Securing Web Services: Practical Usage of Standards and Specifications

Lan Anh Tran (Victoria University of Wellington, New Zealand)

Library Hi Tech

ISSN: 0737-8831

Article publication date: 13 June 2008

Anh Tran, L. (2008), "Securing Web Services: Practical Usage of Standards and Specifications", Library Hi Tech, Vol. 26 No. 2, pp. 321-323.

Emerald Group Publishing Limited

Copyright © 2008, Emerald Group Publishing Limited

During the last five years, along with the development of basic web security standards, there has been a good deal of research on the uses and applications of basic security technologies, as well as on their benefits and obstacles. This book is a collection of selected research papers on such security technologies for current web services (WS). In addition it contains critical experience reports on implementing WS security mechanisms. Most topics cover security aspects of SOAP (Simple Object Access Protocol)‐based web services. The core of SOAP security is defined by a collection of WS specifications (such as WS‐Trust and WS‐SecureConversation).

The chapters are organised according to important aspects of web security standards such as: architecture, authority, interactions, security, development and enhancement of WS.

Regarding the architectural aspect, Fox et al. introduce an inclusive development of web Service‐Oriented Architectures (SOAs) and specifications (Chapter 2). Related to this work, Padmanabhuni and Adarkar describe the different facets of security that apply to the implementation of SOA (Chapter 1); and Carminati, Ferrari and Hung discuss security issues and architectural requirements that arise when composing web services (Chapter 3).

In terms of the authority aspect, Chadwick defines the Delegation of Authority (DOA) as an essential procedure in every business. Specifically, the authors enumerate the requirements of DOA and develop various models and architectures that can support DOA web services (Chapter 5). Furthermore, Bhatti et al. examine a policy‐based authorisation framework to use access control in web services and to support WS‐policy specifications. Such a framework allows separate policies to be associated with multiple components of WS description, and to be associated with the architecture of the web services environment (Chapter 6).

Moving to the next aspect, Cook, Robinson and Shrivastava discuss the problem of making high‐value Business‐to‐Business (B2B) interactions “nonrepudiable”, where “nonrepudiation” is the property that no party to an interaction can later deny having taken part in it (Chapter 4). In addition to this aspect, the authors investigate the design and implementation of a novel web services‐based middleware that leverages existing web service standards.

Another aspect, security and privacy, is considered one of the most important elements of web services, because it keeps business transactions secure, protects privacy and eases access to services. Namli and Dogac (Chapter 8) discuss two recent web service standards:

  1. SAML is an XML‐based framework for managing user authentication;

  2. XACML is the complementary standard for making access control decisions.
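To make the division of labour between the two standards concrete, the following added example (not from the book or the chapter under review) shows a SAML 2.0 assertion carrying an authenticated subject and a role attribute, and an XACML 3.0 policy deciding whether that subject may perform an action. Both documents are constructed samples; the assertion is unsigned, and a real relying party would verify its XML signature, issuer, audience and validity window before trusting any attribute in it. The policy evaluator implements only the `string-equal` match function and the `first-applicable` rule-combining algorithm, which is enough to show how a request is matched against rule targets and how a final catch-all rule denies everything the earlier rules do not permit.

```python
"""Added example: SAML 2.0 attributes feeding an XACML 3.0 access decision.
Constructed, unsigned sample documents; not code from the book under review."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
}
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"

# Constructed, unsigned SAML assertion: the identity provider states who the user is
# and which role applies. A real relying party checks the signature before trusting it.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2008-06-13T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>librarian</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed XACML 3.0 policy: librarians may read; the final rule denies everything else.
XACML_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="catalogue-policy" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="librarian-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">librarian</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"><Target/></Rule>
</Policy>"""


def saml_attributes(assertion_xml):
    """Pull the authenticated subject and its attributes out of a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {"subject-id": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return attrs


def _match(match, request):
    """One XACML <Match>: compare the literal value with the designated request attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + str(match.get("MatchId")))
    literal = match.findtext("x:AttributeValue", namespaces=NS)
    desig = match.find("x:AttributeDesignator", NS)
    actual = request.get((desig.get("Category"), desig.get("AttributeId")))
    return actual is not None and actual == literal


def _target_applies(target, request):
    """An empty or absent Target applies to everything; otherwise every AnyOf
    needs at least one AllOf whose Match elements all succeed."""
    if target is None:
        return True
    for any_of in target.iterfind("x:AnyOf", NS):
        if not any(all(_match(m, request) for m in all_of.iterfind("x:Match", NS))
                   for all_of in any_of.iterfind("x:AllOf", NS)):
            return False
    return True


def evaluate(policy_xml, request):
    """Policy decision point: Permit, Deny or NotApplicable under first-applicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is implemented in this example")
    if not _target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.iterfind("x:Rule", NS):
        if _target_applies(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"


def authorize(assertion_xml, action, resource):
    """Policy enforcement point: SAML attributes become the XACML request context,
    and anything other than an explicit Permit is treated as Deny (fail closed)."""
    who = saml_attributes(assertion_xml)
    request = {
        (SUBJECT_CAT, "urn:oasis:names:tc:xacml:1.0:subject:subject-id"): who["subject-id"],
        (SUBJECT_CAT, "role"): who.get("role"),
        (ACTION_CAT, "urn:oasis:names:tc:xacml:1.0:action:action-id"): action,
        (RESOURCE_CAT, "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): resource,
    }
    return "Permit" if evaluate(XACML_POLICY, request) == "Permit" else "Deny"
```

The enforcement point maps `NotApplicable` to `Deny` deliberately: a policy that does not mention a request should never grant it. Note also that the sample parses the documents with the standard library parser for brevity; assertions arriving from a network peer are untrusted XML and should go through a parser hardened against entity expansion and external references.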

Additionally, Beznosov (Chapter 9) reports on designing and implementing a flexible and extensible protection architecture for protecting enterprise‐grade web service applications hosted by ASP.NET. In a broader view, Clemente et al. focus on security policy. These authors describe policies enriched by semantics in terms of security management, and also offer an evaluation of the ongoing efforts that use semantic web languages for presenting policies among distributed systems (Chapter 7).

In association with all previous aspects, the development and enhancement of secure web services are presented in Chapters 10‐12 and 14. Kaliontzoglou, Karantjias and Polemi (Chapter 10) study three innovative e‐government services based on a common and systematic approach to security and interoperability aspects, service specifications and use cases. Related to this study, but in a different area, Akram et al. (Chapter 11) report on a case study based on the distributed market. They describe the requirements of a dynamic business process (called “Business Process Grid”) within an organisation or enterprise, and different use cases in various contexts. From the technological perspective, Naseer and Stergioulas present a further study on combining web services and grid services (Chapter 12). They examine the possible approaches to integrating the web and grid services. Finally, Platzer, Rosenberg and Dustdar explore various methods for enhancing web service discovery and monitoring with quality of service information (Chapter 14). They focus on various ways of describing, bootstrapping and evaluating quality of service attributes during web service implementation.

This book is an excellent demonstration of recent research and studies on a variety of topics associated with web service security. It provides students, practitioners and researchers with an essential resource on WS security models that focuses on developing, designing, integrating and using security technologies to enable a variety of systems and networks to operate securely.