By sridevi krishnan
First Posted 01/08/2003

Security Model for Web Services


Summary: A key benefit of the emerging web services architecture is the ability to deliver integrated, interoperable software solutions using web-based standards. Ensuring the security of web services through a comprehensive security model is critical, both for organizations and their customers. This article discusses a basic security model for web services.

Web services are application components whose functionality and interfaces are exposed to potential users through existing and emerging Web technology standards, including XML, SOAP, WSDL and HTTP. In contrast to Web sites, browser-based interactions or platform-dependent technologies, Web services are offered computer-to-computer, via defined formats and protocols, in a platform-independent and language-neutral manner. A key benefit of the emerging web services architecture is the ability to deliver integrated, interoperable software solutions using web-based standards. Ensuring the security of web services through a comprehensive security model is critical, both for organizations and their customers. Unrestricted access and the lack of an audit trail increase the threat to the integrity and confidentiality of a business. The current Web Services standards that have achieved industry consensus (SOAP, UDDI and WSDL, all built on a foundation of XML) do not offer any specific provisions for security.

A truly effective security model should exhibit the following features:
1. End-to-end security context as opposed to point-to-point security
2. Controlled access to data and applications
3. Time-bound client-server interactions
4. A record of all client-server interactions

In today's business world, few web services will want to make themselves available to any client that happens to come calling. Client authentication is necessary to ensure that only legitimate clients can use the service; all others must be denied access. Added to this is a requirement to authorize the operations initiated by the client, since few companies would want to give complete access to every calling client. To complete the model, a chronological record of who did what and when is critical.

Given these requirements, how do we get the login credentials from the client application to the web service? There are two options: the SOAP Header or the SOAP Body. In either case the web service can read the login information out of the incoming message. The next issue is how to maintain a session once the client is authenticated. To solve this we may employ a token-based security model. Upon successful authentication of the client application, a security token (essentially a GUID generated upon successful validation and encrypted with a symmetric cryptographic algorithm) is returned to the client application. The client is then required to attach this security token to all of its subsequent web service requests. To prevent attackers from using hijacked tokens, a time stamp (typically 30 minutes) may be associated with each token. Thus a token-based mechanism guarantees client authentication.

Authentication by itself does not guarantee a complete security model. Authorization (the process of determining the entitlements of the requestor) is a key security element that, together with authentication, minimizes external attacks and guarantees controlled access to data. Once a principal's identity is authenticated, authorization decisions can be made. It is common for clients to have different degrees of access: some clients may be allowed full access while others are restricted to read-only access. This policy extends to method invocations on web services. Access is typically determined by checking information about the principal against some access control information, such as an Access Control List (ACL). The request is either granted or denied; a granted request proceeds along the nominal execution path, while a denial message is returned for a denied request.

Authentication and authorization together guarantee controlled access to critical data, but this in itself does not make a comprehensive security model. Without a data trail recording who, what and when, the integrity and confidentiality of a business could still be threatened: data and application thefts would go unnoticed by the administrator, but the business would surely feel them. Auditing is therefore a very important security component. While authentication and authorization minimize external threats and attacks, auditing facilitates easier recovery from attacks, because companies can use the chronological record of all client-server interactions to conduct post-incident analysis.

In summary, this article discussed the motivation behind developing a security model for Web Services together with the details of a token-based security model that addresses the three major security components: Authentication, Authorization and Auditing.
