Seamlessly Securing Web Services Using Policies
                            Mifla Mashood, Gihan Wikramanayake
Upcoming SlideShare
Loading in …5

Seamlessly Securing Web Services Using Policies


Published on

Mifla Mashood, G N Wikramanayake (2006) "Seamlessly Securing Web Services Using Policies" In:8th International Information Technology Conference on Innovations for a Knowledge Economy, pp. 244. Infotel Lanka Society, Colombo, Sri Lanka: IITC Oct 12-13

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Seamlessly Securing Web Services Using Policies

  1. 1. Seamlessly Securing Web Services Using Policies Mifla Mashood, Gihan Wikramanayake University of Colombo School of Computing, 1. Introduction integrity of the transmitted data. Based on this, the receiver is able to grant authorization to the As Web Services begin to dominate the market system’s access. Thus any message level security of distributed computing, securing the pipelines solution for web services would involve the from intruders is becoming a mission, which modification and the apposite interpretation of cannot be considered as trivial anymore. In the SOAP messages. In the solution proposed today’s highly competitive world, businesses herein the SOAP payload is modified and adopt web services due to its very attractive interpreted by the use of policy files. features like platform independency, In order to successfully integrate with a policy unprecedented support from major vendors, based web service, one must fully understand the ability of seamlessly interfacing with legacy service's XML contract (also referred to as systems, use of standardized protocols (SOAP, policies). A standard policy framework such as XML, UDDI, WSDL etc…) etc…As a result WS-Policy, which forms an integral part of the they unsuspectingly expose themselves into a solution proposed herein would make it possible zone filled with security loop holes which can for developers to express the policies of services pose a great threat to confidential data which in a machine-readable way, enforce them and might be travelling through the channels using interpret them. For example, a developer could these services. write a policy stating that a given service requires Kerberos tokens, digital signatures and This paper intends to propose a comprehensive encryption and others could use the policy security solution for securing web services information to decide whether they can use the through the use of policies, which can be easily service. Plus, the infrastructure could enforce incorporated into the existing infrastructures these requirements without requiring the with minimum cost and effort on the part of the developer to write a single line of code offering developers and businesses. developers a more declarative programming model. 2. Problem definition WS-Policy provides a flexible and extensible In this era of IT where SSL is considered as a grammar for expressing policies in a machine- pioneer in securing communication lines against readable XML format. The XML representation encroachments of many kinds, the most obvious of a policy is referred to as a policy expression. question anyone would pose is, why not use SSL A policy expression is bound to a policy subject to secure web services? Although it might seem (e.g., a Web service endpoint). WSE 3.0 by as a valid argument at the onset, SSL used alone, Microsoft has been one of the most effective and does not provide a comprehensive security widely adopted practical implementation of all solution for web services. Thus, various XML- these specifications based security initiatives are in the works to address Web services' unique security needs. 4. Conclusions and Future Work 3. A solution using policies Although the proposed solution seem to be ideal in seamlessly integrating security into the SOAP, the lightweight XML-based protocol of existing web service infrastructures it could web services does not come with any security prove to be a burden on part of the applications, features. Taking XML’s co-standards encrypting which might require slight alterations in order to and digitally signing into account, arbitrary incorporate these changes. Thus future work can SOAP calls could be secured with respect to be channelled through lines where even the privacy, authentication, non-repudiation, and applications would be able to transit seamlessly to use these policy files. 244