LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.
02/09/2010 09:45 AM EST

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

 

Events calendar tab
Macworld 2010
2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010
2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)
2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo
2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse
2/21/2010 to 2/24/2010
Las Vegas
IBM


 
print Printable version 
Most Read Latest News Blog Resources
Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

OASIS Polishing Security Specs for Web


Technical committees focusing on message protection

By Jeff Feinman
November 21, 2007 — 
As the use of service-oriented architecture has risen in recent years, there has been a much greater focus on tightening the security of Web services.

Since Web services are message-driven, it is necessary to protect message contents. But absent a military-grade secure connection, something has to protect messages as they move through intermediaries. The Organization for the Advancement of Structured Information Standards (OASIS) has been developing a number of specifications to help secure message-driven Web services.

There are two active technical committees within the OASIS group dealing with Web services. One is the Web Services Secure Exchange, which manages the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications. The other is WS-Federation, which only set up shop in June. The comparatively veteran Web Services Secure Exchange (WS-SX) was started in January 2006, to enable trusted SOAP message exchanges and to define security policies that govern the formats of such messages, and remains busy.

“We’re going through a second set of revisions: things that we didn’t have time to do in the first release, issues that had come up,” said Anthony Nadalin, chief security architect of IBM and technical committee member of WS-SX.

Protecting the Message
WS-Trust was updated in March, and uses tokens to protect messages. It includes a protocol that tells how to get tokens or how to use them to protect messages.

WS-SecureConversation, also updated in March, is used in conjunction with other Web service and application-specific protocols to accommodate security models and technologies. It is built on top of WS-Security to provide secure communication between services.

WS-SecurityPolicy, updated in December 2006, describes policy languages that can be applied to messages. Such languages can protect the integrity of messages, and describe the protection mechanism of Web services. Vendors can then query that policy and determine if they can abide by that policy.

WS-Federation, meanwhile, is the newest spec to hit the OASIS drawing board. Building upon the three specs that make up WS-SX, WS-Federation is meant to help implement identity federation in a Web services environment. “As we get more and more collaborative, we need ways that people can be authenticated to another domain, without having to go through the actual provisioning of the user of that domain,” Nadalin said. “The whole concept behind federation is allowing other parties or Web sites to be able to accept credentials from another party.”

Another way to ensure the security of Web services is to limit access. “You have to put in place some sort of authentication and authorization piece,” said John Carmichael, a security engineer and trainer with Security Innovation, an application security company. “There’s a couple of different ways of doing that. You can do Security Assertion Markup Language [SAML] and then Extensible Access Control Markup Language [XACML], which both give proper authentication and authorization, to determine what people are and aren’t supposed to do within Web services.”

Nadalin said that OASIS has technical committees for XACML and SAML. Both markup schemes, although not Web services as such, have their place in defining authorization and entitlement policies.


Share this link: http://www.sdtimes.com/link/31343
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading