Abstract
Web Services Security (WS-Security) is a technology to secure the data exchanges in SOA applications. The security requirements for WS-Security are specified as a security policy expressed in Web Services Security Policy (WS-SecurityPolicy). The WS-I Basic Security Profile (BSP) describes the best-practices security practices for addressing the security concerns of WS-Security. It is important to prepare BSP-conformant security policies, but it is quite hard for developers to create valid security polices because the security policy representations are complex and difficult to fully understand. In this paper, we present a validation technology for security policy conformance with WS-Security messages. We introduce an Internal Representation (IR) representing a security policy and its validation rules, and a security policy is known to be valid if it conforms to the rules after the policy is transformed into the IR. We demonstrate the effectiveness of our validation technology and evaluate its performance on a prototype implementation. Our technology makes it possible for a developer without deep knowledge of WS-Security and WS-SecurityPolicy to statically check if a policy specifies appropriate security requirements.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Web Services Security: SOAP Message Security 1.1, http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
WS-SecurityPolicy 1.2, http://www.oasis-open.org/committees/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf
Basic Security Profile Version 1.0 Final Material, http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
Satoh, F., Yamaguchi, Y.: Generic Security Policy Transformation Framework for WS-Security. In: International Conference on Web Services (ICWS 2007), pp. 513–520. IEEE Press, New York (2007)
IBM WebSphere Application Server, http://www.ibm.com/software/webservers/appserv/was
Prennschutz-Schutzenau, S., Mukhi, N.K., Hada, S., Sato, N., Satoh, F., Uramoto, N.: Static vs. Dynamic Validation of BSP Conformance. In: International Conference on Web Services (ICWS 2009), pp. 919–927. IEEE Press, New York (2009)
Nakamura, Y., Satoh, F., Chung, H.V.: Syntactic Validation of Web Services Security Policies. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 319–329. Springer, Heidelberg (2007)
Bhargavan, K., Fournet, C., Gordon, A.D.: Verifying policy-based security for web services. In: 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 268–277 (2004)
Bhargavan, K., Fournet, C., Gordon, A.D., O’Shea, G.: An Advisor for Web Services Security Policies. In: ACM Workshop on Secure Web Services (2005)
Tziviskou, C., Nitto, E.D.: Logic-based Management of Security in Web Services. In: IEEE International Conference on Service Computing, pp. 228–235. IEEE Press, New York (2007)
Lee, A.J., Boyer, J.P., Olson, L.E., Gunter, C.A.: Defeasible security policy composition for web services. In: 4th ACM workshop on Formal methods in security, pp. 45–54 (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Satoh, F., Uramoto, N. (2010). Validating Security Policy Conformance with WS-Security Requirements. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-16825-3_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16824-6
Online ISBN: 978-3-642-16825-3
eBook Packages: Computer ScienceComputer Science (R0)