Security for Web Services and Service-Oriented Architectures
Format: PDF / Kindle (mobi) / ePub
Web services technologies are advancing fast and being extensively deployed in many different application environments. Web services based on the eXtensible Markup Language (XML), the Simple Object Access Protocol (SOAP), and related standards, and deployed in Service-Oriented Architectures (SOAs), are the key to Web-based interoperability for applications within and across organizations. Furthermore, they are making it possible to deploy applications that can be directly used by people, and thus making the Web a rich and powerful social interaction medium. The term Web 2.0 has been coined to embrace all those new collaborative applications and to indicate a new, "social" approach to generating and distributing Web content, characterized by open communication, decentralization of authority, and freedom to share and reuse. For Web services technologies to hold their promise, it is crucial that security of services and their interactions with users be assured. Confidentiality, integrity, availability, and digital identity management are all required. People need to be assured that their interactions with services over the Web are kept confidential and the privacy of their personal information is preserved. People need to be sure that information they use for looking up and selecting services is correct and its integrity is assured. People want services to be available when needed. They also require interactions to be convenient and personalized, in addition to being private. Addressing these requirements, especially when dealing with open distributed applications, is a formidable challenge.
configurations which are becoming quite complex to manage. Configuration errors can be further classified as:
• Unnecessary (or dangerous) services. Since it is usually easier to install a software component with its default configuration, systems are often configured to bring up services and allow connections that are not strictly required.
• Access control misconfiguration. Complex systems might have elaborate access control policies based on groups and/or roles and per-
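The first class of configuration error above, unnecessary services brought up by default installs, is the kind of thing a practitioner checks mechanically. The following script is an added example and is not code from the book: it parses listening-socket output in the format produced by `ss -Hlntp` and flags every listener that is missing from an allow-list, run by an unexpected process, or bound to a non-loopback address when the policy marks it local-only. The sample output, the allow-list and the process names are constructed for illustration.

```python
"""Audit listening services against an allow-list.

Added example (not from the book). Input is a constructed sample in the
format of `ss -Hlntp` ("-H" suppresses the header line).
"""
import re
from dataclasses import dataclass

# Constructed sample, NOT captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1201,fd=57))
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=930,fd=6))
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=977,fd=21))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1010,fd=4))
LISTEN 0 4096 [::]:8443 [::]:* users:(("java",pid=1201,fd=58))
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1100,fd=6))
"""

# Hypothetical policy: port -> (expected process, scope).
# "public" may bind any address; "local" must bind loopback only.
ALLOWED = {
    22: ("sshd", "public"),
    8080: ("java", "public"),
    8443: ("java", "public"),
    5432: ("postgres", "local"),
    6379: ("redis-server", "local"),
}

# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=..,fd=..))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback(self) -> bool:
        return self.addr in ("127.0.0.1", "[::1]")


def parse_ss(output: str) -> list:
    """Parse `ss -Hlntp` style lines into Listener records; skips junk lines."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit(listeners, allowed) -> list:
    """Return (port, process, reason) for every listener violating the policy."""
    findings = []
    for lst in listeners:
        entry = allowed.get(lst.port)
        if entry is None:
            findings.append((lst.port, lst.process, "not on allow-list"))
            continue
        proc, scope = entry
        if proc != lst.process:
            findings.append((lst.port, lst.process, f"unexpected process (expected {proc})"))
        if scope == "local" and not lst.loopback:
            findings.append((lst.port, lst.process,
                             "local-only service bound to a non-loopback address"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"port {port} ({proc}): {reason}")
```

On a real host, replace the constant with the output of `ss -Hlntp` (run as root so process names are populated) and keep the allow-list in version control, so that a newly appearing listener is a reviewable change rather than a silent default.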
services, such as social networking sites and wikis, which support collaboration and sharing between users. The term Web 2.0 has been coined to embrace all those new collaborative applications and also to indicate a new "social" approach to generating and distributing Web content, characterized by open communication, decentralization of authority, and freedom to share and reuse. Web service technology is thus emerging as the technology making the Web the "place" where the majority of human
approaches do not provide information about the verification of the identity data of the individuals enrolled and stored at the IdPs. If an IdP has such information, then the SPs are in a position to make a more accurate judgment concerning the trustworthiness of such identity information. The second major drawback is that no specific techniques are provided to protect against the misuse of identity attributes stored at the IdPs and SPs. Even the notion of misuse of such attributes has not been
should disclose only the identity attributes that are actually required for the transactions at hand. One approach to achieve such a level of flexibility and fine-grained access in identity management systems is to enhance IdM technology with automated trust negotiation (ATN) techniques [38, 238]. Trust negotiation is an access control approach for establishing trust in open systems like the Internet. The idea of trust negotiation is to establish trust on-line between (generally) two negotiating
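The exchange that trust negotiation describes, as an added example that is not code from the book or from any ATN implementation it cites: two parties each hold credentials guarded by a disclosure policy (a credential, or the requested resource, is released only after the counterpart has shown the credentials the policy names), and requests are driven backwards from the resource's policy so that each side discloses only what is actually needed. The party names, credential names and policies are constructed for illustration; the strategy (release whatever has just been unlocked, then ask for the prerequisites of what is still locked) is a simplification of the negotiation strategies in the literature.

```python
"""Simplified automated trust negotiation (ATN) between two parties.

Added example, not from the book. Credentials are plain names; a real
deployment would exchange signed credentials and verify them on receipt.
"""


class Party:
    def __init__(self, name, credentials, policies):
        self.name = name
        self.credentials = set(credentials)       # credentials this party holds
        # item -> counterpart credentials that must be shown before item is released;
        # an item with no policy entry is freely disclosable
        self.policies = {k: set(v) for k, v in policies.items()}
        self.disclosed = set()   # own credentials already shown to the counterpart
        self.seen = set()        # counterpart credentials received so far
        self.demands = set()     # own credentials the counterpart has asked for
        self.asked = set()       # counterpart credentials this party has asked for

    def unlocked(self, item):
        """True once the counterpart has shown everything item's policy requires."""
        return self.policies.get(item, set()) <= self.seen


def negotiate(requester, provider, resource, max_rounds=10):
    """Alternate turns until `resource` is granted, a party lacks a demanded
    credential, or neither side can make progress. Returns (granted, transcript)."""
    transcript = [f"{requester.name} -> {provider.name}: request {resource}"]
    provider.asked |= provider.policies.get(resource, set())
    active, other = provider, requester
    for _ in range(max_rounds):
        if provider.unlocked(resource):
            transcript.append(f"{provider.name} -> {requester.name}: grant {resource}")
            return True, transcript
        # 1. release every demanded credential that is held and now unlocked
        ready = {c for c in active.demands
                 if c in active.credentials and active.unlocked(c)} - active.disclosed
        if ready:
            active.disclosed |= ready
            other.seen |= ready
            active.demands -= ready
            transcript.append(f"{active.name} -> {other.name}: disclose {sorted(ready)}")
        # 2. for demanded credentials still locked, ask for their prerequisites
        for cred in active.demands:
            if cred not in active.credentials:
                transcript.append(f"{active.name}: does not hold {cred}, abort")
                return False, transcript
            active.asked |= active.policies.get(cred, set())
        new = active.asked - other.disclosed - other.demands
        if new:
            other.demands |= new
            transcript.append(f"{active.name} -> {other.name}: request {sorted(new)}")
        elif not ready:
            # nothing disclosed and nothing new to ask: policies are circular
            transcript.append("stalemate: neither side can disclose more")
            return False, transcript
        active, other = other, active
    return False, transcript


def demo():
    """Constructed scenario: a patient asks a hospital for her records."""
    alice = Party("alice", {"patient_id", "insurance_card"},
                  {"patient_id": {"hospital_license"}})
    hospital = Party("hospital", {"hospital_license"},
                     {"medical_records": {"patient_id"}})
    return negotiate(alice, hospital, "medical_records")


if __name__ == "__main__":
    granted, log = demo()
    print("\n".join(log))
    print("granted" if granted else "denied")
```

In the constructed scenario the hospital's license is freely disclosable, the patient's identifier is released only to a licensed hospital, and the records are released only to an identified patient, so the run takes two request/disclose rounds and the unrelated insurance card is never shown. Swapping the license's policy to itself require the patient identifier makes both sides wait on each other, which the stalemate branch reports instead of looping.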
change. In order to survive and prosper in the coming years, these organizations will need to develop a capability to sustain a state of change and evolution. The ability of an organization's IT systems to cope with this level of change will be a significant factor in the organization's success in adapting to this increasingly dynamic business environment. Organizations are addressing this by adopting service-oriented architecture (SOA) principles. Service orientation (and SOA in general) is