Publication
Featured research published by Anthony Joseph Nadalin.
IBM Systems Journal | 2002
Maryann Hondo; Nataraj Nagaratnam; Anthony Joseph Nadalin
The Web service security challenge is to understand and assess the risk involved in securing a Web-based service today, based on our existing security technology, and at the same time track emerging standards and understand how they will be used to offset the risk in new Web services. Any security model must illustrate how data can flow through an application and network topology to meet the requirements defined by the business without exposing the data to undue risk. In this paper we propose a mechanism for the client to provide authentication data, based on the service definition, and for the service provider to retrieve those data. We also show how XML Digital Signatures and encryption can be exploited to achieve a level of trust.
HTTP, Web Server and Web Services share a very complicated set of functionalities and exchanges of information. Each and every component plays a very important role in the thousands of functions which any user can access and utilize over the Internet. Hyper Text Transfer Protocol allows users to interact with Web Servers and hence they can access the information via the Internet. If any user requests data and files, Web servers serve them. Web Services allow cross-system, cross-language communication among various types of machines and enable inter-business transaction and communications. Although each technology works on its own and performs many useful functions, it is the combination of these technologies that has created the dynamic functionalities of the Web that are available today. This research paper will explore the inter-relationships between HTTP, Web Servers and Web Services technologies that have facilitated the functionalities and convenience of the Web. Web Services are a very powerful tool that has greatly enhanced the efficiency and communication among businesses.
According to the World Wide Web Consortium (W3C), "a Web Service is a software system designed to support interoperable machine-to-machine interaction over a network." According to Zeldman, Web Services are "reusable software components based on XML and related protocols that enable near zero-cost interaction throughout the business ecosystem." In other words, Web Services are the software system that allows servers and client computers to communicate with each other regardless of each individual machine's environment (operating systems and programming
Annual Computer Security Applications Conference | 1999
Charlie Lai; Li Gong; Larry Koved; Anthony Joseph Nadalin; Roland Schemers
Java™ security technology originally focused on creating a safe environment in which to run potentially untrusted code downloaded from the public network. With the latest release of the Java™ platform (the Java™ 2 Software Development Kit, v 1.2), fine-grained access controls can be placed upon critical resources with regard to the identity of the running applets and applications, which are distinguished by where the code came from and who signed it. However, the Java platform still lacks the means to enforce access controls based on the identity of the user who runs the code. In this paper we describe the design and implementation of the Java™ Authentication and Authorization Service (JAAS), a framework and programming interface that augments the Java™ platform with both user-based authentication and access control capabilities.
IBM Systems Journal | 2001
Larry Koved; Anthony Joseph Nadalin; Nataraj Nagaratnam; Marco Pistoia; Theodore Jack London Shrader
As e-business matures, companies require enterprise-scalable functionality for their corporate Internet and intranet environments. To support the expansion of their computing boundaries, businesses have embraced Web application servers. These servers support servlets, JavaServer Pages™, and Enterprise JavaBeans™ technologies, providing simplified development and flexible deployment of Web-based applications. However, securing this malleable model presents a challenge. Successful companies recognize that their security infrastructures need to address the e-business challenge. They are aware of the types of attacks that malevolent entities can launch against their servers and can plan appropriate defenses.
IBM Systems Journal | 2005
Nataraj Nagaratnam; Anthony Joseph Nadalin; Maryann Hondo; Michael Philip McIntosh; Paula Austel
Business-driven development and management of secure applications and solutions is emerging as a key requirement in the realization of an on demand enterprise. In a given enterprise, individuals acting in various roles contribute to the modeling, development, deployment, and management of the security aspects of a business application. We look at the business-application life cycle and propose a policy-driven approach overlaid on a model-driven paradigm for addressing security requirements. Our approach suggests that security policies are to be modeled using policies and rule templates associated with business processes and models, designed and implemented through infrastructure-managed or application-managed environments based on modeled artifacts, deployed into an infrastructure and potentially customized to meet the security requirements of the consumer, and monitored and managed to reflect a consistent set of policies across the enterprise and all layers of its application infrastructure. We use a pragmatic approach to identify intersection points between the platform-independent modeling of security policies and their concrete articulation and enforcement. This approach offers a way to manage and monitor systems behavior for adherence and compliance to policies. Monitoring may be enabled through both information technology (IT) and business dashboards. Systematic approaches to connect business artifacts to implementation artifacts help implement business policies in system implementations. Best practices and security usage patterns influence the design of reusable and customizable templates. Because interoperability and portability are important in service-oriented architecture (SOA) environments, we list enhancements to standards (e.g., Business Process Execution Language [BPEL], Unified Modeling Language™ [UML®]) that must be addressed to achieve an effective life cycle.
IBM Systems Journal | 1996
Messaoud Benantar; Bob Blakley; Anthony Joseph Nadalin
We briefly review the IBM System Object Model (SOM, incorporated in SOMobjects™) and Distributed SOM (DSOM). We then describe the base DSOM security architecture characterized by the presence of the Object Security Service (OSS) framework in the DSOM run-time environment. Depending on its implementation, this framework can be wrapped around procedural security service providers, thus taking advantage of existing security mechanisms. Subsequently we elaborate on the OSS elements for authentication and authorization and how they relate to the DSOM Object Request Broker (ORB™) on the one hand, and to the client and server applications on the other hand. We discuss the DSOM approach to object access control and present a novel method for enforcing it.
Proceedings of IFIP/IEEE International Conference on Distributed Platforms | 1996
Messaoud Benantar; Bob Blakley; Anthony Joseph Nadalin
We review IBM's System Object Model (SOM) and Distributed SOM (DSOM). Then, we introduce DSOM's approach to object access control and contrast it with traditional procedural systems. Subsequently, we elaborate on the problem addressed in this paper that seeks to enable the process of object access control within the DSOM kernel transparently from application developers. We discuss different approaches to solving the problem and present the adopted method. We provide implementation details of the solution and conclude with remarks on future improvement.
Innovations in Systems and Software Engineering | 2006
Anthony Joseph Nadalin; Nataraj Nagaratnam; Maryann Hondo
Securing applications in a service-oriented architecture is challenging, because the loose coupling that characterizes a SOA can also expose existing security implementations’ brittleness. Our solution includes well-defined trust models based on acceptable forms of proof, as well as reliance on policies, Web Services security, and security engineering best practices.
Archive | 1996
Messaoud Benantar; George Robert Blakley; Anthony Joseph Nadalin
Archive | 2003
Barry D. Atkins; David O. Melgar; Anthony Joseph Nadalin; Ajamu A. Wesley
Archive | 2002
George Robert Blakley; Heather Maria Hinton; Anthony Joseph Nadalin; Birgit Pfitzmann