Security for Web Services

2013 ◽  
pp. 336-362
Author(s):  
Lorenzo Martino ◽  
Elisa Bertino
Keyword(s):  
Web Services ◽  
Access Control ◽  
Identity Management ◽  
Security Requirements ◽  
Research Issues ◽  
Single Sign On ◽  
Web Service Security ◽  
Web Services Security ◽  
Management Techniques ◽  
Management Functions

This article discusses the main security requirements for Web services and it describes how such security requirements are addressed by standards for Web services security recently developed or under development by various standardizations bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide. Covered standards include most of the standards encompassed by the original Web Service Security roadmap proposed by Microsoft and IBM in 2002 (Microsoft and IBM 2002). They range from the ones geared toward message and conversation security and reliability to those developed for providing interoperable Single Sign On and Identity Management functions in federated organizations. The latter include Security Assertion Markup Language (SAML), WS-Policy, XACML, that is related to access control and has been recently extended with a profile for Web services access control; XKMS and WS-Trust; WS-Federation, LibertyAlliance and Shibboleth, that address the important problem of identity management in federated organizations. The article also discusses the issues related to the use of the standards and open research issues in the area of access control for Web services and innovative digital identity management techniques are outlined.

Security for Web Services

2009 ◽  
Vol 6 (4) ◽  
pp. 48-74 ◽  
Author(s):  
Lorenzo D. Martino ◽  
Elisa Bertino
Keyword(s):  
Web Services ◽  
Access Control ◽  
Identity Management ◽  
Security Requirements ◽  
Research Issues ◽  
Single Sign On ◽  
Web Service Security ◽  
Web Services Security ◽  
Management Techniques ◽  
Management Functions

This article discusses the main security requirements for Web services and it describes how such security requirements are addressed by standards for Web services security recently developed or under development by various standardizations bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide. Covered standards include most of the standards encompassed by the original Web Service Security roadmap proposed by Microsoft and IBM in 2002 (Microsoft and IBM 2002). They range from the ones geared toward message and conversation security and reliability to those developed for providing interoperable Single Sign On and Identity Management functions in federated organizations. The latter include Security Assertion Markup Language (SAML), WS-Policy, XACML, that is related to access control and has been recently extended with a profile for Web services access control; XKMS and WS-Trust; WS-Federation, Liberty Alliance and Shibboleth, that address the important problem of identity management in federated organizations. The article also discusses the issues related to the use of the standards and open research issues in the area of access control for Web services and innovative digital identity management techniques are outlined.

Access Control and Information Flow Control for Web Services Security

2016 ◽  
Vol 11 (1) ◽  
pp. 44-76 ◽  
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Using SAML and XACML for Web Service Security&Privacy

2008 ◽  
pp. 182-205 ◽  
Author(s):  
Tuncay Namli ◽  
Asuman Dogac
Keyword(s):  
Web Services ◽  
Access Control ◽  
Web Service ◽  
User Authentication ◽  
Security And Privacy ◽  
Web Service Security ◽  
Technology Changes ◽  
Attribute Information ◽  
Healthcare Monitoring ◽  
Service Standards

Web service technology changes the way of conducting business by opening their services to the whole business world over the networks. This property of Web services makes the security and privacy issues more important since the access to the services becomes easier. Many Web service standards are emerging to make Web services secure and privacy protected. This chapter discusses two of them; SAML (OASIS, 2005) and XACML (OASIS, 2005). SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. In other words, SAML handles the user authentication and also carries attribute information for authorization (access control). XACML is the complementary standard of OASIS to make the access control decisions. This work is realized within the scope of the IST 027074 SAPHIRE Project which is an intelligent healthcare monitoring and decision support system.

Access Control and Information Flow Control for Web Services Security

2020 ◽  
pp. 185-219
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Security in Service-Oriented Architecture

2005 ◽  
pp. 292-316 ◽  
Author(s):  
Srinivas Padmanabhuni ◽  
Hemant Adarkar
Keyword(s):  
Web Services ◽  
Service Oriented Architecture ◽  
Security Requirements ◽  
Online Systems ◽  
Pragmatic Analysis ◽  
Service Oriented ◽  
Web Services Security ◽  
Soa Security ◽  
Security Standards

This chapter covers the different facets of security as applicable to Service-Oriented Architecture (SOA) implementations. First, it examines the security requirements in SOA implementations, highlighting the differences as compared to the requirements of generic online systems. Later, it discusses the different solution mechanisms to address these requirements in SOA implementations. In the context of Web services, the predominant SOA implementation standards have a crucial role to play. This chapter critically examines the crucial Web services security standards in different stages of adoption and standardization. Later, this chapter examines the present-day common nonstandard security mechanisms of SOA implementations. Towards the end, it discusses the future trends in security for SOA implementations with special bearing on the role of standards. The authors believe that the pragmatic analysis of the multiple facets of security in SOA implementations provided here will serve as a guide for SOA security practitioners.

Research on Policy-Based Service-Oriented Computing Security

2011 ◽  
Vol 55-57 ◽  
pp. 602-607
Author(s):  
Yong Sheng Zhang ◽  
Qin Luo ◽  
Xue Wu Nie ◽  
Xiao Dong Bi
Keyword(s):  
Web Services ◽  
Access Control ◽  
Decision Model ◽  
Control Mechanism ◽  
Description Language ◽  
Service Oriented Computing ◽  
Service Oriented ◽  
Web Services Security ◽  
Policy Description Language ◽  
The Web

This article described the Web Services security protocols, and the policy description language XACML was analyzed in detail in the Web Services. XACML is characterized by the strong ability of expansion and the favorable inter-operation in the access control of the Web Services, which are concluded from the comparison in both SOA strategic architectures. A collection of XACML policy combination algorithms and decision algorithms were discussed in the policy-based service-oriented computing, then the policy control and access control mechanism were also illustrated, and the corresponding decision model was described, at last the development of XACML was prospected.

Secure Web Service Composition

2008 ◽  
pp. 50-70
Author(s):  
Barbara Carminati ◽  
Elena Ferrari ◽  
Patrick Hung
Keyword(s):  
Web Services ◽  
Web Service ◽  
Service Composition ◽  
Web Service Composition ◽  
Security Requirements ◽  
Primary Concern ◽  
Web Services Composition ◽  
Security Issues ◽  
Services Composition ◽  
Web Service Security

Web service security is today receiving growing attention, and enterprises are realizing that effective security management is essential for earning and maintaining trust in their services. One of the major benefits of Web services is that it is possible to dynamically combine different services together to form a more complex service. Also, in this case, security issues are a primary concern. In this chapter, we focus on security issues that arise when composing Web services. We first provide an overview of the main security requirements that must be taken into account when composing Web services. Then, we survey literature and standards related to Web services composition. Finally, we present a proposal for a brokered architecture on support of the secure composition of Web services.

Sign in / Sign up

Export Citation Format

Share Document