
Challenges of Testing Web Services and Security in SOA Implementations

Chapter in: Test and Analysis of Web Services

Abstract

The World Wide Web is evolving into a medium providing a wide array of e-commerce, business-to-business, business-to-consumer, and other information-based services. In Service Oriented Architecture (SOA) technology, Web Services are emerging as the enabling technology that bridges decoupled systems across various platforms, programming languages, and applications.

The benefits of Web Services and SOA come at the expense of introducing a new level of complexity to the environments where these services are deployed. This complexity is compounded by the freedom to compose Web Services to address requirements such as quality of service (QoS), availability, security, reliability, and cost. The complexity of composing services in turn compounds the task of securing, testing, and managing the quality of the deployed services.

This chapter identifies the main security requirements for Web Services and describes how those requirements are addressed by the Web Services security standards recently developed, or still under development, by various standardization bodies. The standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide.

Testing composite services in an SOA environment is a discipline at an early stage of study. The chapter provides a brief overview of the testing challenges facing early implementers of composite services in SOA, taking Web Services security into consideration. The importance of Web Services Management systems in Web Services deployment is discussed, and a step toward a fault model for Web Services is provided. The chapter investigates the use of crash-only software development techniques for enhancing the availability of Web Services, and discusses security mechanisms from the point of view of the interoperability of deployed services. The work covers the concepts and strategies developed in the WS-I Basic Security Profile for enhancing the interoperability of secure Web Services.




Copyright information

© 2007 Springer-Verlag Berlin Heidelberg


Cite this chapter

Barbir, A., Hobbs, C., Bertino, E., Hirsch, F., Martino, L. (2007). Challenges of Testing Web Services and Security in SOA Implementations. In: Baresi, L., Nitto, E.D. (eds) Test and Analysis of Web Services. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72912-9_14


  • DOI: https://doi.org/10.1007/978-3-540-72912-9_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-72911-2

  • Online ISBN: 978-3-540-72912-9

  • eBook Packages: Computer Science (R0)
