Abstract
The World Wide Web is evolving into a medium providing a wide array of e-commerce, business-to-business, business-to-consumer, and other information-based services. In Service Oriented Architecture (SOA) technology, Web Services are emerging as the enabling technology that bridges decoupled systems across various platforms, programming languages, and applications.
The benefits of Web Services and SOA come at the expense of introducing a new level of complexity to the environments where these services are deployed. This complexity is compounded by the freedom to compose Web Services to address requirements such as quality of service (QoS), availability, security, reliability, and cost. The complexity of composing services in turn compounds the task of securing, testing, and managing the quality of the deployed services.
This chapter identifies the main security requirements for Web Services and describes how these requirements are addressed by the Web Services security standards recently developed, or still under development, by various standardization bodies. The standards are reviewed according to a conceptual framework that groups them by the main functionality they provide.
Testing composite services in an SOA environment is a discipline at an early stage of study. The chapter provides a brief overview of the testing challenges faced by early implementers of composite services in SOA, taking Web Services security into consideration. The importance of Web Services Management systems in Web Services deployment is discussed, and a step toward a fault model for Web Services is provided. The chapter investigates the use of crash-only software development techniques for enhancing the availability of Web Services. It also discusses security mechanisms from the point of view of the interoperability of deployed services, covering the concepts and strategies developed in the WS-I Basic Security Profile for enhancing the interoperability of secure Web Services.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Cite this chapter
Barbir, A., Hobbs, C., Bertino, E., Hirsch, F., Martino, L. (2007). Challenges of Testing Web Services and Security in SOA Implementations. In: Baresi, L., Nitto, E.D. (eds) Test and Analysis of Web Services. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72912-9_14
DOI: https://doi.org/10.1007/978-3-540-72912-9_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72911-2
Online ISBN: 978-3-540-72912-9