Abstract
The Service-Oriented Architecture (SOA) makes application development flexible: services are composed in a highly distributed manner. That flexibility, however, makes it hard for users to define application configurations properly. For the security concerns addressed in this paper, WS-SecurityPolicy provides a standard way to describe security policies, but users have no easy way to confirm that the policies they define are valid. This paper discusses the validation of WS-SecurityPolicy in the context of the Service Component Architecture and proposes a method called syntactic validation. Most enterprises have security guidelines, some of which can be expressed as required formats of Web services security messages; standard profiles such as the WS-I Basic Security Profile likewise prescribe message formats. Because these guidelines and profiles are based on accepted best practices, checking a policy syntactically against them is effective enough in practice to prevent security vulnerabilities.
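To make the idea of syntactic validation concrete, the following added example (not code from the paper or its authors) checks a WS-SecurityPolicy 1.2 fragment against a handful of guideline-style rules. The four rules R1 to R4, the rule identifiers and both sample policies are constructed for illustration; only the `sp:` and `wsp:` namespaces and element names are taken from the WS-SecurityPolicy 1.2 and WS-Policy 1.5 specifications.

```python
"""Toy syntactic validator for WS-SecurityPolicy fragments (added example).

The rules below are constructed guideline rules, not rules from the paper
or from the WS-I Basic Security Profile; they only illustrate the kind of
message-format check that syntactic validation performs.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP = "http://www.w3.org/ns/ws-policy"                              # WS-Policy 1.5
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")


def q(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def local_name(tag):
    return tag.split("}", 1)[1] if "}" in tag else tag


def check_policy(xml_text):
    """Return a list of (rule_id, message) violations for one policy document."""
    root = ET.fromstring(xml_text)
    violations = []
    bindings = [el for name in BINDINGS for el in root.iter(q(SP, name))]

    # R1 (constructed): every security binding must declare an sp:AlgorithmSuite.
    for b in bindings:
        if b.find(".//" + q(SP, "AlgorithmSuite")) is None:
            violations.append(("R1", "%s lacks sp:AlgorithmSuite" % local_name(b.tag)))

    # R2 (constructed): algorithm suites using RSA-1.5 key transport are not allowed.
    for suite in root.iter(q(SP, "AlgorithmSuite")):
        for el in suite.iter():
            name = local_name(el.tag)
            if name.endswith("Rsa15"):
                violations.append(("R2", "suite %s uses RSA-1.5 key transport" % name))

    # R3 (constructed): encrypted message parts must also be signed.
    if (root.find(".//" + q(SP, "EncryptedParts")) is not None
            and root.find(".//" + q(SP, "SignedParts")) is None):
        violations.append(("R3", "sp:EncryptedParts present without sp:SignedParts"))

    # R4 (constructed): each binding must require a timestamp (supports replay detection).
    for b in bindings:
        if b.find(".//" + q(SP, "IncludeTimestamp")) is None:
            violations.append(("R4", "%s lacks sp:IncludeTimestamp" % local_name(b.tag)))

    return violations


def violated_rule_ids(xml_text):
    """Convenience wrapper: just the rule identifiers, in detection order."""
    return [rule_id for rule_id, _ in check_policy(xml_text)]


# Constructed sample: encrypts the body but never signs it, uses an RSA-1.5 suite, no timestamp.
WEAK_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (WSP, SP)

# Constructed sample that satisfies all four rules.
STRONG_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (WSP, SP)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(label, check_policy(policy))
```

The checker never interprets the policy semantically (it does not reason about what the combination of assertions means on the wire); it only tests whether the document's structure matches the prescribed format, which is exactly the trade-off the abstract describes: cheap, and effective to the extent that the guideline rules encode good practice.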
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Nakamura, Y., Sato, F., Chung, HV. (2007). Syntactic Validation of Web Services Security Policies. In: Krämer, B.J., Lin, KJ., Narasimhan, P. (eds) Service-Oriented Computing – ICSOC 2007. ICSOC 2007. Lecture Notes in Computer Science, vol 4749. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74974-5_26
DOI: https://doi.org/10.1007/978-3-540-74974-5_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74973-8
Online ISBN: 978-3-540-74974-5