Skip to main content
Springer Nature Link
Log in

Middleware Support for Complex and Distributed Security Services in Multi-tier Web Applications

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6542))

Included in the following conference series:

  • 859 Accesses

Abstract

The security requirements of complex multi-tier web applications have shifted from simple localized needs, such as authentication or authorization, to physically distributed but actually aggregated services, such as end-to-end data protection, non-repudiation or patient consent management. Currently, there is no support for integrating complex security services in web architectures, nor are approaches from other architectural models easily portable. In this paper we present the architecture of a security middleware, aimed at providing a reusable solution bringing support for complex security requirements into the application architecture, while addressing typical web architecture challenges, such as the tiered model or the lack of sophisticated client-side logic. We both evaluate the security of the middleware and present a case study and prototype implementation, which show how the complexities of a web architecture can be dealt with while limiting the integration effort.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Agreiter, B., Hafner, M., Breu, R.: A fair non-repudiation service in a web services peer-to-peer environment. Computer Standards & Interfaces 30(6), 372–378 (2008)

    Article  Google Scholar 

  2. Alireza, A., Lang, U., Padelis, M., Schreiner, R., Schumacher, M.: The challenges of corba security, pp. 61–72 (2000)

    Google Scholar 

  3. Anderson, J.P.: Computer security technology planning study volume ii. Technical report, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bredford, MA (October 1972)

    Google Scholar 

  4. Ball, J., Carson, D.B., Evans, I., Haase, K., Jendrock, E.: The java ee 5 tutorial. Sun Microsystems, Santa Clara (2006)

    Google Scholar 

  5. Cook, N.: Middleware Support for Non-repudiable Business-to-Business Interactions. PhD thesis, School of Computing Science, Newcastle University (2006)

    Google Scholar 

  6. Debie, E., De Ryck, P.: Non-repudiation middleware for web-based architectures. MSc thesis, Katholieke Universiteit Leuven (2009)

    Google Scholar 

  7. DeMichiel, L., Keith, M.: Enterprise javabeans, version 3.0. Sun Microsystems (2006)

    Google Scholar 

  8. Erlingsson, U., Schneider, F.: Irm enforcement of java stack inspection. In: IEEE Symposium on Security and Privacy, pp. 246–255 (2000)

    Google Scholar 

  9. Object Management Group. Security service specification v1.8 (March 2002)

    Google Scholar 

  10. Object Management Group. Corba specification (January 2008), http://www.omg.org/spec/CORBA/3.1/

  11. Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, Redmond (2006)

    Google Scholar 

  12. Johnson, R., et al.: Spring java application framework - reference documentation (2009)

    Google Scholar 

  13. Koved, L., Nadalin, A., Nagaratnam, N., Pistoia, M., Shrader, T.: Security challenges for enterprise java in an e-business environment. IBM Systems Journal 40(1), 130–152 (2001)

    Article  Google Scholar 

  14. Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of fair non-repudiation protocols. Computer Communications 25(17), 1606–1621 (2002)

    Article  Google Scholar 

  15. Linn, J.: Rfc2743: Generic security service application program interface version 2, update 1. RFC Editor United States (2000)

    Google Scholar 

  16. Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: Rfc2560: X. 509 internet public key infrastructure online certificate status protocol-ocsp (1999)

    Google Scholar 

  17. Nadalin, A., Kaler, C., Hallam-Baker, P., Monzillo, R., et al.: Web services security: Soap message security 1.0 (ws-security 2004). OASIS Standard, 200401 (2004)

    Google Scholar 

  18. Nenadic, A., Zhang, N., Barton, S.: Fides–a middleware e-commerce security solution. In: Proceedings of the 3rd European Conference on Information Warfare and Security, pp. 295–304 (2004)

    Google Scholar 

  19. Parkin, S., Ingham, D., Morgan, G.: A message oriented middleware solution enabling non-repudiation evidence generation for reliable web services. In: Malek, M., Reitenspieß, M., van Moorsel, A. (eds.) ISAS 2007. LNCS, vol. 4526, pp. 9–19. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  20. Singh, I., Johnson, M., Stearns, B.: Designing enterprise applications with the J2EE platform. Addison-Wesley Professional, Reading (2002)

    Google Scholar 

  21. Tribble, D.A.: The health insurance portability and accountability act: security and privacy requirements. American Journal of Health-System Pharmacy 58(9), 763 (2001)

    Google Scholar 

  22. Wichert, M., Ingham, D., Caughey, S.: Non-repudiation evidence generation for corba using xml (1999)

    Google Scholar 

  23. Zhou, J., Gollmann, D.: Evidence and non-repudiation. Journal of Network and Computer Applications (1997)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IBBT-DistriNet, Katholieke Universiteit Leuven, 3001, Leuven, Belgium

    Philippe De Ryck, Lieven Desmet & Wouter Joosen

Authors
  1. Philippe De Ryck
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lieven Desmet
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Wouter Joosen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Google Inc., 1288 Pear Ave, 94043, Mountain View, CA, USA

    Úlfar Erlingsson

  2. Computer Science Department, University of Twente, Drienerlolaan 5, 7522 NB, Enschede, The Netherlands

    Roel Wieringa

  3. Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5612 AZ, Eindhoven, The Netherlands

    Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

De Ryck, P., Desmet, L., Joosen, W. (2011). Middleware Support for Complex and Distributed Security Services in Multi-tier Web Applications. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-19125-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19124-4

  • Online ISBN: 978-3-642-19125-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics