500,554 research outputs found

    Study on Web Service Security

    We studied the newly standardized security technologies for Web Services, SAML (Security Assertion Markup Language), which is for authentication, and XACML (XML Access Control Markup Language), which is for access control. We applied these technologies in an experimental system and confirmed that these technologies, combined together, can realize secure Web Services

    XML-based Web Services Technology to Implement a Prototype Command and Control System

    A command and control system is a complex system of systems. For its ability to improve the command and control efficiency and multiply operational capability, command and control system investment is always a benchmark for military modernisation. However, most command and control systems were independently developed, validated and approved as a stand-alone solution to reflect service requirement rather than joint focused. These stovepipe systems not only have an adverse impact on joint or coalition operation, but also are fairly difficult to integrate and interoperate effectively with other systems. To solve these problems, the study applies XML standard to redefine the structured radar track and global positioning system (GPS) positioning data formats. Radar tracking data and GPS positioning data generator were implemented to simulate air and land targets. In addition, the static intelligence databases, such as order of battle, were built for information exchange with other systems. Sensors, GPS, and intelligence web services, including simple object access protocol (SOAP) and web service definition language (WSDL) are constructed to provide near-real-time static intelligence and dynamic track services. All relevant command and control centres may subscribe the necessary services from the service providers to work together with their own systems for mission needs. The implementation of result demonstrates XML-based web services technology and makes command and control system integration easy, flexible, and cost effective

    A Logic-Based Framework for Web Access Control Policies

    With the widespread use of web services, there is a need for adequate security and privacy support to protect the sensitive information these services could provide. As a result, there has been a great interest in access control policy languages which accommodate large, open, distributed and heterogeneous environments like the Web. XACML has emerged as a popular access control language, but because of its rich expressiveness and informal semantics, it suffers from a) a lack of understanding of its formal properties, and b) a lack of automated, compile-time services that can detect errors in expressive, distributed and heterogeneous policies. In this dissertation, I present a logic-based framework for XACML that addresses the above issues. One component of the framework is a Datalog-based mapping for XACML v3.0 that provides a theoretical foundation for the language, namely: a concise logic-based semantics and complexity results for full XACML and various fragments. Additionally, my mapping discovers close relationships between XACML and other logic based languages such as the Flexible Authorization Framework. The second component of this framework provides a practical foundation for static analysis of expressive XACML policies. The analysis services detect semantic errors or differences between policies before they are deployed. To provide these services, I present a mapping from XACML to the Web Ontology Language (OWL), which is the standardized language for representing the semantics of information on the Web. In particular, I focus on the OWL-DL sub-language, which is a logic-based fragment of OWL. Finally, to demonstrate the practicality of using OWL-DL reasoners as policy analyzers, I have implemented an OWL-based XACML analyzer and performed extensive empirical evaluation using both real world and synthetic policy sets

    Earth Science Mining Web Services

    To allow scientists further capabilities in the area of data mining and web services, the Goddard Earth Sciences Data and Information Services Center (GES DISC) and researchers at the University of Alabama in Huntsville (UAH) have developed a system to mine data at the source without the need of network transfers. The system has been constructed by linking together several pre-existing technologies: the Simple Scalable Script-based Science Processor for Measurements (S4PM), a processing engine at the GES DISC; the Algorithm Development and Mining (ADaM) system, a data mining toolkit from UAH that can be configured in a variety of ways to create customized mining processes; ActiveBPEL, a workflow execution engine based on BPEL (Business Process Execution Language); XBaya, a graphical workflow composer; and the EOS Clearinghouse (ECHO). XBaya is used to construct an analysis workflow at UAH using ADaM components, which are also installed remotely at the GES DISC, wrapped as Web Services. The S4PM processing engine searches ECHO for data using space-time criteria, staging them to cache, allowing the ActiveBPEL engine to remotely orchestrate the processing workflow within S4PM. As mining is completed, the output is placed in an FTP holding area for the end user. The goals are to give users control over the data they want to process, while mining data at the data source using the server's resources rather than transferring the full volume over the internet. These diverse technologies have been infused into a functioning, distributed system with only minor changes to the underlying technologies. The key to the infusion is the loosely coupled, Web-Services based architecture: All of the participating components are accessible (one way or another) through (Simple Object Access Protocol) SOAP-based Web Services

    A SOAP Web Services-Based Architecture for Floor Control in Multimedia Conferencing

    Multimedia conferencing applications are an important and widely-used category of Web applications. Floor control is a significant and advanced feature of multimedia conferencing applications. Floor control mechanisms, when introduced in audio/video conferencing, control the media streams such as identifying which participant is allowed to send and who can be seen or heard. This prevents conflict and ensures an optimized use of resources between the conference participants. Floor control is composed of three logical entities: a single floor control server (i.e. entity responsible for managing the floors and their status), one or more floor chairs (moderators), and any number of regular conference participants. This thesis proposes a SOAP Web services based architecture for floor control in multimedia conferencing. Web services are designed to support interoperable machine-to-machine interaction over a network. They are attractive because of their flexibility. There are two types of web services: SOAP Web services and RESTful Web services. In SOAP Web services, interactions between the entities are based on XML and use SOAP, which is embedded in HTTP. RESTful web services are an architectural design style that rely on HTTP, but do not use SOAP. XML is also optional. We propose a set of floor control requirements and use them to review the related work and pinpoint the weaknesses. The proposed architecture includes the main components of floor control. It also includes a comprehensive set of server-side and client-side SOAP web service APIs that expose the floor control capabilities to application developers. The proposed APIs are programming language-independent and provide a higher level of abstraction to the application developers, which enables the interoperability. Furthermore, in the proposed architecture the floor control clients do not interact directly with the floor control server (FCS) but through a gateway accessible using SOAP web services. 
This opens up the possibility to use different floor control protocols transparently to the floor control clients. Application portability is no longer a problem because floor clients access the floor capabilities independently of the protocol supported by the FCS. We have built a conferencing application with floor control as a proof of concept to demonstrate the new interface for floor control and the feasibility of the proposed architecture. In addition, performance measurements have also been made to evaluate the viability of the architecture

    On the performance of access control policy evaluation

    There is growing awareness of the need to protect digital resources and services in both corporate and home ICT scenarios. Meanwhile, communication tools tailored for corporations are blurring the line between communication mechanisms and (near) real-time resource sharing. The resulting requirement for near real-time policy-based access control is technically challenging. In a corporate domain, such access control mechanisms must be unobtrusive and comply with strict security objectives. Thus policy evaluation performance needs to be considered while addressing traditional security concerns. This paper discusses policy system design principles that motivate a novel Policy Decision Point (PDP) implementation and associated policy language. These principles are consistent with recent web development techniques designed to improve performance and scalability. Given a modern web development stack comprising a language (Javascript), a framework (Node.js) and a database management system (Redis), the proposition is that significant performance gains can be made. Our performance experiments suggest this is the case when, through various design iterations, our prototype PDP implementation is compared with an established, Java/XACML-based access control PDP implementation. The experiments presented in this paper suggest that newer technologies offer better performance. The analysis suggests that this is because they offer a more efficient data representation and make better use of computing resources

    Implementation of a Service Broker

    Master's thesis, Informatics Engineering (Architecture, Systems and Computer Networks), Universidade de Lisboa, Faculdade de Ciências, 2010. The implementation of a Service Broker arose in the context of creating a new framework for modular development of the firm where this project was conducted, AMBISIG (Environment and Geographic Information Systems, SA). This new framework aims to enable the creation of applications and solutions that meet global market needs. This Service Broker intends to create a separation between business logic layer and presentation layer, so as to ensure controlled access to existing services. In general this component allows to implement an access control layer in registered web services; library assemblies can be exposed as web services by generating a custom WSDL (Web Service Description Language) for each assembly, identifying possible operations using the reflection technique, and subsequently the same access control layer available for web services is added; and, using a portal accessible to both administrators and ordinary users, it allows an administrator to manage the services provided by the Service Broker, it allows the configuration of permissions for invoking the service and/or its operations and guarantees the possibility of tracking all requests made and recorded by the Service Broker; a normal user can check the services he has access to and can test their functionalities. During this project, many concepts have been tested and implemented in the prototype. The resulting solution, while limited in some areas, is functional and its performance is satisfactory considering the various exploratory concepts on which it relied