Web服务安全体系结构研究

随着Web服务的普及,构建解决其各种安全问题的安全体系结构研究变得非常有意义。在分析了Web服务的基本组件、协议以及Web服务所需要的安全保证之后,提出了一种分层的安全体系结构。该体系结构充分利用了现有的安全技术和设施,综合了传输层次和SOAP层次上的安全措施来保证Web服务的安全。另外还对各层次上应采取的措施和应达到的安全性要求做了详细的分析。     

Web Services安全架构及其防火墙技术的研究

介绍了IBM和Microsoft联合开发的Web服务安全规范(WS-Security),讨论了Web Services所面临的安全挑战,最终针对潜在的安全威胁给出了一个Web Services防火墙模型及其防火墙架构.该架构采用独特的Adapter设计,可以很方便的与现有的信息安全设施整合.     

Adaptive security architecture for protecting RESTful web services in enterprise computing environment

In this modern era of enterprise computing, the enterprise application integration (EAI) is a well-known industry-recognized architectural principle that is built based on loosely coupled application architecture, where service-oriented architecture (SOA) is the architectural pattern for the implementation of EAI, whose computational elements are called as “services.” Though SOA can be implemented in a wide range of technologies, the web services implementation of SOA becomes the current selective choice due to its simplicity that works on basic Internet protocols. Web service technology defines several supporting protocols and specifications such as SOAP and WSDL for communication with client and server for data interchange. A new architectural paradigm has emerged in SOA in recent years called REpresentational State Transfer (REST) that is also used to integrate loosely coupled service components, named RESTful web services, by system integration consortiums. This SOA implementation does not possess adequate security solutions within it, and its security is completely dependent on network/transport layer security that is obsolete owing to latest web technologies such as Web 2.0 and its upgraded version, Web 3.0. Vendor security products have major implementation constraints such as they need secured organizational environment and breach to SOA specifications, hence introducing new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in the view of popular OWASP rating methodologies and analyze the gaps in the existing security solutions. We hence propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive way-forward Internet-of-Things (IoT) friendly security solution that is comprised of three cyclic parts: learn, predict and prevent. A novel security component named “intelligent security engine” is introduced which learns the possible occurrences of security threats on SOA using artificial neural networks learning algorithms, then it predicts the potential attacks on SOA based on obtained results by the developed theoretical security model, and the written algorithms as part of security solution prevent the SOA attacks. This paper is written to present one of such algorithms to prevent SOA attacks on RESTful web services along the discussion on the obtained results of the conducted proof-of-concept on the real-time SOA environment. A comparison of the proposed system with other competing solutions demonstrates its superiority.     

Web服务消息级安全模型的设计及评价

保证Web服务安全通信的机制有两种：传输级安全机制紧密耦合于下层平台,只能保证点到点的安全通信;而消息级安全机制能够提供异质环境的端到端安全保证.在WS-Security、SAML和XKMS等有关消息级安全的规范基础上,设计了一消息安全模型,并对其进行了安全性评价.该模型能够保证SOAP消息的机密性、完整性、不可否认性、认证和授权,能够保证Web服务的安全.     

Security architecture for virtual organizations of business web services

Virtual organizations (VO) temporarily aggregate resources of different domains to achieve a common goal. Web services are being positioned as the technological framework for achieving this aggregation in the context of cross-organizational business applications. Numerous architectures have been proposed for securing VOs, mostly for scientific research, such that they do not address all the requirements of business-oriented applications. This paper describes these additional requirements and proposes a novel architecture and approach to managing VO access control policies. Business users can focus on designing business processes, exposing web services and managing their VO partnerships, while the architecture supports and secures the web service interactions involved.     

安全Web Services体系结构的研究

目前已有的Web Services安全规范只是制定了要实现某一安全需求应该遵循的规范协议,尚没有一个被广泛接受的安全体系结构.有很多学者和组织对安全Web Services体系结构做了有益的探索,并提出了一些方案与产品,各自有不同的特点并依据不同的安全规范.基于业界主导公司所推出的WS-*规范提出了一个基于安全令牌服务器的安全Web Services体系结构,并对它的工作机制做了研究.     

Automated processing for map generalization using web services

In map generalization various operators are applied to the features of a map in order to maintain and improve the legibility of the map after the scale has been changed. These operators must be applied in the proper sequence and the quality of the results must be continuously evaluated. Cartographic constraints can be used to define the conditions that have to be met in order to make a map legible and compliant to the user needs. The combinatorial optimization approaches shown in this paper use cartographic constraints to control and restrict the selection and application of a variety of different independent generalization operators into an optimal sequence. Different optimization techniques including hill climbing, simulated annealing and genetic deep search are presented and evaluated experimentally by the example of the generalization of buildings in blocks. All algorithms used in this paper have been implemented in a web services framework. This allows the use of distributed and parallel processing in order to speed up the search for optimized generalization operator sequences.

Web服务安全性的研究与实现

研究了Web服务的安全性,介绍了Web服务的安全性需求,分析了现有安全技术保护Web服务存在的缺点和不足,在此基础上引出了WS-Security规范,并对此规范进行阐述,进而提出了一个Web服务安全性的实现方案,使用WS-Security和其它配合工具在SOAP消息中嵌入安全机制,以解决WS-Security所涉及的3个方面问题,即身份验证、签名、加密.最后使用WSE进行了实现.     

The subtle security risks of web services

Web Services have helped many organizations revitalize their legacy applications by offering a simple, language and platform independent way for applications to communicate. There are, however, many common mistakes made when implementing Web Services that create infrastructure vulnerabilities and leave applications exposed. This paper takes a look, from the developer perspective, at some of the more insidious vulnerabilities that may come bundled with web services with a view towards prevention.     

Web services and web service security standards

This paper provides a short introduction to basic web services concepts and describes in greater detail the various specifications related to reliability, transactions and in particular security which are referred to as the Microsoft/IBM WS-^* family of specifications. The authors were not involved in the development and specification of the family of WS-^* specs described in this paper.     

基于Java2安全体系结构的Web数据库安全性问题研究

在Web应用系统中,Web数据库保护是关键,通过分析Java2安全平台中的安全体系结构核心、加密体系结构和Java2安全平台扩展中的验证授权服务、安全套接扩展、加密扩展,针对Web应用系统的三层结构模型,提出了基于Java2安全体系结构中的用户验证、保护数据库连接、访问控制和审计4大机制的Web数据库安全保护措施及具体的实现方法,为用户开发Web应用系统提供参考.     

基于XACML的Web服务安全访问控制模型

Web服务已成为新一代电子商务的框架,其安全问题是不可忽视的问题,需要一种灵活高效的访问控制来保护.通过分析可扩展访问控制标记语言(XACML)和授权管理基础设施(PMI),给出了一种适合于Web服务安全的访问控制系统模型.该系统模型基于属性证书和策略集,用XACML作为描述访问控制决策的语言,适用于Web服务的动态性、异构性等特点.     

基于Web Services的图像处理系统

随着分布式应用的普及,Web Services作为一项新兴技术具有很好的发展前景。本论文首先介绍了Web Services的体系结构;随后通过一个图像缩放处理应用详细描述了构建Web Services的步骤和方法,并通过WSDL文件实现服务器端和客户端的信息交互。最后通过建立UDDI注册中心,完成Web Services的动态注册、发现和绑定,并有效地实现分布式环境下的资源共享和协同工作。     

关于Web服务组合的有效Web服务发现机制

随着Web Services的广泛流行,怎样发现适当Web Services来支持Web Services的组合已经成为一种挑战.由于传统的关键字搜索具有太低的记忆性和精确性,因此这种方法是很低效的.基于Web Services的描述信息,介绍了一种有效的Web Services发现机制.此服务发现方法是简单可用的,通过引入语义变得十分高效,因此该机制成功的在服务组合模型上得到了实现.     

A policy-based approach for strong mobility of composed Web services

This paper presents a flexible, portable, and transparent solution for strong mobility of composed Web services relying on policy-oriented techniques. The proposed approach provides a checkpoint solution based on automatic code instrumentation using correct source code transformation rules. This checkpoint technique permits to save the execution state of a mobile orchestration process as well as the execution states of its orchestrated partners. Thus, after migration, only non-executed codes will be resumed. In addition, our approach enables dynamic adaptation of the employed checkpointing and mobility techniques using aspects. For that, we use policies allowing dynamic selection of the used checkpointing and mobility techniques according to the execution context. Moreover, the proposed solution includes a module allowing the determination of the checkpointing interval satisfying QoS requirements. Experimentations show the efficiency of the proposed solution.     

在线招投标Web系统安全结构及关键技术的研究

分析了网上在线招投标系统的安全性需求，提出了一种新的用于在线招投标Web应用系统的四层安全体系结构，并定义了其各层次的功能，描述了其安全认证过程，解决了传统三层体系结构在信息系统的安全性上存在的问题和不足。同时就系统中的数据安全性、系统的认证等关键安全技术，综合应用加密和Hash算法，给出了一种在传输和存储过程中保护数据的保密性和完整性的设计方法，以防止在数据库的应用中数据被非法窃取和篡改；给出了一种基于网上在线招投标系统的不可否认数字签名认证方案，使得可在不暴露用户安全信息的前提下实现其身份认证。     

Time-constrained services: a framework for using real-time web services in industrial automation

The use of web services in industrial automation, e.g. in fully automated production processes like car manufacturing, promises simplified interaction among the manufacturing devices due to standardized protocols and increased flexibility with respect to process implementation and reengineering. Moreover, the adoption of web services as a seamless communication backbone within the overall industrial enterprise has additional benefits, such as simplified interaction with suppliers and customers (i.e. horizontal integration) and avoidance of a break in the communication paradigm within the enterprise (i.e. vertical integration). The Time-Constrained Services (TiCS) framework is a development and execution environment that empowers automation engineers to develop, deploy, publish, compose, and invoke time-constrained web services. TiCS consists of four functional layers—tool support layer, real-time infrastructural layer, real-time service layer, and hardware layer—which contain several components to meet the demands of a web service based automation infrastructure. This article gives an overview of the TiCS framework. More precisely, the general design considerations and an architectural blueprint of the TiCS framework are presented. Subsequently, selected key components of the TiCS framework are discussed in detail: the SOAP4PLC engine for equipping programmable logic controllers with a web service interface, the SOAP4IPC engine for processing web services in real-time on industrial PCs, the WS-TemporalPolicy language for describing time constraints, and the TiCS Modeler for composing time-constrained web services into a time-constrained BPEL4WS workflow.     

Cloud-based architecture for web applications with load forecasting mechanism: a use case on the e-learning services of a distant university

In cloud systems, a clear necessity emerges related to the use of efficient and scalable computing resources. For this, accurate predictions on the load of computing resources are a key. Thanks to these accurate predictions, reduced power consumption and enhanced revenue of the system can be achieved, since resources can be ready when users need them and shutdown when they are no longer needed. This work presents an architecture to manage web applications based on cloud computing, which combines both local and public cloud resources. This work also presents the algorithms needed to efficiently manage such architecture. Among them, a load forecasting algorithm has been developed based on Exponential Smoothing. An use case of the e-learning services of our University presenting the behaviour of our architecture has been evaluated through a series of simulations. Among the most remarkable results, power consumption is reduced by 32 % at the cost of 367.31 US$ a month compared with the current architecture.     

SNAP: a market-propagation architecture for knowledge processing

The semantic network array processor (SNAP), a highly parallel architecture targeted to artificial intelligence applications, and in particular natural language understanding, is presented. The knowledge is represented in a form of the semantic network. The knowledge base is distributed among the elements of the SNAP array, and the processing is performed locally where the knowledge is stored. A set of powerful instructions specific to knowledge processing is implemented directly in hardware. SNAP is packaged into 256 custom-designed chips assembled on four printed circuit boards and can store a 16 K node semantic network. SNAP is a marker propagation architecture in which the movement of markers between cells is controlled by propagation rules. Various reasoning mechanisms are implemented with these marker propagation rules