A Secure Middleware Architecture for Web Services
Abstract
Current web service platforms (WSPs) often perform all web services-related processing, including security-sensitive information handling, in the same protection domain. Consequently, the entire WSP may have access to security-sensitive information such as credit card numbers, forcing us to trust a large and complex piece of software. To address this problem, we propose ISO-WSP, a new middleware architecture that decomposes current WSPs into two parts executing in separate protection domains: (1) a small trusted T-WSP to handle security-sensitive data, and (2) a large, legacy untrusted U-WSP that provides the normal WSP functionality, but uses the T-WSP for security-sensitive data handling. By restricting security-sensitive data access to T-WSP, ISO-WSP reduces the software complexity of trusted code, thereby improving the testability of ISO-WSP. To achieve end-to-end security, the application code is also decomposed into two parts, isolating a small trusted part from the remaining untrusted code. The trusted part encapsulates all accesses to security-sensitive data through a Secure Functional Interface (SFI). To ease the migration of legacy applications to ISO-WSP, we developed tools to translate direct manipulations of security-sensitive data by the untrusted part into SFI invocations. Using a prototype implementation based on the Apache Axis2 WSP, we show that ISO-WSP reduces software complexity of trusted components by a factor of five, while incurring a modest performance overhead of a few milliseconds per request. We also show that existing applications can be migrated to run on ISO-WSP with minimal effort: a few tens of lines of new and modified code.
Similar resources
On the design, implementation and application of an authorisation architecture for web services
This paper proposes an authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorisation of web services as well as the support for the management of authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has be...
An Authorization Architecture for Web Services
This paper considers the authorization service requirements for the service oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services as well as the support for the management of authorization information. The p...
Trustworthy and Secure Service-Oriented Architecture for the Internet of Things
In the Internet of Things (IoT), heterogeneous devices connect to each other and to external systems to exchange data and provide services. Given the diversity of devices, it is becoming increasingly common to establish collaborative relationships between devices to provide composite services. However, due to the high degree of heterogeneity in the IoT context, one of the most significant chall...
A Middleware Framework for the Internet of Things
After the traditional Internet (with program-to-human communication), and after the Internet of Services (with program-to-program communication), the Internet of Things is a new paradigm of communication aiming at integrating the state of everyday things into the digital world. But things are everywhere, have different colours, come in different flavours, so, building reliable applications that ...
TRIUMF: A Trusted Middleware for Fault-tolerant Secure Collaborative Computing
A collaboration is an activity conducted by two or more parties to achieve a common goal. Business collaborations are becoming an essential part of emerging business models. Organizations, however, are unable to reap true benefits of collaborations because of their security and privacy concerns. TRIUMF, the Trusted Middleware for Fault-tolerant secure collaborative computing, is aimed at enabli...
The PsyGrid Experience: Using Web Services in the Study of Schizophrenia
The key aim of the PsyGrid project was the creation of an information system to ascertain and characterise a large, representative cohort of schizophrenics, beginning from their first episode of psychosis. The cohort was to be drawn from eight geographically dispersed regions of England, covering in total one-sixth of the entire population. In order to meet the current and future requirements w...