Research Of XML And Web Services Security

As XML is simple, extensible, interoperable, reusable and open, it has great advantages in web applications and enterprise applications. It will become the standard of data exchange eventually. Web Services provides a kind of services oriented architecture-SOA, which enables the exchange of data and the remote invocation of application logic using XML messaging to move data through firewalls and between heterogeneous systems. It's really distributed, loose coupling, independent of the positions of services provider and consumer and independent of platforms. It's suitable in communications across firewall boundaries, enterprise application integration, B2B integration and software reuse. The underlying protocols of Web Services, such as WSDL, UDDI, DISCO and SOAP are all based upon XML.The wide use of XML and Web Services issues security problems.The thesis researches XML security, Web Services security and XML firewall in depth and systematically, from security specifications, existing technologies to the latest progress. It also focuses on how to put theories into practice. It designs a XML security tool, a security model of SOAP communication as well as a simple XML firewall.First this article researches XML security systematically. XML security contains data confidentiality, integrity and authentication. XML Signature defines the processing rules and syntax to wrap message integrity, message authentication, and user authentication data inside an XML format. XML Encryption specification addresses the issue of data confidentiality using encryption techniques. XKMS specifies protocols for distributing and registering public keys, suitable for use in conjunction with XML Signature and XML encryption. The article analyzes the process of designing a tool for XML security, named XML Security Guard, which can generate shared keys and secret keys, supports different algorithms. It can sign and encrypt not only a whole XML document but also part of it, like an element orelement content.Then this article focuses on Web Services security, which is in fact based on XML security. Web Services uses SOAP message to communicate. Thus the security of SOAP message is the core of Web Services security. The Web Services Security (WS-Security) specification from OASIS defines the mechanism for including integrity, confidentiality, and single message authentication features within a SOAP message. WS-Security makes use of the XML Signature and XML Encryption specifications and defines how to include digital signatures, message digests, and encrypted data in a SOAP message. It relies on XMLDS and XML encryption for low level details and defines a higher-level syntax to wrap security information inside SOAP messages. The article designs a security model of SOAP communication channel at the end of this section.Finally this article studies XML firewall. It is a kind of application-level firewall, which is used to address the security and network monitoring needs of emerging Web Services applications. It often works together with network firewall to ensure security for enterprise applications. The article demonstrates how to construct a solution to secure an E-commerce website using XML security technology and XML firewall.