Abstract
In recent years, significant standardization work has been done in web services technology. As a consequence of these initial efforts, stable foundational web services specifications have already been delivered. Now it is time for the industry to standardize and address the security issues that have arisen from this paradigm. A great deal of activity is under way on this subject. This article demonstrates, however, that much work remains to be done in web services security. It explains the new web services security threats and mentions the main initiatives, and their respective specifications, that try to solve them. Unaddressed security issues for each specification are stated. In addition, current general security concerns are detailed and future research is proposed.
This research is part of the CALIPO project supported by Dirección General de Investigación of the Ministerio de Ciencia y Tecnología (TIC2003-07804-C05-03), and the MESSENGER project, supported by the Consejería de Ciencia y Tecnología of the Junta de Comunidades de Castilla-La Mancha (PCC-03-003-1).
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gutiérrez, C., Fernández-Medina, E., Piattini, M. (2004). A Survey of Web Services Security. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds) Computational Science and Its Applications – ICCSA 2004. ICCSA 2004. Lecture Notes in Computer Science, vol 3043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24707-4_109
DOI: https://doi.org/10.1007/978-3-540-24707-4_109
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22054-1
Online ISBN: 978-3-540-24707-4
eBook Packages: Springer Book Archive