LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 7/1/2009 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
A knockout blow for Borland?
MicroFocus has upped its offer for Borland Software to $1.50, hoping to chase off a mystery suitor also pursuing the ALM vendor.
07/06/2009 12:26 PM EST

Is the mystery Borland suitor Serena?
Borland software is considering an offer from another company after a preliminary deal with MicroFocus. Is Serena the new company?
06/30/2009 01:55 PM EST

Windows 7 - An eBayer's dream product?
Windows 7 pre-orders can make people money on eBay.
06/29/2009 03:48 PM EST

 

Microsoft Worldwide Partner Conf.
7/13/2009 to 7/16/2009
New Orleans
Microsoft

OSCON (Open Source Convention)
7/20/2009 to 7/24/2009
San Jose
O'Reilly Media

XBRL Technology Workshop & Summit
7/28/2009 to 7/30/2009
Santa Clara
XBRL US

ACM SIGGRAPH
8/3/2009 to 8/7/2009
New Orleans
ACM SIGGRAPH

OpenSource World (formerly LinuxWorld)
8/12/2009 to 8/13/2009
San Francisco
IDG World Expo


 
print Printable version 
Most Read Latest News Blog Resources
Kapow automates website data retrieval
Kapow Technology's Web Data Server 7.0 can be used to create modules that navigate through...

Telerik looks to boost 3D for Silverlight
In a new release of its RadControls component suite, the company introduced a 3D charting ...

Oracle's Fusion 11g lays groundwork for ERP platform
Fusion's components are standards-based and integrated, but some abilities are lost if non...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

OASIS Polishing Security Specs for Web


Technical committees focusing on message protection

By Jeff Feinman
November 21, 2007 — 
As the use of service-oriented architecture has risen in recent years, there has been a much greater focus on tightening the security of Web services.

Since Web services are message-driven, it is necessary to protect message contents. But absent a military-grade secure connection, something has to protect messages as they move through intermediaries. The Organization for the Advancement of Structured Information Standards (OASIS) has been developing a number of specifications to help secure message-driven Web services.

There are two active technical committees within the OASIS group dealing with Web services. One is the Web Services Secure Exchange, which manages the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications. The other is WS-Federation, which only set up shop in June. The comparatively veteran Web Services Secure Exchange (WS-SX) was started in January 2006, to enable trusted SOAP message exchanges and to define security policies that govern the formats of such messages, and remains busy.

“We’re going through a second set of revisions: things that we didn’t have time to do in the first release, issues that had come up,” said Anthony Nadalin, chief security architect of IBM and technical committee member of WS-SX.

Protecting the Message
WS-Trust was updated in March, and uses tokens to protect messages. It includes a protocol that tells how to get tokens or how to use them to protect messages.

WS-SecureConversation, also updated in March, is used in conjunction with other Web service and application-specific protocols to accommodate security models and technologies. It is built on top of WS-Security to provide secure communication between services.

WS-SecurityPolicy, updated in December 2006, describes policy languages that can be applied to messages. Such languages can protect the integrity of messages, and describe the protection mechanism of Web services. Vendors can then query that policy and determine if they can abide by that policy.

WS-Federation, meanwhile, is the newest spec to hit the OASIS drawing board. Building upon the three specs that make up WS-SX, WS-Federation is meant to help implement identity federation in a Web services environment. “As we get more and more collaborative, we need ways that people can be authenticated to another domain, without having to go through the actual provisioning of the user of that domain,” Nadalin said. “The whole concept behind federation is allowing other parties or Web sites to be able to accept credentials from another party.”

Another way to ensure the security of Web services is to limit access. “You have to put in place some sort of authentication and authorization piece,” said John Carmichael, a security engineer and trainer with Security Innovation, an application security company. “There’s a couple of different ways of doing that. You can do Security Assertion Markup Language [SAML] and then Extensible Access Control Markup Language [XACML], which both give proper authentication and authorization, to determine what people are and aren’t supposed to do within Web services.”

Nadalin said that OASIS has technical committees for XACML and SAML. Both markup schemes, although not Web services as such, have their place in defining authorization and entitlement policies.


Share this link: http://www.sdtimes.com/link/31343
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading