CHAPTER 11

Patterns for Web Services Security

You are what you do, not what you say you’ll do.

Carl Gustav Jung

11.1 Introduction

Service-oriented architectures (SOAs) and web services are special cases of distributed systems. Distributed systems are typically heterogeneous systems that are accessible to a wide variety of institution partners, customers or mobile employees, and introduce a new variety of security threats. To protect its assets, an organization needs to define security policies, which are high-level guidelines that specify the states in which the system is considered to be secure. These policies need to be enforced by security mechanisms. In large organizations, the policies may be issued by different actors, making their management difficult. Moreover, they need to be enforced for a variety of resources. To make things more difficult, they may have to follow government or institution regulations. One way to allow interoperability, apply security, and enforce compliance with regulations is through the use of standards that define architectures to guarantee that all participants will follow the same rules in their interactions.

There are many web services security standards, which are rather complex and sometimes overlap; representing them as patterns makes them easier to understand and to compare with other patterns. This chapter presents our work on security patterns for web services and their standards. Many patterns have been identified in the web services community, ...

Get Security Patterns in Practice: Designing Secure Architectures Using Software Patterns now with the O’Reilly learning platform.
