Securing Web Services: Practical Usage of Standards and Specifications

Panos Periorellis (Newcastle University, UK)
Indexed In: SCOPUS
Release Date: October 2007 | Copyright: © 2008 | Pages: 420
ISBN13: 9781599046396 | ISBN10: 1599046393 | EISBN13: 9781599046419 | DOI: 10.4018/978-1-59904-639-6

Description

Web services are a business-driven technology, as they have arisen from a need for on-demand services and just-in-time integration to enable the rapid exploitation of market opportunities. Security challenges have accelerated alongside the rapid advances in this domain.

The security requirement standards address a number of security and dependability issues. Securing Web Services: Practical Usage of Standards and Specifications collects a complete set of studies that address the security and dependability challenges of Web services and the development of protocols to meet those challenges. Encompassing a complete range of topics including specifications for message level security, transactions, and identity management, this Premier Reference Source enables libraries to provide researchers with an authoritative guide to one of the most challenging technological topics of our time.

Topics Covered

The many academic areas covered in this publication include, but are not limited to:

  • GRID Security
  • Message Level Integrity and Reliability
  • SAML
  • SOAP Message Management
  • Standards Composition
  • Web Services and the GRID
  • Web Services architectures
  • Web Services Challenges
  • Web services discovery
  • Web Services Policy
  • Web services security
  • Web Services Specifications
  • Web Services Standards
  • Web Services Trust
  • XACML

Reviews and Testimonials

This book includes chapters with engaging technical details, as well as thought provoking ideas from several major IT companies and world renowned academics.

– Panos Periorellis, Newcastle University, UK

There is likely something of great interest to every reader concerned with recent research activity in Web services and security. Summing Up: Recommended. Upper-division undergraduate through professional software engineering collections.

– CHOICE, Vol. 45, No. 09 (May 2008)

Fourteen chapters share experiences implementing web service security mechanisms on different platforms, combining architectural styles with web services, and controlling access through authorization, WS-Policy, X-GTRBAC, SAML, and SACML.

– Book News Inc. (2008)

This book is an excellent demonstration of recent research and studies on a variety of topics associated with Web service security. It provides students, practitioners, and researchers with an essential resource.

– Library Hi Tech Journal (2008)

Preface

Editing this book is the outcome of several years of research and publishing in the areas of dependability and security, which are both fields of high importance that are constantly expanding. The application domain is that of Web Services, and my most recent work has been targeted towards making sense of the standards and specifications available in this new arena, while at the same time providing security solutions for various distributed applications. Web services are a business-driven technology, as they have arisen out of a need for services on demand and just-in-time integration, to enable the rapid exploitation of market opportunities. The Web Service ideology of late binding seems to present the ideal solution, as it enables loosely coupled organizational services to collaborate without any prior transactional history. Integration is abstracted to a new level, that of XML, and dependability mechanisms that stem from such specifications are targeted at this particular level of abstraction. This abstracted approach to integration does have drawbacks, however, rooted in the trust and security issues that arise from doing business in such a manner. The security and dependability requirements themselves in the Web Services arena are not new. They have in fact been accompanying distributed computing since its beginnings. There have been more than 30 standards and specifications proposed to address security issues and provide mechanisms for authorization, authentication, confidentiality, integrity and non-repudiation. Each of these proposed specifications spans a number of security and dependability related issues. However, despite such a large number of specifications, there appears to be no clear consensus regarding the overall architectural framework. This book is a contribution towards this need.

I received a large number of proposals, which consequently resulted in a large number of potential chapters. I conducted a highly skilled reviewing team composed largely of fellow academics and IT professionals that helped me through the selection process and eventually narrowed it down to the 14 chapters included in the book. Let us have a quick look at the structure of the book.

The book kicks off with the chapter contribution of Padmanabhuni and Adarkar. Through a set of core security requirements for web services, they discuss and compare several mechanisms available for addressing those challenges, from current standards to specifications under review. In addition, their attempt to address future trends in the domain of web service security makes this chapter a very valuable contribution.

Shrideep Pallickara, Geoffrey Fox et al. discuss how service oriented architectures are envisaged using web services. They address a number of specifications and as such provide a valuable insight into some of the core elements of this book.

Barbara Carminati et al. address the issue of Web Service composition and discuss the challenges in building large applications from modular pieces of software (Web Services). Focusing on dependability, the authors provide an overview of the main security requirements that must be taken into account when composing Web services. In addition, a detailed survey of the related literature and standards relevant to Web services is outlined. Finally, the authors present a proposal for a brokered architecture to support secure Web services composition.

Nick Cook et al. tackle a specific security requirement, that of non-repudiation, and provide a thorough discussion of the problem of making high-value business-to-business (B2B) interactions non-repudiable. The chapter presents the design and implementation details of the authors' novel Web services-based middleware that addresses non-repudiable interactions using existing Web service standards.

The subject of access control sets off with the contribution of David Chadwick and his chapter on dynamic delegation of access control rights. David enumerates the requirements for delegation of authority, discusses the various implementation and architectural models and finally highlights the essential elements of such an approach. David's authority and expertise in the field make this chapter one of the most valuable contributions of the book.

Rafae Bhatti from IBM's Almaden Research Center describes and at the same time defends their effort at defining a new access control policy description language for web services. They make use of some of the current web services standards and show how their effort can be integrated with existing technologies such as WS-Policy to provide a robust, fine-grained mechanism for access control.

We continue our discussion on policies and see how these can potentially govern Web Service interactions with the contribution by Clemente et al. Felix provides an evaluation of the ongoing efforts to use semantically rich ontological languages to represent policies for distributed systems while at the same time highlighting the architectural considerations and implementation aspects of those efforts.

Asuman Dogac et al. conclude the access control part of the book with what are probably the most widely used of the Web Service standards, namely XACML and SAML. The authors demonstrate how they can be combined to provide an overall authentication and authorization mechanism and at the same time discuss their pros and cons.

Konstantin Beznosov presents an experience report on designing and implementing an architecture for protecting enterprise-grade Web service applications hosted by ASP.NET. Kosta deploys his invaluable insight into .NET security mechanisms to discuss design patterns and best practices for constructing flexible and extensible authentication and authorization logic for .NET Web Services.

Kaliontzoglou et al. discuss a particular domain, that of e-government, and in this light the authors outline specific requirements for e-government services, interoperability and security. Their chapter presents three innovative e-government architecture and implementation strategies based on web service technologies, focusing on their security and interoperability aspects.

Asif Akram presents an industrial-based case study that provides a pragmatic test bed for evaluating Web service technologies against emerging GRID scenarios. The author discusses issues such as stateful interactions, interoperability, integration and others.

Aisha Naseer and Lampros Stergoulias discuss infrastructural aspects of GRID computing and argue that Grids should be developed using the underlying web infrastructure and GRID services should be integrated with Web Services using inheritance techniques to produce Grid-supported Web Services.

David Meredith addresses message level reliability by providing a lot of valuable technical details on WSDL interface style, strength of data typing and approach to data binding and validation to demonstrate how these have important implications on application security (and interoperability). David shows how these Web service styles and implementation choices must be carefully considered and applied correctly by providing implementation examples and best practice recommendations.

The book concludes with Christian Platzer et al. raising quality of service related concerns. Focusing on general Web services dependability issues while leveraging their expertise and experience in distributed computing, their chapter deals with the various ways of describing, bootstrapping and evaluating QoS attributes. The chapter addresses a way to bootstrap the most important performance and dependability values.

My main aim is to address both sides of the spectrum, namely developers that face security requirements in the arena of web services on a day-to-day basis as well as academics. As such I worked tirelessly to maintain the balance between academic research and industrial practice. As a result the book includes chapters with engaging technical details as well as thought provoking ideas from several major IT companies as well as world renowned academics.

Author(s)/Editor(s) Biography

Panos Periorellis is a computing scientist specializing in security and dependability matters for distributed computing, and he has been at the forefront of the development of concepts such as systems of systems and virtual organizations. He currently holds a senior research position at the University of Newcastle upon Tyne in the UK, while at the same time consulting on security issues for major IT companies. He has written numerous papers in the areas of Web services, and this book constitutes his first editorial effort. In addition, he acts as a reviewer for several journals and participates in various conference and workshop program committees. He maintains strong links with several industrial partners in telecommunications, transactional technologies, and software engineering. As a brief biographical note, he joined the Department of Computing Science at the University of Newcastle upon Tyne in June 2000 as a research associate, shortly after successfully completing his PhD in the area of enterprise modeling, under the supervision of Professor John Dobson. Working on several research projects, he carried out novel and innovative research into areas such as systems integration and security for distributed systems. He was promoted to senior member of academic staff in March 2004, and started researching into issues of security and trust for Web services. Since 1997, he has published over 40 papers on distributed computing, Web and Internet programming, peer-to-peer networks, organizational aspects of software engineering, complex systems, and natural language processing. His research interests remain in the areas of distributed computing, dependability, and complex systems. He holds a PhD in computing science, and an MSc and a BSc (Hons) in information systems.