENER CLIENT
    15. EXECUTION SCENARIO
      1. Execution of Seller Grid Service
      2. Execution of Buyer Grid Service
      3. Execution of Market Grid Service
    16. NOTIFICATION TO SELLER SERVICE
    17. NOTIFICATION TO A BUYER SERVICE
    18. MANAGEMENT OF GRID MARKET
    19. SUMMARY
    20. REFERENCES
  18. XII. Combining Web Services and Grid Services: Practical Approaches and Implications to Resource Discovery
    1. ABSTRACT
    2. INTRODUCTION
    3. BACKGROUND: GRID ARCHITECTURE AND SERVICES
      1. What Are Grids?
      2. Why Do We Need Grids?
      3. Grid Features and Capabilities
      4. Grid Services: A Type of Grid Resource
      5. Web Services: Platform Independent Communicators
    4. THE CHALLENGE OF RESOURCE DISCOVERY IN GRIDS
    5. PARTIALLY-GRIDIFIED WEB
    6. COMBINING GRID SERVICES WITH WEB SERVICES: A SERVICE INTEGRATION APPROACH
    7. SOLUTIONS TO GRID RESOURCE DISCOVERY: USING THE SERVICE INTEGRATION APPROACH
      1. Grid-Based Web Services (GbW) Approach
      2. Web-Based Grid Services (WbG) Approach
    8. SOAP-RD: AN INTEGRATION EXAMPLE IN RESOURCE DISCOVERY
    9. FUTURE DIRECTIONS: GRID-BASED WEB VS. WEB-BASED GRID
    10. CONCLUSION
    11. REFERENCES
  19. XIII. Approaches and Best Practices in Web Service Style, XML Data Binding, and Validation: Implications to Securing Web Services
    1. ABSTRACT
    2. INTRODUCTION: HOW WSDL STYLE, STRENGTH OF DATA TYPING, BINDING, AND VALIDATION ARE IMPORTANT FOR WEB SERVICE SECURITY
    3. BACKGROUND
    4. WEB SERVICE STYLE / WSDL BINDING
    5. RPC BINDING STYLE
      1. RPC (Applies to Encoded and Literal)
      2. RPC/encoded (Deprecated)
      3. RPC/literal
    6. DOCUMENT BINDING STYLE
      1. Document (Applies to Literal and Wrapped)
      2. Document/literal
      3. Document/literal Wrapped
    7. DATA ABSTRACTION
    8. LOOSE VS. STRONG DATA TYPES: IMPLICATIONS FOR SECURING MESSAGE CONTENT
      1. Loosely Typed Web Services
      2. String Loose Data Type
      3. The CDATA Section Loose Data Type
      4. xsd:any and xsd:anyType Loose Data Types
      5. Base64 Encoding Loose Data Type
      6. SOAP Attachment Loose Data Type
      7. WS-I SOAP with Attachment Reference Type
    9. STRONGLY TYPED WEB SERVICES
      1. Strongly Typed WSDL Example
    10. XML DATA BINDING AND VALIDATION: HOW AND WHERE DATA IS BOUND AND VALIDATED IN THE APPLICATION
      1. XML Binding/Validation Performed by the SOAP Engine
        1. Advantages:
        2. Disadvantages:
      2. Examples of XML Binding/Validation Performed by the SOAP Engine
        1. Axis 1.4 (JAX-RPC 1.1 Implementation)
        2. JAX-WS
      3. XML Binding/Validation Separated from the SOAP Engine
        1. Advantages:
        2. Disadvantages:
      4. Examples of XML Binding/Validation Separated from the SOAP Engine
        1. Axis 1.4 (JAX-RPC 1.1 Implementation)
        2. JAX-WS
      5. Binding and Validation of XML Security Specifications
      6. WS-Security Specifications
    11. APPROACHES TO BINDING AND VALIDATING SECURITY SPECIFICATIONS
      1. Manual Binding/Validation
        1. Use Dedicated Binding/Validation Frameworks
        2. Adopt Pre-existing (Partial) Implementations
    12. CODE FIRST OR WSDL FIRST
      1. Code First
        1. Advantages
        2. Disadvantages
      2. WSDL First
        1. Advantages
        2. Disadvantages
    13. CONCLUSION
    14. REFERENCES
  20. XIV. Enhancing Web Service Discovery and Monitoring with Quality of Service Information
    1. ABSTRACT
    2. INTRODUCTION
    3. QoS MODEL
      1. Categorization
        1. Performance
        2. Dependability
    4. QOS MONITORING APPROACHES
      1. Provider-Side Instrumentation
      2. SOAP Intermediaries
      3. Probing
      4. Sniffing
    5. A BOOTSTRAPPING AND MONITORING APPROACH USING ASPECT-ORIENTED PROGRAMMING
    6. SYSTEM ARCHITECTURE AND METHODOLOGY
      1. Preprocessing Phase
      2. Evaluation Phase
      3. Result Analysis Phase
    7. ARCHITECTURAL APPROACH
      1. Service Invocation Strategies
      2. Evaluating QoS Attributes Using AOP
        1. TCP Reassembly and Evaluation Algorithm
    8. APPROACHES FOR QOS AND SLA SPECIFICATION
      1. Policies
      2. Contracts
      3. Implicit
    9. WS-POLICY
    10. WS-AGREEMENT
    11. RELATED WORK
    12. CONCLUSION
    13. REFERENCES
    14. ENDNOTE
  21. Compilation of References
  22. About the Contributors