Security Policies in Web Services


Deepti Parachuri, Sudeep Mallick
DOI: 10.4018/978-1-60566-950-2.ch007


Security is of fundamental concern in computing systems. This chapter covers the role of security policies in Web services. First, it examines the importance of policies in Web services and explains the WS-Policy standard. It also highlights the relation of WS-Policy to other WS-* specifications. Next, it covers different facets of security requirements in SOA implementations. Later, it examines the importance of security policies in Web services and presents the basic concepts of the WS-Security policy language. The WS-Security policy specification gives a standard way to define and publish security requirements in an extensible and interoperable way. A service provider uses a security policy to publish the security measures implemented to protect the service. Security policies can also be made customizable to meet the security preferences of different consumers. Towards the end, the chapter discusses the governance of security policies and future trends in security policies for Web services.
Chapter Preview

2. Background On Policies In Web Services

Policies are defined as information that can be used to modify the behavior of a system. There are two reasons for using policies in Web services for developing interoperable business processes. First, policies permit managing Web services at a higher level, where the details of composition are separated from the behavior of the Web services. Second, policies help in creating interoperable and adaptive service systems. Policies also address issues such as how to deal with Web service unreliability and how to substitute a Web service with an equivalent one.

There are many ways to associate policies with Web services. A simple scenario for the application of a policy is: “Consumer sends a service request to Provider. If the service request conforms to Provider’s policy for requests, then Provider accepts the request, else it returns a fault status.” This situation exists, for instance, where Provider requires Consumer to assign a unique identifier to its request, in accordance with WS-Reliability. If Provider receives a request with no suitable identifier, it returns a fault status. Provider may publish its policy in one or more ways: UDDI, WSDL, HTTP, LDAP, DNS, or in SQL or SAML request/response messages. Policies can also be included in SOAP headers.
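
The accept-or-fault scenario above can be sketched as a provider-side check. This is an added example, not code from the chapter. The `urn:example:reliability` namespace, its `MessageId` element and the `REQUEST_POLICY` list are hypothetical stand-ins rather than the WS-Reliability schema, and the example also rejects DTDs and repeated identifiers.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
REL_NS = "urn:example:reliability"  # hypothetical, not the WS-Reliability schema
# Provider's policy for requests (constructed): headers that must be present.
REQUEST_POLICY = [(REL_NS, "MessageId")]

FAULT = ('<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
         '<faultcode>soap:%s</faultcode><faultstring>%s</faultstring>'
         '</soap:Fault></soap:Body></soap:Envelope>')

def soap_fault(code, reason):
    """Build a minimal SOAP 1.1 fault; the reason text is XML-escaped."""
    return FAULT % (SOAP_NS, code, escape(reason))

def check_request(raw, seen_ids):
    """Return (accepted, fault_xml_or_None) for one raw request (bytes)."""
    if b"<!DOCTYPE" in raw:
        # SOAP messages carry no DTD; refusing it also stops entity expansion.
        return False, soap_fault("Client", "DTD not allowed")
    try:
        env = ET.fromstring(raw)
    except ET.ParseError:
        return False, soap_fault("Client", "malformed XML")
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return False, soap_fault("VersionMismatch", "not a SOAP 1.1 envelope")
    header = env.find(f"{{{SOAP_NS}}}Header")
    for ns, name in REQUEST_POLICY:
        el = header.find(f"{{{ns}}}{name}") if header is not None else None
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            return False, soap_fault("Client", f"policy requires header {name}")
        if name == "MessageId":
            if value in seen_ids:  # the identifier must be unique per request
                return False, soap_fault("Client", "identifier not unique")
            seen_ids.add(value)
    return True, None

def sample(header_xml):
    """Constructed sample request with the given header content."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:r="{REL_NS}">'
            f'<s:Header>{header_xml}</s:Header>'
            f'<s:Body><r:Ping/></s:Body></s:Envelope>').encode()

if __name__ == "__main__":
    seen = set()
    print(check_request(sample("<r:MessageId>req-001</r:MessageId>"), seen))
    print(check_request(sample(""), seen))
```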
