Middleware Support for Complex and Distributed Security Services in Multi-tier Web Applications

  • Philippe De Ryck
  • Lieven Desmet
  • Wouter Joosen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)


The security requirements of complex multi-tier web applications have shifted from simple localized needs, such as authentication or authorization, to physically distributed but actually aggregated services, such as end-to-end data protection, non-repudiation or patient consent management. Currently, there is no support for integrating complex security services in web architectures, nor are approaches from other architectural models easily portable. In this paper we present the architecture of a security middleware, aimed at providing a reusable solution bringing support for complex security requirements into the application architecture, while addressing typical web architecture challenges, such as the tiered model or the lack of sophisticated client-side logic. We both evaluate the security of the middleware and present a case study and prototype implementation, which show how the complexities of a web architecture can be dealt with while limiting the integration effort.


Keywords: middleware, multi-tier architecture, security, web application, non-repudiation





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Philippe De Ryck (1)
  • Lieven Desmet (1)
  • Wouter Joosen (1)

  1. IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium
