Research And Implementation Of Web Services Security Technologies

Web Services, which is issued in recent years, is a newly Web-oriented development & integration framework for distributed applications. Based on the Services-Oriented Architecture, Web Services uses the Internet's communication protocols and XML to transport messages, and represents a more loosely-coupled distributed application architecture. However, applications that build on Web Services expose their internal workflows, business processes and architectures. So, it is needed to protect them from internal or external's attacks. To guarantee Web Services security, many people are developing lots of XML-based security standards, and hope to resolve problems about authentication, access control, message-level security and data security.At first, this paper analyzes the characters of Web Services security. Then, it does some research for existed Web Services security technologies. Based on theses preparations, the paper brings forward and implements a Web Services system platform based, extendable security framework, which ensures Web Services message-level security and provides some security mechanisms such as signature, encryption, access control and audit.Subsequently, the paper describes how to design and implements the security framework. It first deeply researches into the interceptor mechanism and verifies the feasibility. Then we explains access control mechanism, researches into Role-Based Access Control, and with taking the system platform into consideration, design and implement a Web Services-oriented RBAC model, policies and its management tool.At last, we design several performance test cases. The test cases show that, with added the security mechanism, the system' performance cost has increased very much. But we can improve the security mechanism to lower the performance cost.The above achievements have been applied in the Country's 863 and 973 Plan achievements — Component Application Server "StarAppserver". They have important value and some theoretic meanings to guanrantee Web Services' message level security and access control.