118 research outputs found

    Analysis of Windows Cardspace Identity Management System

    The Internet, which was originally developed for academic purposes, has expanded and been applied to commercial and business enterprises. It is possible to purchase airline tickets, check bank balances and communicate through e-mail with each other through the Internet. These services can all be performed relatively easily with the proliferation of Internet Service Providers and the lower cost of Personal Computers. The development of the Internet has also had a huge impact on businesses with the growth of e-commerce, e-banking and the tremendous growth in email traffic. There is however a negative impact to this development of the Internet with the rise in on-line criminal activity. The increasing use of the Internet has resulted in the development of on-line identities for users. There can be a great deal of sensitive and personal information associated with an on-line identity and gaining access to these privileges can provide cyber criminals with access to personal resources such as bank account details, credit card information etc. This type of activity has given rise to the term identity theft. This project will present an introduction to Microsoft Cardspace and how it relates to dealing with identity theft, the theory behind the application and present practical demonstrations of how the technology can be implemented using Microsoft© .NET framework technology.

    Integration and Test of MOF/UML-based Domain-specific Modeling Languages

    In model-driven development (MDD), domain-specific modeling languages (DSMLs) are used as tailor-made software languages targeting dedicated application domains. Due to the narrow domain coverage of DSMLs, demands to integrate their individual functionality into a consolidated DSML arise (e.g., developing a software product combining two or more pre-existing DSMLs). However, in order to realize the benefits of integrated DSMLs, it must be ensured that the integrated DSML is correctly implemented and behaves as specified. To support the integration and the test of DSMLs, this thesis presents an approach targeting the Meta Object Facility (MOF) and the Unified Modeling Language (UML)- a metamodeling infrastructure frequently employed for the MDD of software systems. The integration of DSMLs is based on a rewriting technique for model-to-text (M2T) transformations. This method allows for the reuse as well as for the automatic refactoring of M2T transformation templates to fix important syntactical mismatches between templates and the integrated DSML. To test an integrated DSML, scenarios are used to define domain requirements on an abstract level (via structured text descriptions). In a subsequent step, executable scenario tests are derived from the requirements-level scenarios. These executable scenario specifications are then employed to test the integrated DSML for compliance with corresponding domain requirements. Empirical evaluations of the approach (case studies, controlled experiment) demonstrate its successful application, collect evidence for its usefulness, and quantify its benefits. The integrated proof-of-concept implementations build on the Eclipse Modeling Framework (EMF), making use of and extending well-known Eclipse-based projects. All accompanying developments are placed into the public domain as free/libre open source software. 
Within the framework of this thesis, research results were originally published as individual contributions (workshop, conference, and journal articles). All research contributions are results of applying a design science research approach. (author's abstract)

    Analyzing the Interoperability of WS-Security and WS-ReliableMessaging Implementations

    Since their invention as lightweight integration technology about a decade ago, Web Services have matured significantly. Today, major middleware solution vendors as well as industry communities like RosettaNet are propagating Web services even for exchanging business-critical data and implementing inter-organizational business processes. Core enablers for using Web services in this domain are stateful interactions using the Web Services Business Process Execution Language (WS-BPEL) as well as advanced communication features like security and reliability using the WS-Security and WS-ReliableMessaging standard specifications. However, advanced communication features come at the price of complexity which challenges interoperability across different Web services stack implementations. Interoperability, in turn, is a predominant requirement for an integration technology such as Web services, in particular if inter-organizational business processes are supposed to be implemented on top of that technology. This paper approaches the problem of testing the interoperability of the so-called WS-* standards, advanced Web services communication features that are typically defined as SOAP extensions and configured using WS-Policy. Being essential to business process integration, WS-Security and WS-ReliableMessaging are selected as representatives of this group and the two major Java-based Web services stack implementations Metro and Axis2 are tested for interoperability. We operationalize the notion of interoperability for testing WS-* standards, suppose an approach for deriving test cases from WS-* specifications as well as a method for performing the test cases, and we provide a comprehensive interoperability review of the two selected Web services stack implementations

    Non-functional properties in the model-driven development of service-oriented systems

    Systems based on the service-oriented architecture (SOA) principles have become an important cornerstone of the development of enterprise-scale software applications. They are characterized by separating functions into distinct software units, called services, which can be published, requested and dynamically combined in the production of business applications. Service-oriented systems (SOSs) promise high flexibility, improved maintainability, and simple re-use of functionality. Achieving these properties requires an understanding not only of the individual artifacts of the system but also their integration. In this context, non-functional aspects play an important role and should be analyzed and modeled as early as possible in the development cycle. In this paper, we discuss modeling of non-functional aspects of service-oriented systems, and the use of these models for analysis and deployment. Our contribution in this paper is threefold. First, we show how services and service compositions may be modeled in UML by using a profile for SOA (UML4SOA) and how non-functional properties of service-oriented systems can be represented using the non-functional extension of UML4SOA (UML4SOA-NFP) and the MARTE profile. This enables modeling of performance, security and reliable messaging. Second, we discuss formal analysis of models which respect this design, in particular we consider performance estimates and reliability analysis using the stochastically timed process algebra PEPA as the underlying analytical engine. Last but not least, our models are the source for the application of deployment mechanisms which comprise model-to-model and model-to-text transformations implemented in the framework VIATRA. All techniques presented in this work are illustrated by a running example from an eUniversity case study

    Security Mechanisms for Workflows in Service-Oriented Architectures

    This thesis examines how support for security and identity management can be integrated into a workflow management system. Based on a requirements analysis using an example from vocational continuing education and a comparison with the state of the art, an architecture for the secure execution of workflows and for integration with identity management systems is developed, which enables new applications with improved security and privacy.

    Trust negotiation policy management for service-oriented applications

    Service-oriented architectures (SOA), and in particular Web services, have quickly become a popular technology to connect applications both within and across enterprise boundaries. However, as services are increasingly used to implement critical functionality, security has become an important concern impeding the widespread adoption of SOA. Trust negotiation is an approach to access control that may be applied in scenarios where service requesters are often unknown in advance, such as for services available via the public Internet. Rather than relying on requesters' identities, trust negotiation makes access decisions based on the level of trust established between the requester and the provider in a negotiation, during which the parties exchange credentials, which are signed assertions that describe some attributes of the owner. However, managing the evolution of trust negotiation policies is a difficult problem that has not been sufficiently addressed to date. Access control policies have a lifecycle, and they are revised based on applicable business policies. Additionally, because a trust relationship established in a trust negotiation may be long lasting, their evolution must also be managed. Simply allowing a negotiation to continue according to an old policy may be undesirable, especially if new important constraints have been added. In this thesis, we introduce a model-driven trust negotiation framework for service-oriented applications. The framework employs a model for trust negotiation, based on state machines, that allows automated generation of the control structures necessary to enforce trust negotiation policies from the visual model of the policy. Our policy model also supports lifecycle management. We provide sets of operations to modify policies and to manage ongoing negotiations, and operators for identifying and managing impacts of changes to trust negotiation policies on ongoing trust negotiations. 
The framework presented in the thesis has been implemented in the Trust-Serv prototype, which leverages industry specifications such as WS-Security and WS-Trust to offer a container-centric mechanism for deploying trust negotiation that is transparent to the services being protected

    Model Driven Service Description and Discovery Framework for Carrier Applications

    The most dominant architecture in the contemporary business domain is Service Oriented Architecture (SOA). The large number of the existing service description and discovery systems available today, including the ones proposed in research proposals, reveals an increasing need for adaptive, semantically enriched and context-aware, wide-area service discovery. This need will become more intense in the years to come as the number of available services increases rapidly. The main reason behind the existence of a plethora of such systems is that before these initiatives, the standard in service discovery was taking into account only the syntactic descriptions of the services, causing conflicts when services, with similar syntactic descriptions, needed to be evaluated. The research solutions available today offer efficient and accurate discovery at the syntactic, functional semantic and non-functional semantic level. However, the problem is that there is no general consensus yet regarding service discovery. Research by its very nature, leads to point solutions rather than complete systems. Based on these observations, we propose an adaptive service description and discovery framework for carrier applications, enabling the model-driven specification of services and client profiles, and also, for allowing the dynamic configuration of the services to meet specific quality requirements defined by the clients. The framework was implemented in the context of Model Driven Development, to ensure platform independence at the level of the specification of services. The framework takes the union of the point solutions offered by research proposals in the area of service description and discovery, creates an abstract model, and can compile that model to platform specific code. 
More specifically, services for carrier applications can be specified in a platform independent way both in terms of service signatures (syntactic properties) and in terms of the functionality and the QoS service characteristics (semantic properties). A model transformation framework allows for the creation of a platform specific model for the description of services in a specific technology platform (e.g., Web services). The framework is extensible to accommodate future extensions. In addition, as a proof of concept, we designed and developed an Eclipse Rich Client Platform (RCP) prototype tool, implementing our proposal

    Chapter 59: Web Services

    Web services are a cornerstone of the distributed computing infrastructure that the VO is built upon yet to the newcomer, they can appear to be a black art. This perception is not helped by the miasma of technobabble that pervades the subject and the seemingly impenetrable high priesthood of actual users. In truth, however, there is nothing conceptually difficult about web services (unsurprisingly any complexities will lie in the implementation details) nor indeed anything particularly new. A web service is a piece of software available over a network with a formal description of how it is called and what it returns that a computer can understand. Note that entities such as web servers, ftp servers and database servers do not generally qualify as they lack the standardized description of their inputs and outputs. There are prior technologies, such as RMI, CORBA, and DCOM, that have employed a similar approach but the success of web services lies predominantly in its use of standardized XML to provide a language-neutral way for representing data. In fact, the standardization goes further as web services are traditionally (or as traditionally as five years will allow) tied to a specific set of technologies (WSDL and SOAP conveyed using HTTP with an XML serialization). Alternative implementations are becoming increasingly common and we will cover some of these here. One important thing to remember in all of this, though, is that web services are meant for use by computers and not humans (unlike web pages) and this is why so much of it seems incomprehensible gobbledegook. In this chapter, we will start with an overview of the web services current in the VO and present a short guide on how to use and deploy a web service. We will then review the different approaches to web services, particularly REST and SOAP, and alternatives to XML as a data format. 
We will consider how web services can be formally described and discuss how advanced features such as security, state and asynchrony can be provided. Note that much of this material is not yet used in the VO but features heavily in IVOA discussions on advanced services and capabilities