Security for Web Services and Service-Oriented Architectures / Edition 1

ISBN-10: 354087741X

ISBN-13: 9783540877417

Pub. Date: 11/11/2009

Publisher: Springer Berlin Heidelberg

Overview

Web services based on the Extensible Markup Language (XML), the Simple Object Access Protocol (SOAP), and related standards, and deployed in Service-Oriented Architectures (SOA), are the key to Web-based interoperability for applications within and across organizations. It is crucial that the security of services and their interactions with users is ensured if Web services technology is to live up to its promise. However, the very features that make it attractive - such as greater and ubiquitous access to data and other resources, dynamic application configuration and reconfiguration through workflows, and relative autonomy - conflict with conventional security models and mechanisms.

Elisa Bertino and her coauthors provide a comprehensive guide to security for Web services and SOA. They cover in detail all recent standards that address Web service security, including XML Encryption, XML Signature, WS-Security, and WS-SecureConversation, as well as recent research on access control for simple and conversation-based Web services, advanced digital identity management techniques, and access control for Web-based workflows. They explain how these implement means for identification, authentication, and authorization with respect to security aspects such as integrity, confidentiality, and availability.

This book will serve practitioners as a comprehensive critical reference on Web Service standards, with illustrative examples and analyses of critical issues; researchers will use it as a state-of-the-art overview of ongoing research and innovative new directions; and graduate students will use it as a textbook on advanced topics in computer and system security.

Product Details

ISBN-13: 9783540877417
Publisher: Springer Berlin Heidelberg
Publication date: 11/11/2009
Edition description: 2010
Pages: 226
Product dimensions: 6.40(w) x 9.30(h) x 0.80(d)

Table of Contents

1 Introduction 1

1.1 Security for Web Services and Security Goals 1

1.2 Privacy 3

1.3 Goals and Scope of the Book and its Intended Audience 4

1.4 An Overview of the Book's Content 5

2 Web Service Technologies, Principles, Architectures, and Standards 9

2.1 SOA and Web Services Principles 10

2.2 Web Services Architecture 13

2.3 Web Services Technologies and Standards 13

2.3.1 SOAP 15

2.3.2 Web Services Description Language (WSDL) 16

2.3.3 Service Discovery: Universal Description, Discovery and Integration (UDDI) 18

2.3.4 Considerations 21

2.4 Web Services Infrastructure 22

3 Web Services Threats, Vulnerabilities, and Countermeasures 25

3.1 Threats and Vulnerabilities Concept Definition 26

3.2 Threat Modeling 28

3.3 Vulnerability Categorizations and Catalogs 36

3.4 Threat and Vulnerabilities Metrics 40

4 Standards for Web Services Security 45

4.1 The Concept of Standard 47

4.2 Web Services Security Standards Framework 48

4.3 An Overview of Current Standards 49

4.3.1 "Near the wire" security standards 49

4.3.2 XML Data Security 51

4.3.3 Security Assertions Markup Language (SAML) 53

4.3.4 SOAP Message Security 56

4.3.5 Key and Trust Management standards 60

4.3.6 Standards for Policy Specification 64

4.3.7 Access Control Policy Standards 67

4.4 Implementations of Web Services Security Standards 73

4.5 Standards-related Issues 74

5 Digital Identity Management and Trust Negotiation 79

5.1 Overview of Digital Identity Management 80

5.2 Overview of Existing Proposals 82

5.2.1 Liberty Alliance 83

5.2.2 WS-Federation 86

5.2.3 Comparison of Liberty Alliance and WS-Framework 89

5.2.4 Other Digital Identity Management Initiatives 90

5.3 Discussion on Security of Identity Management Systems 93

5.4 Business Processes 95

5.4.1 Deploying Multifactor Authentication for Business Processes 96

5.4.2 Architecture 97

5.5 Digital Identity Management in Grid Systems 97

5.6 The Trust Negotiation Paradigm and its Deployment using SOA 100

5.7 Trust Negotiation and Digital Identity Management 101

5.7.1 Automated Trust Negotiation and Digital Identity Management Systems: Differences and Similarities 102

5.8 Integrating Identity Management and Trust Negotiations 105

5.8.1 Architecture of a SP in FAMTN 107

5.8.2 An Example of a Use Case: FSP in Liberty Web Services Framework 108

5.9 Negotiations in an FAMTN Federation 109

5.9.1 Ticketing system in an FAMTN Federation 109

5.9.2 Implementing Trust Tickets Through Cookies 110

5.9.3 Negotiation in Identity Federated Systems 112

5.10 Bibliographic Notes 113

6 Access Control for Web Services 115

6.1 Approaches to Enforce Access Control for Web Services 116

6.2 WS-AC1: An Adaptive Access Control Model for Stateless Web Services 118

6.2.1 The WS-AC1 Model 120

6.2.2 WS-AC1 Identity Attribute Negotiation 125

6.2.3 WS-AC1 Parameter Negotiation 128

6.3 An Access Control Framework for Conversation-Based Web services 132

6.3.1 Conversation-Based Access Control 133

6.3.2 Access Control and Credentials 134

6.3.3 k-Trust Levels and Policies 135

6.3.4 Access Control Enforcement 136

6.3.5 K-Trustworthiness Levels Computation 138

6.3.6 Architecture of the Enforcement System 145

7 Secure Publishing Techniques 147

7.1 The Merkle Signatures 148

7.1.1 Merkle Signatures for Trees 148

7.1.2 Merkle Signatures for XML Documents 149

7.1.3 Merkle Hash Verification for Documents with Partially Hidden Contents 150

7.2 Application of the Merkle Signature to UDDI Registries 152

7.2.1 Merkle Signature Representation 152

7.2.2 Merkle Hash Path Representation 153

7.2.3 A Comparison of Merkle Signatures with XML Signatures 154

7.3 Bibliographic Notes 157

8 Access Control for Business Processes 159

8.1 Access Control for Workflows and Business Processes 161

8.2 Web Services Business Process Execution Language (WS-BPEL) 164

8.3 RBAC-WS-BPEL: An Authorization Model for WS-BPEL Business Processes 166

8.4 RBAC XACML: Authorization Schema 170

8.5 Business Process Constraint Language 170

8.6 RBAC-WS-BPEL Authorization Specification 171

8.7 RBAC-WS-BPEL Enforcement 172

8.8 RBAC-WS-BPEL System Architecture 174

8.9 Handling activity Execution and RBAC-WS-BPEL Enforcement 176

9 Emerging Research Trends 179

9.1 Security as a Service 179

9.1.1 Motivations 180

9.1.2 Reference Framework for Security Services 181

9.1.3 Authentication Service 182

9.2 Privacy for Web Services 186

9.2.1 P3P and the Privacy-Aware RBAC Model 187

9.2.2 Privacy-Preserving Data Management Techniques 192

9.2.3 W3C Privacy Requirements for Web Services and Research Issues 193

9.3 Semantic Web Security 194

9.4 Concluding Remarks 195

A Access Control 197

A.1 Basic Notions 197

A.1.1 The Protection Matrix Model 198

A.1.2 Access Control Lists and Capability Lists 199

A.1.3 Negative Authorizations 199

A.2 Role-Based Access Control 200

A.3 Concluding Remarks 204

References 205

Index 223
