Abstract
Because web services are dynamic, heterogeneous and interorganizational, different services, different ports or operations within the same service, and even the same service at different times may have different security requirements, owing to their different security domains and business backgrounds. Designing a flexible, fine-grained and comprehensive architecture for web services security processing has therefore become a matter of great urgency, yet no ideal solution to these problems has been worked out. In this paper we present a policy-based architecture for web services security processing (PBA4WSSP) to meet dynamic, complete and fine-grained security requirements. In PBA4WSSP, all security problems are processed on the basis of security policy at the service stage, which supports flexible security configuration. We have also designed a service policy model to describe fine-grained security requirements, and we describe the method for converting between the security policy model and the security policy expression. In addition, a staged, complete security processing architecture is provided to reduce the dependency among protocol implementations. Furthermore, based on PBA4WSSP, a web service security module has been designed and implemented. Finally, the performance evaluation results demonstrate that our system is flexible and usable.
References
Chen Y (2008) Web services composition with incomplete QoS information. In: Computer and information technology workshops, 2008. IEEE 8th international conference on CIT workshops 2008, pp 683–687
Zhang J (2005) Trustworthy web services: actions for now. IT Prof 7(1):32–36
Curbera F, Duftler MJ, Khalaf R, Nagy WA, Mukhi N, Weerawarana S (2007) Colombo: lightweight middleware for service oriented. In: Kommunikation in Verteilten Systemen (KiVS 2007), pp 371–382
She W, Yen I-L, Thuraisingham B (2008) Enhancing security modeling for web services using delegation and pass-on. IEEE international conference on web services, pp 245–252
Lindstrom P (2004) Attacking and defending web service. A spire research report
Nurse JRC, Sinclair JE (2009) BOF4WSS: a business-oriented framework for enhancing web services security for e-business. Fourth international conference on internet and web applications and services
Zhao W, Varadharajan V (2008) Trust management for web services. IEEE international conference on web services, pp 818–821
Lin C, Varadharajan V, Wang Y, Pruthi V (2005) Trust enhanced security for mobile agents. IEEE international conference on e-commerce technology, pp 231–238
Bertino E, Ferrari E, Squicciarini AC (2004) Trust-x: a peer-to-peer framework for trust establishment. IEEE Trans Knowl Data Eng 16(7):827–842
Papazoglou M (2008) Web services: principles and technology. Addison-Wesley, Reading
ISO/TC 97 (1989) Information processing systems – Open systems interconnection – Basic reference model – Part 2: Security architecture (ISO 7498-2:1989)
OASIS (2006) Web Services Security: SOAP Message Security Version 1.1. http://docs.oasis-open.org/wss/v1.1/
OASIS (2007) WS-Security Policy Version 1.2. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.2-spec-os.doc
Apache Software Foundation. Apache WSS4J API overview. http://ws.apache.org/wss4j/
Apache Software Foundation (2009) Axis2 security module. http://axis.apache.org/axis2/java/rampart/
Lee SM, Kwon OS, Lee JH et al (2003) Ty*SecureWS: an integrated web service security solution based on Java. Lect Notes Comput Sci 2738:186
Wenjun Z (2010) Integrated security framework for secure web services. Third international symposium on intelligent information technology and security informatics
Singhal A, Winograd T, Scarfone K (2007) Guide to secure web services (NIST SP 800–95), National Institute of Standards and Technology (NIST), technical report
W3C (2007) Web Services Policy Version 1.5 – Framework. http://www.w3.org/TR/2007/REC-ws-policy-20070904
W3C (2007) Web Services Policy Version 1.5 – Attachment. http://www.w3.org/TR/2007/REC-ws-policy-attach-20070904
OASIS. Security Assertion Markup Language (SAML) Version 2.0 http://docs.oasis-open.org/security/saml/v2.0/
MIT Kerberos Consortium. The MIT Kerberos administrator’s how-to guide http://www.kerberos.org/
ITU Telecommunication Standardization Sector. Internet X.509 Public Key Infrastructure http://www.itu.int/rec/T-REC-X.509/en
OASIS. WS-ReliableMessaging Version 1.1 http://www.oasis-open.org/committees/wsrm
Tsai WT, Liu X, Chen Y (2005) Distributed policy specification and enforcement in service-oriented business systems. In: IEEE international conference on e-Business engineering (ICEBE), pp 10–17
Bernhard H (2009) WS-Policy: on conditional and custom assertions. IEEE international conference on web services
Li ZQ, Ma DF, Sun D, Liu J (2011) SEDA4SC: A staged event-driven architecture for adaptive service computing runtime. In: IEEE symposium on computers and communications (ISCC11)
Eric Y, Tong J (2005) Attribute-based access control (ABAC) for web services. In: Proceedings of the IEEE international conference on web services (ICWS05), pp 561–569
OW2 Consortium, http://www.ow2.org/
W3C. XML Key Management Specification (XKMS) Version 2.0 http://www.w3.org/TR/xkms2/
Apache Axis. Available from: http://ws.apache.org/axis/
Apache Axis2. Available from: http://ws.apache.org/axis2/
Apache CXF. Available from: http://cxf.apache.org/
Sun GlassFish. Available from: http://glassfish.java.net/
Su J, Hu CM, Ge S et al (2004) Research and implementation of web service runtime platform. J Comput Res Dev 41(3):442250
Apache Neethi. Available from: http://ws.apache.org/neethi/
Sidharth N, Liu J (2007) IAPF: a framework for enhancing web services security. In: 31st annual international computer software and applications conference
Shahgholi N, Mohsenzadeh M (2011) A new security framework against web services XML attacks in SOA. In: 7th international conference on next generation web services practices
Moradian E, Hakansson A (2006) Possible attacks on XML web services. Int J Comput Sci Netw Secur 6:154–170
Thales Company of France, http://www.thalesgroup.com
OASIS (2005) WS-Trust Version 1.2. http://docs.oasis-open.org/ws-sx/ws-trust/v1.2/os/ws-trust-1.2-spec-os.doc
OASIS (2006) WS-SecureConversation Version 1.2. http://docs.oasis-open.org/ws-sx/ws-secureconversation/v1.2/os/ws-secureconversation-1.2-spec-os.doc
Acknowledgments
This work was funded by French company Thales [40] (BaiMai Phase II fBPEL Project 2010), National Natural Science Foundation of China (No. 61003017) and Electronic Information Industry Development Foundation of China.
Cite this article
Zeng, H., Ma, D., Zhao, Y. et al. PBA4WSSP: a policy-based architecture for web services security processing. SOCA 8, 55–72 (2014). https://doi.org/10.1007/s11761-013-0143-5