Syntactic Validation of Web Services Security Policies

  • Yuichi Nakamura
  • Fumiko Sato
  • Hyen-Vui Chung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4749)


The Service-Oriented Architecture (SOA) makes application development flexible in such a way that services are composed in a highly distributed manner. However, because of the flexibility, it is often hard for users to define application configurations properly. Regarding the security concerns we address in this paper, though WS-SecurityPolicy provides a standard way to describe security policies, it is difficult for users to make sure that the defined policies are valid. In this paper, we discuss the validation of WS-SecurityPolicy in the context of Service Component Architecture, and propose a method called syntactic validation. Most enterprises have security guidelines, some of which can be described in the format of Web services security messages. There also exist standard profiles for Web services such as the WS-I Basic Security Profile that also prescribes message formats. Since those guidelines and profiles are based on accepted best practices, the syntactic validation is sufficiently effective for practical use to prevent security vulnerabilities.


Security Policy Predicate Logic Prolog Program Soap Message Service Component Architecture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    A CBDI Report Series – Guiding the Transition to Web Services and SOA,
  2. 2.
    Devanbu, P., Stubblebine, D.: Software Engineering for Security: a Roadmap. In: ICSE 2000 (2000)Google Scholar
  3. 3.
    Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Chichester (2001)Google Scholar
  4. 4.
    SCA Service Component Architecture: Assembly Model Specification, Version 1.00, (March 15, 2007)Google Scholar
  5. 5.
    SCA Policy Framework: Version 1.00 (March 2007)Google Scholar
  6. 6.
    WS-SecurityPolicy v1.2, Committee Specification (April 30, 2007),
  7. 7.
    Tatsubori, M., Imamura, T., Nakamura, Y.: Best Practice Patterns and Tool Support for Configuring Secure Web Services Messaging. In: ICWS 2004 (2004)Google Scholar
  8. 8.
    Nakamura, Y., Tatsubori, M., Imamura, T., Ono, K.: Model-Driven Security Based on a Web Services Security Architecture. In: International Conference on Service Computing (2005)Google Scholar
  9. 9.
  10. 10.
    Web Services Security: SOAP Message Security 1.1Google Scholar
  11. 11.
    Basic Security Profile Version 1.0, Final Material (March 30, 2003) Google Scholar
  12. 12.
    W3C Candidate Recommendation “Web Services Policy 1.5 –Framework” (February 28, 2007),
  13. 13.
    WS-Trust 1.3 OASIS Standard (March 19, 2007)Google Scholar
  14. 14.
    WS-SecureConversation 1.3 OASIS Standard (March 1, 2007)Google Scholar
  15. 15.
    Eastlake, D., Solo, J.R., Bartel, M., Boyer, J., Fox, B., Simon, E.: XML Signature Syntax and Processing, W3C Recommendation (February 12, 2002)Google Scholar
  16. 16.
    XML Encryption Syntax and Processing, W3C Recommendation (December 10, 2002)Google Scholar
  17. 17.
    Web Services Security, UsernameToken Profile 1.1Google Scholar
  18. 18.
    Web Services Security: X.509 Certificate Token Profile 1.1Google Scholar
  19. 19.
  20. 20.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Proceedings of UML2002 (2002)Google Scholar
  21. 21.
    Deubler, M., Grünbauer, J., Jürjens, J., Wimmel, G.: Sound Development of Secure Service-based Systems. In: ICSOC (2004)Google Scholar
  22. 22.
    McMillan, K.: Symbolic Model Checking. Kluwer Academic Publishers, Boston (1993)zbMATHGoogle Scholar
  23. 23.
    Bhargavan, K., Fournet, C., Gordon, A.D.: Verifying policy-based security for web services. In: CCS 2004. Proceedings of the 11th ACM conference on Computer and communications security, pp. 268–277. ACM Press, New York (2004)CrossRefGoogle Scholar
  24. 24.
    Web Services Security Policy Language (WS-SecurityPolicy) (December 18, 2002),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Yuichi Nakamura
    • 1
  • Fumiko Sato
    • 1
  • Hyen-Vui Chung
    • 2
  1. 1.IBM Research, Tokyo Research Laboratory, 1623-14 Shimo-tsuruma, Yamato, Kanagawa, 242-0001Japan
  2. 2.IBM Software Group, Web Service Security Development, 11501 Burnet Road, Austin, TX, 78758-3400USA

Personalised recommendations