Utilizing architecture models for secure distributed web applications and services

Abstract

Today's Web applications are often compositions of distributed yet interconnected services that offer features and data through defined interfaces via standardized protocols. Providing a set of best practices for organizing and utilizing distributed capabilities, the service-oriented architecture design pattern largely contributed to this trend. To react on emerging customer requirements, using agile methodology for Web application development fits well in this context. While it allows promptly responding to change by adjusting the Web application architecture, security must be applied as a holistic approach throughout the entire Web application's lifecycle. There is a need for a flexible, expressive and easy-to-use way to model a Web application's architecture with a strong emphasis on security. This article discusses our work on extending the WebComposition Architecture Model towards a semantically enriched description of a Web application's architecture. For enabling systematic exploitation of such architecture descriptions, we utilize W3C's WebID identity mechanism, the WAC authorization method, and fine-grained filters. We explain how WebID can be applied to allow Web services to mutually authenticate and exchange data, e. g., interface definitions and service parameters, in a controlled way.