2000
Web Services technology provides software developers with a wide range of tools and models to produce innovative distributed applications. After the initial diffusion of the standard technology the attention of the developers has focused on the ways to secure the information flows between clients and service providers. For this purpose several standards have been proposed and adopted.
International Journal of Web Services Research, 2009
This article discusses the main security requirements for Web services and it describes how such security requirements are addressed by standards for Web services security recently developed or under development by various standardization bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide. Covered standards include most of the standards encompassed by the original Web Service Security roadmap proposed by Microsoft and IBM in 2002 (Microsoft and IBM 2002). They range from the ones geared toward message and conversation security and reliability to those developed for providing interoperable Single Sign On and Identity Management functions in federated organizations. The latter include Security Assertion Markup Language (SAML), WS-Policy, XACML, that is related to access control and has been recently extended with a profile for Web services access control; XKMS and WS-Trust; WS-Federation, Liberty Alliance and S...
2015
Service Oriented Architectures have become the new trend in the world of communication on the web. Especially web services are the high-performance specification of service-oriented architectures. The use of confidential data on the Web becomes the primary problem in the secure communication over the web. The solution proposed in this paper is a secure communication tool OCS based on the principles of SAML standard and Single Sign-On. Our solution proposes a new approach which collaborates strong points of SAML standard and single sign-on method. The implementation of this approach is in the form of a platform or a tool which provides a secure communication between web services. Thus, a future approach that exceeds the level of authentication and address the level of access control, likewise and as a further step, prepare an evaluation of the most important technologies which provide Single Sign-On possibility and secure communication context between heterogeneous web services.
BT Technology Journal, 2000
Security and Web Services are consistently reported among the top technologies of interest to businesses. Concerns about security are a major deterrent to companies considering use of the technology. This paper attempts to give an overview of the current state of Web Services security. The main body of the paper is a tour through key concepts used in Web Services security. Examples based on software demonstrators built by the authors are used to explain how the ideas are used in combination to achieve particular aims. The state of play as regards standards is also reviewed. The concluding section gives some pointers as to active research topics.
Proceedings. IEEE International Conference on Web Services, 2004., 2004
In this paper, we introduce the authorization issues for Web Services. We introduce the authorization service provided by Microsoft® .NET MyServices and then briefly describe our proposed modifications and extensions to the authorization service. We discuss the application of the extended authorization model to a healthcare system built using Web Services. We used the XML access control language (XACL) to
IFIP International Federation for Information Processing, 2004
In this paper, we investigate the authorisation service provided by Microsoft® .NET MyServices [1]. We propose modifications and extensions to eXtensible Markup Language (XML) [2] based data structures' schemas to support a range of commonly used access ...
Datenschutz und Datensicherheit - DuD, 2015
This document describes how to use the UsernameToken with the Web Services Security (WSS) specification.
2005 International Conference on Service Oriented Computing, 2005
Security issues are one of the major deterrents to Web Services adoption in mission critical applications and to the realization of the dynamic e-Business vision of Service Oriented Computing. Role Based Access Control (RBAC) is a common approach for authorization as it greatly simplifies complex authorization procedures in enterprise information systems. However, as most RBAC implementations rely on the manual setup of pre-defined user-ID and password combinations to identify the particular user, this makes it very hard to conduct dynamic e-Business as the service requestor and service provider must have prior knowledge of each other before the transaction. This paper proposes a new Web Services security architecture which unifies the authorization and authentication processes by extending current digital certificate technologies. It enables secure Web Service authorization decisions between parties even if previously unknown to each other and it also enhances the trust-worthiness of service discovery.
One of the leading developments nowadays within distributed computing is Web Services. Essentially, a Web Service can easily be characterized as an XML structured interface that can easily be utilized by a client program to conjure a computing solution dispersed within a network by means of standard Internet protocols. In order for Web Services to turn out to be a widely used approach for the program to program communication, although, there needs to be a reliable framework in place for exactly how Web Services that make use of the general public Internet for transport can be appropriately safeguarded as well as secured. As the circumstances seem nowadays, the majority of services are not really openly revealed however they are frequently implemented within a corporate and business, exclusive network. This hinders the visualization of Web Services that can be openly published in directories which prospective consumers can browse to discover an appropriate service to gratify their particular requirement. This paper explains exactly what the standard threats and obstacles can be found in implementing secured Web Services over openly available and vulnerable networks, as they are described within the literature. It then proceeds to present an introduction to a few of the additional acknowledged security guidelines which happen to be starting to come through around.
2009
This article discusses the main security requirements for Web services and it describes how such security requirements are addressed by standards for Web services security recently developed or under development by various standardization bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide.
Web services are the most important point of usage for the modern web architecture. The Service oriented architecture (SOA) used in web services offers a simple platform for integrating heterogeneous distributed web applications and services. The distributed and open nature of the present system makes it vulnerable to security issues such as Web service Description Language (WSDL) spoofing, Middleware Hijacking, etc. Assuring security for the web services to solve all security flaws is difficult. Authorization is an important aspect for assuring security. Authorization failure can create much vulnerability for the system security using web services which are distributed in nature. In this paper a survey of the authorization techniques for web services based application.
2005
The basic specifications of Web Services completely ignored the need for secure services that are based on a solid authentication and authorization infrastructure. An enhancement of the basic specifications is in progress, but takes time to complete. A large-scale application built today is still in need of an authentication and authorization infrastructure to offer its services to the customers of the service provider and only to the customers. In the following such an infrastructure is described that is able to empower Web Services to properly handle authentication and authorization. This infrastructure is designed as services that can be used by any demanding Web Service.
Communications in Computer and Information Science, 2008
Web services development is a key theme in the utilization the commercial exploitation of the semantic web. Paramount to the development and offering of such services is the issue of security features and the way these are applied in instituting trust amongst participants and recipients of the service. Implementing such security features is a major challenge to developers as they need to balance these with performance and interoperability requirements. Being able to evaluate the level of security offered is a desirable feature for any prospective participant. The authors attempt to address the issues of security requirements and evaluation criteria, while they discuss the challenges of security implementation through a simple web service application case.
Data and Applications Security XIX, 2005
This paper considers the authorization service requirements for the service oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services as well as the support for the management of authorization information. The proposed architecture has several benefits. It is able to support legacy applications exposed as Web services as well as new Web service based applications built to leverage the benefits offered by the service oriented architecture; it can support multiple access control models and mechanisms and is decentralized and distributed and provides flexible management and administration of Web services and related authorization information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to exposed Web services. The architecture is currently being implemented within the .NET framework.
Information Systems Security, 2004
During the past years significant standardization work in web services technology has been made. As a consequence of these initial efforts, web services foundational stable specifications have already been delivered. Now, it is time for the industry to standardize and address the security issues that have risen from this paradigm. Great activity is being carried out on this subject. This article demonstrates, however, that a lot of work needs to be done in web services security standardization. It explains the new web services security threats and mentions the main initiatives and their respective specifications that try to solve them. Unaddressed security issues for each specification are stated. In addition, current general security concerns are detailed and a general solution is proposed.
… Science and Its …, 2004
During the past years significant standardization work in web services technology has been made. As a consequence of these initial efforts, web services foundational stable specifications have already been delivered. Now, it is time for the industry to standardize and address the security issues that have risen from this paradigm. Great activity is being carried out on this subject. This article demonstrates, however, that a lot of work needs to be done in web services security. It explains the new web services security threats and mentions the main initiatives and their respective specifications that try to solve them. Unaddressed security issues for each specification are stated. In addition, current general security concerns are detailed and future researches proposed.
Web Services are a promising solution to an age-old need: fast and flexible information sharing among people and businesses. They represent the next phase of distributed computing, building on the shoulders of the previous distributed models. Web Services leverage the ubiquity of the Internet to link applications, systems, and resources within and among enterprises to enable exciting, new business processes and relationships with customers, partners, and suppliers around the world. They enable access to data that has previously been locked within corporate networks and accessible only by using specialized software. Along with the benefits of Web Services comes a serious risk: sensitive and private data can be exposed to people who are not supposed to see it. The security issues of Web Services in a distributed environment are a major concern of research. Web Services will never attain their tremendous potential unless we learn how to manage the associated risks. The paper therefore focuses on the general framework of security issues and the proposed solution to web services security risks.
International Journal of Information and Computer Security, 2007
This paper proposes an authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorisation of web services as well as the support for the management of authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has been implemented and integrated within the .NET framework. The authorisation architecture for web services is demonstrated using a case study in the healthcare domain. The proposed architecture has several benefits. First and foremost, the architecture supports multiple access control models and mechanisms; it supports legacy applications exposed as web services as well as new web service-based applications built to leverage the benefits offered by the Service-Oriented Architecture; it is decentralised and distributed and provides flexible management and administration of web services and related authorisation information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to web services deployed on those platforms.
2009
Web services provide significant new benefits for SOA-based applications, but they also expose significant new security risks. There is a huge number of WS security standards and processes. At present, there is still a lack of a comprehensive approach which offers a methodical development in the construction of secure WS-based SOA. Thus, the main objective of this paper is to address this need, presenting a comprehensive method for Web Services Security guaranty in SOA. The proposed method defines three stages, Initial Security Analysis, Architectural Security Guaranty and WS Security Standards Identification. These facilitate, respectively, the definition and analysis of WS-specific security requirements, the development of a WS-based security architecture and the identification of the related WS security standards that the security architecture must articulate in order to implement the security services.
Proceedings of the World Congress on …, 2011
The main objective of this paper is to improve the end-to-end security properties of information flow in web-based applications which requires simple end-point software and extensions to existing security protocols. Web Service Platform (WSP) and ISO-WSP often perform all Web-service-related processing including security-sensitive information in the same protection domain, so the entire WSP may have access to security-sensitive information. To address this problem, an attempt is being made to develop a new architecture that decomposes the current WSPs into three parts executing in the separate protection domain.