Verifying policy-based security for web services
Proceedings of the 11th ACM conference on Computer and communications security
An advisor for web services security policies
Proceedings of the 2005 workshop on Secure web services
Defeasible security policy composition for web services
Proceedings of the fourth ACM workshop on Formal methods in security
Syntactic Validation of Web Services Security Policies
ICSOC '07 Proceedings of the 5th international conference on Service-Oriented Computing
Static vs. Dynamic Validation of BSP Conformance
ICWS '09 Proceedings of the 2009 IEEE International Conference on Web Services
Hi-index | 0.00 |
Web Services Security (WS-Security) is a technology to secure the data exchanges in SOA applications. The security requirements for WS-Security are specified as a security policy expressed in Web Services Security Policy (WS-SecurityPolicy). The WS-I Basic Security Profile (BSP) describes the best-practices security practices for addressing the security concerns of WS-Security. It is important to prepare BSP-conformant security policies, but it is quite hard for developers to create valid security polices because the security policy representations are complex and difficult to fully understand. In this paper, we present a validation technology for security policy conformance with WS-Security messages. We introduce an Internal Representation (IR) representing a security policy and its validation rules, and a security policy is known to be valid if it conforms to the rules after the policy is transformed into the IR. We demonstrate the effectiveness of our validation technology and evaluate its performance on a prototype implementation. Our technology makes it possible for a developer without deep knowledge of WS-Security and WS-SecurityPolicy to statically check if a policy specifies appropriate security requirements.